Insecure function calling in LLM applications
How function calling in LLM applications creates code execution, excessive agency, and injection risks, with techniques for each vulnerability class.
How function calling in LLM applications creates code execution, excessive agency, and injection risks, with techniques for each vulnerability class.
How command injection arises when LLMs translate natural language into shell commands, covering unrestricted execution, guardrail bypasses, and non-determinism.
How SQL injection arises in text-to-SQL LLM applications, covering data exfiltration, UNION-based guardrail bypass, and data manipulation through query types.
How cross-site scripting arises when LLM output bypasses HTML encoding, covering reflected XSS, stored XSS, and the external script resilience bypass.
LLM output is untrusted data. This article covers insecure output handling, the injection risks it enables, and where it sits in OWASP LLM05 and Google SAIF.
No single mitigation eliminates prompt injection. Covers prompt engineering, filtering, fine-tuning, adversarial training, and guardrail models.
Garak is an open-source LLM vulnerability scanner that automates adversarial testing for prompt injection, jailbreaks, and encoding bypasses. Full walkthrough.
LLM jailbreaking bypasses safety alignment to force models into generating restricted content. Covers DAN, roleplay, token smuggling, and adversarial suffixes.
Indirect prompt injection embeds payloads in external data that LLMs process. Covers data poisoning, web content injection, email vectors, and concealment.
Direct prompt injection targets LLMs through the user input channel. Covers system prompt extraction strategies and behaviour manipulation techniques.