OWASP Top 10 for LLM Applications
The LLM Top 10 is OWASP's risk framework for AI-native applications — a distinct list from the classic web Top 10. This guide walks each category and shows how an autonomous pentesting agent covers it end-to-end, from prompt injection through excessive agency.
- Behavioral LLM risks (LLM01, LLM02, LLM04, LLM06, LLM08, LLM09) automate cleanly with an agent loop.
- Supply-chain and training-data risks (LLM03, LLM05) mix agent probes with human review.
- Prompt injection × excessive agency is the highest-impact pairing in production.
- Manual prompt tools (PentestGPT) suggest payloads; an autonomous agent executes and validates them.
Why LLM apps need their own list
Classic AppSec assumes deterministic parsers: an input either escapes the SQL context or it doesn't. LLMs collapse that boundary — every token in every context is potential instruction. Prompt injection isn't a bug in one function, it's a property of the substrate. The OWASP LLM Top 10 reframes risk around that reality: model behavior, tool authority, and the trust boundary between untrusted content and system instructions.
Category-by-category coverage
| Code | Category | How the agent covers it |
|---|---|---|
| LLM01 | Prompt Injection | Agent feeds untrusted content (docs, URLs, tool outputs) into every model context and checks whether embedded instructions override the system prompt. Direct and indirect injection are both automatable. |
| LLM02 | Insecure Output Handling | Model outputs are treated as untrusted input. The agent asks the model to emit payloads (XSS, SQL, shell) and validates whether the downstream renderer/executor escapes them. |
| LLM03 | Training Data Poisoning | Partially automatable. Agent probes for backdoor triggers and biased responses; deep poisoning audits require dataset access and human review. |
| LLM04 | Model Denial of Service | Agent submits token-flooding, recursive tool-call, and expensive-context payloads to measure cost and latency amplification per request. |
| LLM05 | Supply Chain Vulnerabilities | Model registry, plugin, and fine-tune source auditing — flags unsigned artifacts, unpinned model versions, and third-party plugin trust boundaries. |
| LLM06 | Sensitive Information Disclosure | Agent probes for training-data regurgitation, system-prompt leakage, and PII in responses using structured extraction prompts. |
| LLM07 | Insecure Plugin Design | Each tool/function the model can call is fuzzed with adversarial arguments; agent validates whether tools enforce their own authz or blindly trust model input. |
| LLM08 | Excessive Agency | Agent maps the tool-call graph reachable from a prompt and files a finding when a single injection can trigger destructive actions without confirmation. |
| LLM09 | Overreliance | Behavioral check: agent submits hallucination-prone queries and verifies whether the app surfaces uncertainty or blindly renders model output as fact. |
| LLM10 | Model Theft | Agent measures response-fingerprinting and extraction-attack surface (query volume caps, watermarking, output rate limits). |
Prompt injection, executed not suggested
The gap between "here's a payload to try" and "the model executed a destructive tool call" is the whole game. PentestGPT and similar assistants stop at generating adversarial prompts. An autonomous agent submits the prompt through the real interface, observes the tool-call graph, and only files a finding when a chained action fires without confirmation. Every LLM01 report ships with the exact input, the model's response, and the downstream side effect.
What still needs a human
- Training data poisoning audits when dataset access is required.
- Threat modeling for plugin trust boundaries and cross-tenant tool exposure.
- Judging whether a hallucination in a low-stakes response is 'acceptable' or 'liability'.
- Model theft economics — deciding what extraction rate is worth defending against.
How CodeSentry runs the LLM Top 10
CodeSentry treats the LLM app the same way it treats a web app: enumerate entry points, generate adversarial inputs, execute, validate. For AI-native features it adds a model-behavior layer — a prompt-injection corpus, a tool-authority graph, and an output-handling sink map — so LLM01 through LLM10 land in the same PR queue as the classic Top 10.
Related reading: automating the classic OWASP Top 10 and CodeSentry vs PentestGPT.