OWASP LLM Top 10 · LLM02:2025 Sensitive Information Disclosure
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
LLMs can expose sensitive information through their outputs: personally identifiable information (PII), proprietary algorithms, confidential business data, memorised training data, and credentials. Contributing weaknesses include missing input/output sanitisation, inadequate data anonymisation, system prompt leakage, and direct or indirect inference attacks that probe the model for the sensitive context it holds.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1598.003 (Phishing for Information: Spearphishing Link) | Attackers craft malicious prompts, delivered directly or through links and documents the model is asked to read, to elicit sensitive data including PII and proprietary information. | 90% |
| T1592.001 (Gather Victim Host Information: Hardware) | An improperly secured LLM can disclose details of the host hardware and runtime it executes on, aiding reconnaissance. | 80% |
| T1595.002 (Active Scanning: Vulnerability Scanning) | Attackers probe the deployed model with crafted queries to find which confidential business documents it was trained on or can retrieve, and extract strategic plans or competitive intelligence from them. | 85% |
| | LLMs with access to a local file system can be prompted to read and return sensitive files stored on the host. | 90% |
| T1074.001 (Data Staged: Local Data Staging) | LLM outputs that contain sensitive information effectively stage that data for collection, simplifying exfiltration. | 85% |
| | Automated data processing by an LLM, if not properly controlled, collects and exposes sensitive information it was never meant to handle. | 80% |
| | LLMs integrated with cloud storage can be manipulated into retrieving and disclosing sensitive data from storage objects. | 85% |
| T1560.001 (Archive Collected Data: Archive via Utility) | Attackers can prompt an LLM to summarise or bundle sensitive data, consolidating it for easier exfiltration. | 75% |
| | Sensitive data extracted from an LLM via prompt injection is effectively exfiltrated over a C2 channel, since the attacker controls where the output goes. | 90% |
| T1567.002 (Exfiltration to Cloud Storage) | An LLM with outbound tool access can be coerced into sending sensitive data to an attacker-controlled web service or cloud bucket, bypassing traditional network controls. | 85% |
| T1552.001 (Unsecured Credentials: Credentials In Files) | LLMs reveal credentials that were present in training data, in files they can read, or in system prompts. | 90% |
| | LLMs can disclose internal file paths, directory structures, or sensitive file names, aiding attacker discovery. | 80% |
| T1087.001 (Account Discovery: Local Account) | Through inference or direct access, LLMs can reveal information about user and system accounts. | 75% |
| | LLMs can be prompted to disclose details of internal network systems, connected services, or network topology. | 70% |
| T1027.003 (Obfuscated Files or Information: Steganography) | LLMs can be used to embed sensitive information in seemingly innocuous outputs, or to recover information hidden in inputs, acting as a steganographic tool. | 65% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 (Network Segmentation) | Segmenting the LLM system from sensitive internal networks prevents it from reaching, and therefore disclosing, data it was never meant to access. | 90% |
| M1035 (Limit Access to Resource Over Network) | Limiting the LLM to the resources its function requires means it cannot access or disclose sensitive data it does not need. | 95% |
| M1018 (User Account Management) | Running LLM services under tightly managed, least-privilege accounts reduces the data they are able to expose. | 85% |
| M1057 (Data Loss Prevention) | DLP controls on LLM outputs detect and block disclosure of sensitive information such as PII or proprietary data. | 90% |
| M1047 (Audit) | Auditing LLM inputs and outputs gives visibility into both attempted and actual sensitive-information leaks. | 85% |
| M1016 (Vulnerability Scanning) | Regular scanning of LLM applications and their integrations finds weaknesses that could lead to sensitive data exposure. | 80% |
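The output sanitisation called for in the regulation text and the DLP and audit mitigations above, as an added Python example (not SQUR's code and not part of the OWASP document): a post-generation guard that scans a completion for credentials and PII, refuses the whole response when a credential or a system-prompt canary appears, redacts PII otherwise, and emits an audit record that never contains the raw prompt or completion. The canary string, the detector patterns, the block/redact policy and the sample completions are all constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed canary planted in the system prompt ("Never reveal canary-7f3a9c").
# Its appearance in a completion is direct evidence of system prompt leakage.
SYSTEM_PROMPT_CANARY = "canary-7f3a9c"

# Detector patterns and the policy applied when they fire (assumptions for
# this example; a real deployment tunes both to its own data classes).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, then Luhn
}
ACTION = {
    "system_prompt_canary": "block",
    "aws_access_key": "block",
    "private_key": "block",
    "email": "redact",
    "credit_card": "redact",
}
GENERIC_REFUSAL = "I can't share that information."


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    action: str


@dataclass(frozen=True)
class GuardResult:
    allowed: bool
    text: str
    findings: tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and other 16-digit noise are not redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_output(text: str, canary: str = SYSTEM_PROMPT_CANARY) -> list:
    """Return every finding in the completion, ordered by position."""
    findings = []
    if canary and canary in text:
        i = text.index(canary)
        findings.append(Finding("system_prompt_canary", i, i + len(canary), "block"))
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            findings.append(Finding(kind, m.start(), m.end(), ACTION[kind]))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings) -> str:
    """Replace spans from the end of the string so earlier offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f"[REDACTED:{f.kind}]" + out[f.end :]
    return out


def guard(completion: str) -> GuardResult:
    findings = scan_output(completion)
    if any(f.action == "block" for f in findings):
        # Credentials and prompt leakage never reach the user, not even partially redacted.
        return GuardResult(False, GENERIC_REFUSAL, tuple(findings))
    return GuardResult(True, redact(completion, findings), tuple(findings))


def audit_record(session_id: str, prompt: str, result: GuardResult) -> dict:
    """Audit entry with no raw prompt or completion: a hash and the finding kinds only."""
    return {
        "session": session_id,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "allowed": result.allowed,
        "findings": sorted({f.kind for f in result.findings}),
    }


if __name__ == "__main__":
    # Constructed completions; the key is AWS's documented example key, not a live credential.
    leaked = ("Sure. The deploy key is AKIAIOSFODNN7EXAMPLE, ask jane.doe@example.com, "
              "card on file 4111 1111 1111 1111. (canary-7f3a9c)")
    pii_only = "Reach Jane at jane.doe@example.com; card 4111 1111 1111 1111 expires 12/27."
    for text in (leaked, pii_only):
        r = guard(text)
        print(r.allowed, r.text)
        print(audit_record("sess-1", "constructed user prompt", r))
```

The guard runs on the completion after generation and before it is returned to the user or handed to a downstream tool; the audit record is what goes to the log, so a leak in the completion does not become a second leak in the log files. Regex detectors are a floor, not a ceiling: they catch well-formed secrets and PII, and a model can be coaxed into spelling a key out one character per line, so pair them with a canary-based prompt-leak check like the one here and with least-privilege access so the model never holds the secret in the first place.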
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-20 (Improper Input Validation) | Unvalidated prompts let malicious input bypass the application's controls and drive the model into disclosing sensitive information. | 95% |
| CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) | The core weakness: the LLM's outputs expose sensitive information (PII, proprietary data) to unauthorised users. | 98% |
| CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) | LLMs violate privacy by disclosing private information, including PII, because of inadequate data anonymisation or training data leakage. | 90% |
| CWE-532 (Insertion of Sensitive Information into Log File) | Sensitive content from prompts, completions or internal processing is written to application logs, creating a second disclosure path. | 85% |
| CWE-540 (Inclusion of Sensitive Information in Source Code) | System prompt leakage: configuration details or hardcoded secrets embedded in prompt templates or other accessible components are exposed. | 80% |
| CWE-668 (Exposure of Resource to Wrong Sphere) | LLMs with excessive permissions or misconfigurations reach resources outside their intended scope (for example internal databases), leading to data exposure. | 85% |
| CWE-918 (Server-Side Request Forgery) | An LLM with a URL-fetching tool can be tricked into requesting internal services, revealing sensitive internal network information. | 75% |
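One way to close the SSRF row above (and the out-of-scope access the CWE-668 row describes) for an LLM "fetch a web page" tool, as an added Python example that is not SQUR's code: the tool only accepts http(s) URLs whose hostname is on an allowlist, rejects IP literals, embedded credentials and unusual ports, resolves the name and refuses any non-public address, and follows redirects by hand so that every hop is re-validated rather than trusting the HTTP client to follow an open redirect into the internal network. The allowlist, the fake resolver and the fake fetcher are assumptions constructed so the example runs offline.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Assumed allowlist for the model's page-fetch tool: hostnames only, never IP literals.
ALLOWED_HOSTS = {"docs.example.com", "status.example.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class BlockedURL(ValueError):
    """Raised when a URL fails the egress policy; the tool returns nothing to the model."""


@dataclass(frozen=True)
class Target:
    host: str
    ip: str
    port: int


def default_resolver(host: str) -> list:
    """Live DNS lookup; swapped for a dictionary in the offline demo below."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public(ip_text: str) -> bool:
    """False for RFC1918, loopback, link-local (incl. 169.254.169.254), CGNAT,
    reserved and multicast ranges; is_global covers all but multicast."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolve=default_resolver) -> Target:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise BlockedURL("credentials in URL")
    host = (parts.hostname or "").lower()
    if not host:
        raise BlockedURL("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise BlockedURL("IP literals are not allowed")
    if host not in allowed_hosts:
        raise BlockedURL(f"host not allowlisted: {host}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise BlockedURL("invalid port")
    if port not in (80, 443):
        raise BlockedURL(f"port not allowed: {port}")
    addrs = resolve(host)
    # Every resolved address must be public, otherwise a rebinding or split-horizon
    # DNS answer would route the allowlisted name into the internal network.
    if not addrs or not all(is_public(a) for a in addrs):
        raise BlockedURL(f"{host} resolves to a non-public address")
    return Target(host, addrs[0], port)


def is_blocked(url: str, **policy) -> bool:
    try:
        validate_fetch_url(url, **policy)
    except BlockedURL:
        return True
    return False


def fetch_tool(url: str, fetch_once, max_redirects: int = 3, **policy) -> str:
    """Follow redirects manually so each hop passes validate_fetch_url.
    fetch_once(url, target) returns (status, headers, body) and must not follow redirects."""
    for _ in range(max_redirects + 1):
        target = validate_fetch_url(url, **policy)
        status, headers, body = fetch_once(url, target)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, headers.get("Location", ""))
            continue
        return body
    raise BlockedURL("too many redirects")


if __name__ == "__main__":
    # Constructed offline stand-ins for DNS and HTTP.
    fake_dns = {"docs.example.com": ["93.184.216.34"], "status.example.com": ["10.0.0.5"]}
    resolve = lambda h: fake_dns.get(h, [])

    def fake_fetch(url, target):
        if url.endswith("/start"):
            return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""
        return 200, {}, "page:" + url

    print(fetch_tool("https://docs.example.com/ok", fake_fetch, resolve=resolve))
    for u in ("file:///etc/passwd", "https://status.example.com/", "https://docs.example.com/start"):
        try:
            fetch_tool(u, fake_fetch, resolve=resolve)
        except BlockedURL as e:
            print("blocked:", u, "->", e)
```

The returned Target carries the IP that passed the check; a real fetch_once should connect to that pinned address (sending the hostname as Host header and SNI) rather than resolving the name a second time, otherwise a DNS rebinding answer between validation and connect defeats the check. The allowlist, not the address filter, is the primary control: the address filter exists for the case where an allowlisted name is pointed somewhere it should not be.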
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0183 compute · voice-rubric self-validated