
OWASP LLM Top 10

The OWASP Top 10 for Large Language Model Applications identifies the most critical security risks for LLM-based systems. Inkog detects violations across all applicable categories.

Coverage Matrix

OWASP Category                    | Inkog Detection | Status
----------------------------------|-----------------|-------
LLM01: Prompt Injection           | Full            | Active
LLM02: Insecure Output Handling   | Full            | Active
LLM03: Training Data Poisoning    | Partial         | Active
LLM04: Model Denial of Service    | Full            | Active
LLM05: Supply Chain Vulnerabilities | Partial       | Active
LLM06: Sensitive Info Disclosure  | Full            | Active
LLM07: Insecure Plugin Design     | Full            | Active
LLM08: Excessive Agency           | Full            | Active
LLM09: Overreliance               | Partial         | Active
LLM10: Model Theft                | Partial         | Active

LLM01: Prompt Injection

Manipulation of LLM behavior through crafted inputs that override system instructions.

Inkog Rules:

  • prompt_injection - Direct user input in prompts
  • sql_injection_via_llm - LLM-generated SQL without parameterization

Example Finding:

agent.py:45:1: HIGH [prompt_injection] User input directly embedded in prompt template CWE-94 | OWASP LLM01

Remediation:

  • Use structured message formats with clear role separation
  • Validate and sanitize user inputs
  • Implement output filtering
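The following is an added example, not Inkog's own code: it shows the shape the prompt_injection rule flags (user text spliced into the instruction string) next to a hardened version that applies the three remediations above. SYSTEM_INSTRUCTIONS, MAX_INPUT_CHARS and the filtering policy are assumptions made for this example.

```python
# Added example, not Inkog's code: the flagged pattern beside its hardened form.
# SYSTEM_INSTRUCTIONS, MAX_INPUT_CHARS and the filtering policy are assumptions.
import unicodedata

SYSTEM_INSTRUCTIONS = "You are a support assistant. Only answer questions about orders."
MAX_INPUT_CHARS = 2000


def build_prompt_vulnerable(user_text: str) -> str:
    """Flagged pattern: instructions and user input share one string, so the
    model cannot tell which part is data and which part is instruction."""
    return f"{SYSTEM_INSTRUCTIONS}\nUser says: {user_text}\nAnswer:"


def validate_user_input(user_text: str) -> str:
    """Bound the length and drop control and format characters (Unicode
    categories Cc/Cf), which can hide text from reviewers; newlines and tabs stay."""
    if len(user_text) > MAX_INPUT_CHARS:
        raise ValueError("input exceeds maximum length")
    cleaned = "".join(
        ch for ch in user_text
        if ch in "\n\t" or unicodedata.category(ch) not in ("Cc", "Cf")
    )
    return cleaned.strip()


def build_messages_hardened(user_text: str) -> list:
    """Structured chat messages: the instructions stay in the system role and
    the user text travels as data in the user role; nothing is concatenated."""
    return [
        {"role": "system", "content": SYSTEM_INSTRUCTIONS},
        {"role": "user", "content": validate_user_input(user_text)},
    ]


def filter_output(reply: str) -> str:
    """Output filtering: a reply that echoes the system instructions verbatim is
    a sign the model was steered into revealing them, so it is not returned."""
    if SYSTEM_INSTRUCTIONS in reply:
        return "I can only help with questions about orders."
    return reply


if __name__ == "__main__":
    # Constructed input: a zero-width space hidden inside an ordinary question.
    question = "Where is my\u200b order?"
    print(build_prompt_vulnerable(question))
    print(build_messages_hardened(question))
```

Role separation on its own does not make injection impossible; it removes the concatenation that the rule flags and gives the model (and any downstream filter) a clear boundary between instructions and data.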

LLM02: Insecure Output Handling

Using LLM outputs in dangerous contexts without validation.

Inkog Rules:

  • output_validation_failures - LLM output to dangerous sinks
  • tainted_eval - LLM output in eval/exec
  • unvalidated_exec_eval - Command execution without validation

Example Finding:

api.py:89:5: CRITICAL [tainted_eval] LLM-generated code executed via eval() CWE-94, CWE-95 | OWASP LLM02

Remediation:

  • Treat all LLM output as untrusted
  • Use allowlists for permitted operations
  • Sandbox code execution
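As an added example (not Inkog's code), the pattern behind the tainted_eval finding is shown next to a dispatcher that treats model output as untrusted data: it must parse as JSON, name an allowlisted operation, and carry the right number of numeric arguments before anything runs. The JSON call format, the ALLOWED_OPERATIONS table and the sample outputs are constructed for this example.

```python
# Added example, not Inkog's code: eval() on model output versus an allowlist
# dispatcher. The call format and ALLOWED_OPERATIONS are constructed.
import json
import operator

# Allowlist: operation name -> (callable, required argument count).
ALLOWED_OPERATIONS = {
    "add": (operator.add, 2),
    "multiply": (operator.mul, 2),
    "negate": (operator.neg, 1),
}


def run_llm_output_vulnerable(llm_output: str):
    """Flagged pattern (CWE-95): whatever the model produced runs as Python."""
    return eval(llm_output)


class UntrustedOutputError(ValueError):
    """Raised when model output does not pass the allowlist checks."""


def run_llm_output_hardened(llm_output: str):
    """Parse the model output as a structured call and dispatch it only if it
    names an allowlisted operation with the right number of numeric arguments."""
    try:
        request = json.loads(llm_output)
    except json.JSONDecodeError as exc:
        raise UntrustedOutputError(f"output is not valid JSON: {exc.msg}") from None
    if not isinstance(request, dict):
        raise UntrustedOutputError("output must be a JSON object")
    op_name = request.get("op")
    args = request.get("args", [])
    if op_name not in ALLOWED_OPERATIONS:
        raise UntrustedOutputError(f"operation not allowed: {op_name!r}")
    func, arity = ALLOWED_OPERATIONS[op_name]
    if not isinstance(args, list) or len(args) != arity:
        raise UntrustedOutputError(f"{op_name} expects {arity} argument(s)")
    for value in args:
        # bool is a subclass of int, so it is excluded explicitly
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise UntrustedOutputError("arguments must be numbers")
    return func(*args)


if __name__ == "__main__":
    print(run_llm_output_hardened('{"op": "add", "args": [2, 3]}'))  # 5
```

Where generated code genuinely has to run, the dispatcher is not enough and the execution belongs in an isolated process with resource limits; for most agent tool calls, a fixed set of named operations removes the need to execute model output at all.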

LLM04: Model Denial of Service

Attacks that cause excessive resource consumption.

Inkog Rules:

  • infinite_loop_semantic - Unbounded loops
  • context_exhaustion_semantic - Context window overflow
  • token_bombing - Excessive token consumption
  • missing_rate_limits - No rate limiting
  • recursive_tool_calling - Infinite tool recursion

Example Finding:

workflow.py:23:1: CRITICAL [infinite_loop_semantic] Loop condition depends on LLM output without termination guarantee CWE-835, CWE-400 | OWASP LLM04

Remediation:

  • Add maximum iteration limits
  • Implement timeouts
  • Use rate limiting

LLM06: Sensitive Information Disclosure

Leaking confidential data through prompts, logs, or outputs.

Inkog Rules:

  • hardcoded_credentials - API keys in source code
  • logging_sensitive_data - PII in logs
  • cross_tenant_data_leakage - Multi-tenant data exposure

Example Finding:

config.py:12:5: CRITICAL [hardcoded_credentials] Hardcoded API key detected CWE-798 | OWASP LLM06

Remediation:

  • Use environment variables for secrets
  • Redact logs before storage
  • Implement tenant isolation
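An added example (not Inkog's code) for the hardcoded_credentials and logging_sensitive_data rules: the secret is read from the environment instead of the source file, and a logging.Filter redacts API keys and PII before any handler stores the record. The key format, the redaction patterns and the sample log message are constructed; tenant isolation is covered under LLM10 below.

```python
# Added example, not Inkog's code: secrets from the environment and a redacting
# log filter. REDACTION_PATTERNS and the sample values are constructed.
import logging
import os
import re

# Constructed pattern set; extend it for the providers and PII types in use.
REDACTION_PATTERNS = [
    (re.compile(r"\bsk-[A-Za-z0-9]{8,}\b"), "[REDACTED_API_KEY]"),   # assumed key prefix
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED_EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED_SSN]"),
]

API_KEY_VULNERABLE = "sk-EXAMPLEKEY0123456789"  # flagged: secret in source (constructed)


def load_api_key(env=os.environ) -> str:
    """Remediation: the key comes from the environment and is never committed."""
    key = env.get("LLM_API_KEY")
    if not key:
        raise RuntimeError("LLM_API_KEY is not set")
    return key


def redact(text: str) -> str:
    for pattern, replacement in REDACTION_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the formatted message before handlers see it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _Capture(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def log_redacted(message: str, *args) -> str:
    """Log through a redacting logger and return what a handler would store."""
    logger = logging.getLogger("llm06.example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addFilter(RedactingFilter())
    capture = _Capture()
    logger.addHandler(capture)
    logger.info(message, *args)
    return capture.lines[-1]


if __name__ == "__main__":
    print(log_redacted("user %s used key %s", "alice@example.com", API_KEY_VULNERABLE))
```

Attaching the filter to the logger, not to a single handler, means every destination (file, stdout, remote collector) receives the redacted record.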

LLM08: Excessive Agency

Agents with more capabilities than necessary for their task.

Inkog Rules:

  • infinite_loop_semantic - Unbounded agent loops
  • missing_human_oversight - No human-in-the-loop

Example Finding:

agent.py:156:1: HIGH [missing_human_oversight] Agent executes actions without human approval checkpoint OWASP LLM08

Remediation:

  • Implement approval workflows for sensitive actions
  • Add maximum depth limits for agent chains
  • Log all agent actions for audit
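The following added example (not Inkog's code) covers the LLM04 and LLM08 remediations together: an agent loop whose termination never depends on the model (a maximum step count, a wall-clock deadline and a token budget), an approval checkpoint for sensitive tools, and an audit record of every action. SENSITIVE_TOOLS, the limits, the tool names and scripted_model are constructed for this example.

```python
# Added example, not Inkog's code: a bounded agent loop with a human approval
# checkpoint and an audit trail. Limits, tool names and the fake model are constructed.
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

SENSITIVE_TOOLS = {"send_email", "delete_record", "transfer_funds"}


@dataclass
class AgentLimits:
    max_steps: int = 8          # maximum depth of the agent chain
    max_seconds: float = 30.0   # wall-clock timeout for the whole run
    max_tokens: int = 4000      # token budget across all model calls


@dataclass
class AgentRun:
    actions: list = field(default_factory=list)  # audit trail, one entry per step
    stop_reason: str = ""
    tokens_used: int = 0


def run_agent(model: Callable, tools: dict, approve: Callable,
              limits: Optional[AgentLimits] = None, clock=time.monotonic) -> AgentRun:
    """model(history) returns {"tool": name, "args": {...}, "tokens": n} or
    {"final": text, "tokens": n}; approve(name, args) is the human-in-the-loop
    callback consulted before any tool in SENSITIVE_TOOLS runs."""
    limits = limits or AgentLimits()
    run = AgentRun()
    history = []
    deadline = clock() + limits.max_seconds
    for step in range(limits.max_steps):
        if clock() > deadline:
            run.stop_reason = "timeout"
            return run
        decision = model(history)
        run.tokens_used += decision.get("tokens", 0)
        if run.tokens_used > limits.max_tokens:
            run.stop_reason = "token_budget"
            return run
        if "final" in decision:
            run.actions.append({"step": step, "final": decision["final"]})
            run.stop_reason = "final"
            return run
        name, args = decision["tool"], decision.get("args", {})
        if name not in tools:
            run.actions.append({"step": step, "tool": name, "outcome": "unknown_tool"})
            history.append(f"error: unknown tool {name}")
        elif name in SENSITIVE_TOOLS and not approve(name, args):
            run.actions.append({"step": step, "tool": name, "outcome": "denied"})
            history.append(f"denied: {name}")
        else:
            result = tools[name](**args)
            run.actions.append({"step": step, "tool": name, "args": args, "outcome": "ok"})
            history.append(f"{name} -> {result}")
    run.stop_reason = "max_steps"  # the model never signalled completion
    return run


def scripted_model(script: list) -> Callable:
    """Fake model that replays a list of decisions and then repeats the last
    one forever, which is how a model that never finishes looks to the loop."""
    def model(history):
        return script[min(len(history), len(script) - 1)]
    return model


if __name__ == "__main__":
    tools = {"lookup": lambda q: f"result for {q}",
             "transfer_funds": lambda amount: f"sent {amount}"}
    run = run_agent(scripted_model([{"tool": "lookup", "args": {"q": "order 42"}, "tokens": 50}]),
                    tools, approve=lambda name, args: False)
    print(run.stop_reason, len(run.actions))  # max_steps 8
```

The loop variable and the deadline are the termination guarantee the infinite_loop_semantic rule looks for: the model's answer can end the run early but can never extend it.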

LLM09: Overreliance

Trusting LLM outputs without verification.

Inkog Rules:

  • context_exhaustion_semantic - Unbounded context accumulation
  • output_validation_failures - Missing output validation

Example Finding:

chain.py:78:1: HIGH [context_exhaustion_semantic] Unbounded message history accumulation CWE-400 | OWASP LLM09

Remediation:

  • Implement sliding window for conversation history
  • Validate LLM outputs against expected schemas
  • Add confidence thresholds
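An added example (not Inkog's code) of the LLM09 remediations: a sliding window that keeps the system message plus the most recent turns inside a token budget, and a check of a model reply against an expected schema and a confidence threshold before the reply is trusted. Token counting is approximated by word count here, and EXPECTED_SCHEMA, ALLOWED_CATEGORIES and MIN_CONFIDENCE are assumptions made for this example.

```python
# Added example, not Inkog's code: sliding-window history and schema validation
# of model output. Token counting, the schema and the thresholds are assumptions.
import json


def count_tokens(text: str) -> int:
    """Word count stands in for the model tokenizer in this example."""
    return len(text.split())


def sliding_window(messages: list, max_tokens: int) -> list:
    """Keep messages[0] (the system prompt) plus the newest turns that fit the
    budget, so history cannot grow without bound across a long conversation."""
    system, turns = messages[0], messages[1:]
    budget = max_tokens - count_tokens(system["content"])
    kept = []
    for msg in reversed(turns):  # newest first
        cost = count_tokens(msg["content"])
        if cost > budget:
            break
        budget -= cost
        kept.append(msg)
    return [system] + list(reversed(kept))


# Assumed output contract: field -> accepted types.
EXPECTED_SCHEMA = {"category": (str,), "confidence": (int, float)}
ALLOWED_CATEGORIES = {"billing", "shipping", "other"}
MIN_CONFIDENCE = 0.8


def validate_reply(raw: str):
    """Return (data, "ok") when the reply matches the schema and clears the
    confidence threshold, otherwise (None, reason). Nothing downstream should
    act on the reply unless the reason is "ok"."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None, "not json"
    if not isinstance(data, dict):
        return None, "not object"
    for key, types in EXPECTED_SCHEMA.items():
        if key not in data:
            return None, f"missing {key}"
        if isinstance(data[key], bool) or not isinstance(data[key], types):
            return None, f"bad type for {key}"
    if data["category"] not in ALLOWED_CATEGORIES:
        return None, "unknown category"
    if data["confidence"] < MIN_CONFIDENCE:
        return None, "low confidence"
    return data, "ok"


if __name__ == "__main__":
    print(validate_reply('{"category": "billing", "confidence": 0.95}'))
```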

LLM10: Model Theft

Unauthorized access to model data or weights.

Inkog Rules:

  • cross_tenant_data_leakage - Tenant isolation failures
  • hardcoded_credentials - Exposed API keys enabling model access

Example Finding:

vectorstore.py:34:1: CRITICAL [cross_tenant_data_leakage] Shared vector store without tenant isolation CWE-639 | OWASP LLM10

Remediation:

  • Implement strict tenant isolation
  • Use encrypted storage
  • Audit all model access
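An added example (not Inkog's code) in the shape the cross_tenant_data_leakage finding describes: a minimal in-memory vector store in a shared form, where a query returns any tenant's vectors, next to an isolated form where every read and write is keyed by tenant id inside the store rather than left to callers, with an audit entry for each access. The vectors, tenant ids and the cosine similarity helper are constructed for this example.

```python
# Added example, not Inkog's code: a shared vector store beside a tenant-isolated
# one. Vectors, tenant ids and the similarity function are constructed.
import math
from collections import defaultdict


def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


class SharedVectorStore:
    """Flagged shape: one index for everyone and no tenant attribute on reads."""
    def __init__(self):
        self.items = []

    def add(self, vec, payload):
        self.items.append((vec, payload))

    def query(self, vec, k=3):
        ranked = sorted(self.items, key=lambda item: cosine(vec, item[0]), reverse=True)
        return [payload for _, payload in ranked[:k]]


class TenantVectorStore:
    """Remediation: the store itself partitions data by tenant and refuses
    operations without a tenant id, so a caller cannot forget the filter."""
    def __init__(self):
        self._index = defaultdict(list)  # tenant_id -> [(vec, payload)]
        self.audit = []                  # (operation, tenant_id) per access

    def add(self, tenant_id, vec, payload):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._index[tenant_id].append((vec, payload))
        self.audit.append(("write", tenant_id))

    def query(self, tenant_id, vec, k=3):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self.audit.append(("read", tenant_id))
        ranked = sorted(self._index.get(tenant_id, []),
                        key=lambda item: cosine(vec, item[0]), reverse=True)
        return [payload for _, payload in ranked[:k]]


if __name__ == "__main__":
    store = TenantVectorStore()
    store.add("tenant-a", [1.0, 0.0], "A-doc")
    store.add("tenant-b", [0.9, 0.1], "B-doc")
    print(store.query("tenant-a", [1.0, 0.0]))  # ['A-doc']
```

With a managed vector database the same idea maps to one namespace or collection per tenant, or a mandatory tenant filter applied by the data layer; the point is that isolation is enforced where the data lives, and every access leaves an audit record.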

Compliance Report

Inkog generates OWASP LLM Top 10 compliance reports:

{
  "owasp_llm_top_10": {
    "LLM01": 2,
    "LLM02": 1,
    "LLM04": 3,
    "LLM06": 2,
    "LLM08": 1,
    "total_violations": 9
  }
}
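As an added example (not Inkog's code), here is a parser for the finding lines shown on this page and the aggregation that turns them into a report with the same shape as the one above. The regex is inferred from the example findings (path:line:col: SEVERITY [rule] message, an optional CWE list followed by "|", then OWASP LLMnn); the sample findings that are not copied from the page are constructed so that the counts match the report above.

```python
# Added example, not Inkog's code: parse Inkog-style finding lines and count
# them per OWASP LLM category. The line format is inferred from this page.
import json
import re
from collections import Counter

FINDING_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<severity>[A-Z]+) \[(?P<rule>[\w-]+)\] (?P<message>.*?)"
    r"(?: (?P<cwes>CWE-\d+(?:, CWE-\d+)*) \|)? OWASP (?P<owasp>LLM\d{2})$"
)


def parse_finding(line: str):
    """Return a dict of fields for one finding line, or None if it does not parse."""
    match = FINDING_RE.match(line.strip())
    if not match:
        return None
    finding = match.groupdict()
    finding["line"] = int(finding["line"])
    finding["col"] = int(finding["col"])
    finding["cwes"] = finding["cwes"].split(", ") if finding["cwes"] else []
    return finding


def build_report(lines) -> dict:
    """Count findings per OWASP LLM category; unparsable lines are counted
    separately rather than silently dropped."""
    counts = Counter()
    skipped = 0
    for line in lines:
        finding = parse_finding(line)
        if finding is None:
            skipped += 1
            continue
        counts[finding["owasp"]] += 1
    section = {category: counts[category] for category in sorted(counts)}
    section["total_violations"] = sum(counts.values())
    report = {"owasp_llm_top_10": section}
    if skipped:
        report["unparsed_lines"] = skipped
    return report


# Constructed sample: the four example findings from this page plus five
# constructed lines, chosen so the totals equal the report shown above.
SAMPLE_FINDINGS = [
    "agent.py:45:1: HIGH [prompt_injection] User input directly embedded in prompt template CWE-94 | OWASP LLM01",
    "chat.py:12:1: HIGH [prompt_injection] User input directly embedded in prompt template CWE-94 | OWASP LLM01",
    "api.py:89:5: CRITICAL [tainted_eval] LLM-generated code executed via eval() CWE-94, CWE-95 | OWASP LLM02",
    "workflow.py:23:1: CRITICAL [infinite_loop_semantic] Loop condition depends on LLM output without termination guarantee CWE-835, CWE-400 | OWASP LLM04",
    "workflow.py:61:1: HIGH [missing_rate_limits] No rate limiting on model calls CWE-400 | OWASP LLM04",
    "tools.py:40:5: HIGH [recursive_tool_calling] Tool may call itself without a depth limit CWE-400 | OWASP LLM04",
    "config.py:12:5: CRITICAL [hardcoded_credentials] Hardcoded API key detected CWE-798 | OWASP LLM06",
    "logger.py:8:1: HIGH [logging_sensitive_data] PII written to application log CWE-532 | OWASP LLM06",
    "agent.py:156:1: HIGH [missing_human_oversight] Agent executes actions without human approval checkpoint OWASP LLM08",
]


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_FINDINGS), indent=2))
```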

Resources
