Exploiting LLM APIs, function, & Plugins

Mapping LLM API Attack Surface

Excessive agency: when a LLM has access to APIs that can access sensitive information and can be persuaded to use those unsafely.
The 1st step for mapping the attack surface is to find out which APIs the LLM has access to.

LAB: Excessive Agency

Goal: Usel the LLM to delete the user carlos.

Chaining Vulnerabilities in LLM APIs

If all of the discovered APIs look harmless, we may be able to find a secondary vulnerability by sending classic web exploits to them.

LAB: Chaining Vulnerabilities

Goal: Delete morale.txt from carlos's home directory exploiting an OS command injection.

Insecure Output Handling

If the LLM's output is not properly sanitized or validated before being passed to other systems it can result to indirectly causing vulnerabilities, such as XSS and CSRF.

LAB: Insecure Output Handling

Goal: Leverage XSS to delete carlos.

After mapping the attack surface, we find out that the product_info endpoint is available. Using the review's functionality, as in Indirect Prompt Injection, executes the payload but also flags it as malicious.

Pass an XSS payload the deletes a user's account.

Passing the payload as is, i.e., without hiding it within a legit comment, does not work; the LLM identifies and ignores it.

"<iframe src =my-account onload = this.contentDocument.forms[1].submit() >"

PreviousOverview NextIndirect Prompt Injection

Last updated 1 year ago

hashtagMapping LLM API Attack Surface

hashtagLAB: Excessive Agency

hashtagChaining Vulnerabilities in LLM APIs

hashtagLAB: Chaining Vulnerabilities

hashtagInsecure Output Handling

hashtagLAB: Insecure Output Handling

Mapping LLM API Attack Surface

LAB: Excessive Agency

Chaining Vulnerabilities in LLM APIs

LAB: Chaining Vulnerabilities

Insecure Output Handling

LAB: Insecure Output Handling