OWASP_LLM_TOP10 · LLM01:2025 · voice-validated

Adam Lundqvist, Founder at SQUR · last verified 2026-06-20

Regulation text

Prompt injection vulnerabilities occur when user prompts alter the LLM's behaviour or output in unintended ways. These inputs can affect the model even when they are imperceptible to humans, and they may arrive indirectly via external data, files, web pages, and tools. Direct injection occurs when a user input directly overrides the system prompt; indirect injection occurs when content from a retrieved source contains attacker-controlled instructions.

ATT&CK techniques this article tests · 0

Technique · Why it maps · Confidence
(no techniques mapped)

Defending mitigations · 6

Mitigation · What it does · Confidence
M1035 · Limiting the LLM's access to internal resources directly reduces the potential impact of a successful prompt injection, as specified in LLM01:2025. · 1.0 (100%)
M1038 · Filtering network traffic, including robust input validation and output sanitization, prevents malicious prompts from reaching the LLM and malicious outputs from leaving, addressing LLM01:2025. · 1.0 (100%)
M1047 · Comprehensive auditing and monitoring of LLM interactions, inputs, and outputs are crucial for detecting and responding to prompt injection attempts, as per LLM01:2025. · 0.9 (90%)
M1051 · Secure configuration of the LLM and its environment minimizes the attack surface and prevents unintended behaviors caused by prompt injection, directly mitigating LLM01:2025. · 1.0 (100%)
M1056 · Implementing stringent input validation and sanitization for all user prompts is the primary defense against prompt injection vulnerabilities, as highlighted in LLM01:2025. · 1.0 (100%)
M1031 · Network segmentation isolates the LLM, limiting lateral movement and containing the blast radius if a prompt injection attack, as described in LLM01:2025, is successful. · 0.9 (90%)

Underlying weaknesses · 7

CWE · Why it persists · Confidence
CWE-20 · Improper input validation is the fundamental weakness allowing prompt injection, where the LLM processes untrusted user input without adequate checks, as per LLM01:2025. · 0.9 (90%)
CWE-94 · Prompt injection exploits the LLM's ability to interpret and generate 'code-like' instructions, a direct consequence of improper control over code generation, as described in LLM01:2025. · 0.9 (90%)
CWE-918 · Server-Side Request Forgery (SSRF) can result from prompt injection, where the LLM is tricked into making unauthorized requests to internal resources, as enabled by LLM01:2025. · 0.8 (80%)
CWE-284 · Improper access control, granting the LLM excessive permissions, amplifies the impact of prompt injection, allowing attackers to perform actions beyond the intended scope, as per LLM01:2025. · 0.8 (80%)
CWE-502 · Indirect prompt injection can involve insecure deserialization of untrusted data from external sources, leading to code execution or data manipulation, a risk under LLM01:2025. · 0.8 (80%)
CWE-79 · Similar to XSS, prompt injection involves improper neutralization of untrusted input that is then processed by the LLM, leading to unintended behavior, as noted in LLM01:2025. · 0.8 (80%)
CWE-346 · Origin validation errors contribute to indirect prompt injection by allowing the LLM to trust and process malicious content from unverified external sources, as described in LLM01:2025. · 0.8 (80%)

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0188 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation