Exploiting LLM APIs, Functions, & Plugins
Mapping LLM API Attack Surface
Excessive agency: when an LLM has access to APIs that can reach sensitive information and can be persuaded to use them unsafely.
The 1st step for mapping the attack surface is to find out which APIs the LLM has access to.
LAB: Excessive Agency
Goal: Use the LLM to delete the user carlos.

Chaining Vulnerabilities in LLM APIs
If all of the discovered APIs look harmless, we may be able to find a secondary vulnerability by sending classic web exploits to them.
LAB: Chaining Vulnerabilities
Goal: Delete morale.txt from carlos's home directory by exploiting an OS command injection.
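
Added example for the two sections above (excessive agency and chaining into an API), not code from the labs or from these notes: a gateway that sits between the model and the APIs it may call. Every tool call the model emits is checked against an allow-list of exposed tools, a strict argument schema (so no shell metacharacter reaches a backend), an ownership rule for destructive actions and an out-of-band confirmation flag. The tool name delete_account, the command path, the Session shape and the username alice are assumptions; product_info is the endpoint named on this page.

```python
# Added example, not lab code: a tool-call gateway between the LLM and its APIs.
# Tool names, patterns, the Session shape and the usernames are hypothetical.
import re
from dataclasses import dataclass, field

# Only these tools are ever described to the model; any other request is refused
# before a handler runs.
READ_ONLY_TOOLS = {"product_info"}
DESTRUCTIVE_TOOLS = {"delete_account"}
EXPOSED_TOOLS = READ_ONLY_TOOLS | DESTRUCTIVE_TOOLS

# Tight argument patterns: separators, quotes and whitespace cannot pass, so a
# persuaded model cannot smuggle command syntax into the backing API.
ARG_SCHEMAS = {
    "product_info": {"product_id": re.compile(r"[0-9]{1,6}")},
    "delete_account": {"username": re.compile(r"[a-z0-9_]{1,32}")},
}


@dataclass
class Session:
    user: str                                              # from the authenticated session, never from the prompt
    confirmed_actions: set = field(default_factory=set)    # filled by an out-of-band UI confirmation step


class ToolRefused(Exception):
    """Raised when a call is rejected; log these, they are a detection signal for manipulation."""


def validate_args(tool: str, args: dict) -> dict:
    """Reject unknown, missing or malformed arguments before any handler sees them."""
    schema = ARG_SCHEMAS[tool]
    if set(args) != set(schema):
        raise ToolRefused(f"{tool}: unexpected or missing arguments")
    for name, pattern in schema.items():
        value = args[name]
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ToolRefused(f"{tool}: argument {name!r} rejected by schema")
    return args


def product_info(product_id: str) -> dict:
    # The backend is invoked as an argv list (hypothetical path): no shell ever parses it.
    return {"argv": ["/usr/local/bin/product-lookup", "--id", product_id]}


def delete_account(username: str) -> dict:
    return {"deleted": username}   # stand-in for the real deletion


HANDLERS = {"product_info": product_info, "delete_account": delete_account}


def dispatch(session: Session, tool: str, args: dict) -> dict:
    """Allow-list, schema, ownership and confirmation checks, then the handler."""
    if tool not in EXPOSED_TOOLS:
        raise ToolRefused(f"tool {tool!r} is not exposed to the assistant")
    clean = validate_args(tool, args)
    if tool in DESTRUCTIVE_TOOLS:
        # A destructive call may only target the logged-in user's own account ...
        if clean.get("username") != session.user:
            raise ToolRefused(f"{tool}: may only act on the session's own account")
        # ... and only after the user confirmed it outside the chat.
        if tool not in session.confirmed_actions:
            raise ToolRefused(f"{tool}: requires explicit user confirmation")
    return HANDLERS[tool](**clean)


def refusal_reason(session: Session, tool: str, args: dict):
    """Return the refusal message, or None when the call is allowed."""
    try:
        dispatch(session, tool, args)
    except ToolRefused as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    alice = Session(user="alice")   # constructed session
    print(refusal_reason(alice, "delete_account", {"username": "carlos"}))
    print(refusal_reason(alice, "product_info", {"product_id": "1;"}))
    print(dispatch(Session("alice", {"delete_account"}), "delete_account", {"username": "alice"}))
```

The identity used for the ownership check comes from the server-side session, so nothing the model writes ("I am carlos") can change whose account a destructive tool acts on; refusals are worth logging as they show the model being steered.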

Insecure Output Handling
If the LLM's output is not properly sanitized or validated before being passed to other systems, it can indirectly cause vulnerabilities such as XSS and CSRF.
LAB: Insecure Output Handling
Goal: Leverage XSS to delete carlos.

After mapping the attack surface, we find out that the product_info endpoint is available. Using the review functionality, as in Indirect Prompt Injection, gets the payload executed but also flagged as malicious.

Pass an XSS payload that deletes a user's account.
Passing the payload as is, i.e., without hiding it within a legitimate comment, does not work; the LLM identifies and ignores it.
"<iframe src =my-account onload = this.contentDocument.forms[1].submit() >"
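
Added example, not from the lab or these notes: the defensive counterpart of the section above. The model "identifying and ignoring" a payload is not a control, since it can be bypassed by wrapping the payload in a legitimate-looking comment; the rendering layer has to neutralize markup regardless of what the model decides. The code escapes all model output, re-enables only a small allow-list of bare tags (the ALLOWED_TAGS set is an assumption), and separately flags active-content patterns in the raw output for logging. The payload from this page is used as the test input.

```python
# Added example, not lab code: neutralize LLM output at the rendering boundary
# rather than trusting the model to spot hostile markup.
import html
import re

# Markup allowed to survive, and only as bare tags with no attributes (assumed set).
ALLOWED_TAGS = {"b", "i", "em", "strong", "br"}

# Patterns worth logging when they show up in raw model output: a hit means
# something upstream (a review, a page the model read) carried active content.
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*(?:script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def flag_active_content(raw: str) -> list:
    """Return the suspicious fragments found in raw LLM output (for detection/alerting)."""
    return [m.group(0) for m in ACTIVE_CONTENT_RE.finditer(raw)]


def sanitize_llm_output(raw: str) -> str:
    """HTML-escape everything, then re-enable only bare allow-listed tags."""
    escaped = html.escape(raw, quote=True)

    def restore(match):
        slash, tag = match.group(1), match.group(2).lower()
        return f"<{slash}{tag}>" if tag in ALLOWED_TAGS else match.group(0)

    # Only "&lt;tag&gt;" / "&lt;/tag&gt;" with nothing else inside is restored, so
    # attributes such as src= or onload= never come back as live markup.
    return re.sub(r"&lt;(/?)([a-zA-Z]+)&gt;", restore, escaped)


if __name__ == "__main__":
    # Constructed sample of the kind of string a poisoned review could push through the model.
    sample = "<b>Great product</b> <iframe src=x onload=doSomething()>"
    print("flags:", flag_active_content(sample))
    print("render:", sanitize_llm_output(sample))
```

flag_active_content is for detection only: the sanitized string is what gets inserted into the page whether or not anything was flagged, so a bypass of the pattern list costs visibility, not safety.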
