OWASP_LLM_TOP10LLM07:2025voice-validated
OWASP_LLM_TOP10 LLM07: LLM07:2025
OWASP_LLM_TOP10
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
System prompts contain configuration, instructions, and sometimes sensitive data (credentials, internal endpoints, business logic) that should not be exposed. System prompt leakage occurs when an attacker extracts the system prompt via direct prompts, jailbreak techniques, indirect inference, or model output side-channels. Disclosure can enable further attacks, including improved prompt injection, model fingerprinting, and credential theft.
ATT&CK techniques this article tests · 14
| Technique | Why it maps | Confidence |
|---|---|---|
| T1566.001 | 1. Attackers use leaked system prompt information to craft highly targeted spearphishing emails, increasing success rates. This directly enables further attacks as stated in LLM07:2025. | 90% |
| T1190 | 2. Exploiting public-facing LLM applications can lead to system prompt leakage, providing attackers with critical configuration and business logic. This facilitates improved prompt injection. | 85% |
| T1592.002 | 4. Business logic and software configurations embedded in system prompts are exposed, providing attackers with insights into the LLM's operational software. | 90% |
| T1592.004 | 5. Internal endpoints mentioned in system prompts reveal network infrastructure, enabling attackers to map internal networks. | 90% |
| T1083 | 6. System prompts may inadvertently disclose file paths or directory structures, aiding attackers in discovering sensitive files. | 80% |
| T1552 | 7. Credentials directly embedded in system prompts are unsecured and become immediately available upon leakage, leading to credential theft. | 95% |
| T1003 | 8. Information from leaked prompts can be used to identify vulnerabilities or misconfigurations that facilitate OS credential dumping. | 75% |
| T1027 | 9. Jailbreak techniques often involve obfuscating malicious prompts to bypass LLM safety filters, directly leading to system prompt extraction. | 90% |
| T1497.001 | 10. Leaked system prompts can reveal details about the LLM's environment, allowing attackers to identify and evade virtualization or sandbox protections. | 70% |
| T1005 | 11. The act of extracting the system prompt from the LLM's context constitutes data collection from the local system. | 90% |
| T1039 | 12. If system prompts or related sensitive data are stored on network shared drives, their leakage can lead to collection from these resources. | 70% |
| T1041 | 13. Attackers use model output side-channels as a command and control channel to exfiltrate the sensitive system prompt data. | 85% |
| T1567.002 | 14. Leaked system prompts can be exfiltrated to attacker-controlled cloud storage services via manipulated LLM outputs. | 80% |
| T1490 | 15. Disclosure of critical system logic and configuration via prompts could enable attackers to inhibit system recovery mechanisms, causing significant impact. | 75% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1056 | 1. Protecting sensitive data exposure prevents credentials and internal endpoints within system prompts from being revealed. This directly addresses LLM07:2025's concern about sensitive data. | 95% |
| M1050 | 2. Secure software configuration of the LLM and its environment minimizes the attack surface for prompt leakage. This includes hardening LLM parameters and access controls. | 90% |
| M1054 | 3. Data Loss Prevention (DLP) solutions can detect and prevent the exfiltration of sensitive system prompt content through LLM outputs or other channels. | 85% |
| M1035 | 4. Limiting access to resources ensures that only authorized personnel and processes can view or modify system prompts, reducing leakage risk. | 90% |
| M1047 | 5. Comprehensive auditing and logging of LLM interactions and prompt access enable detection of unusual activity indicative of leakage attempts. | 85% |
| M1040 | 6. Implementing privilege separation ensures that LLM components operate with the least necessary privileges, restricting potential damage from a successful prompt injection. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | 1. Information exposure is the fundamental weakness when system prompts, containing sensitive data, are inadvertently revealed. This is the core issue of LLM07:2025. | 95% |
| CWE-798 | 2. The use of hard-coded credentials within system prompts directly leads to credential theft upon leakage. This is a critical risk highlighted by LLM07:2025. | 90% |
| CWE-94 | 3. Improper control of code generation, or code injection, is the underlying weakness allowing attackers to manipulate LLMs to reveal system prompts. | 90% |
| CWE-918 | 4. Server-Side Request Forgery (SSRF) can be enabled if prompt injection allows the LLM to make requests to internal endpoints, as mentioned in LLM07:2025. | 85% |
| CWE-359 | 5. Exposure of private information occurs when sensitive configuration, instructions, or business logic within system prompts are disclosed. | 90% |
| CWE-1336 | 6. Improper neutralization of special elements in LLM prompts is the specific weakness that enables prompt injection, leading to system prompt leakage. | 95% |
| CWE-201 | 7. Information exposure through sent data occurs if the system prompt is transmitted or processed in a manner that allows its content to be intercepted or revealed. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0180 compute · voice-rubric self-validated · 2 hallucination(s) dropped at validation