
Security Test: LLM Insecure Output Handling

Description

Default Severity:

LLM insecure output handling means that model-generated content is used or displayed without being checked first. If outputs are not validated, sanitized, or encoded for the context they land in, malicious markup, code, or data embedded in the output reaches downstream components, potentially letting attackers inject scripts, redirect server-side requests, or exfiltrate sensitive data. Developers often assume the model's output is safe by default, but without these checks the oversight opens up vulnerabilities such as XSS (when output is rendered into a page) or SSRF (when output is used to build a request). Simply put, failing to handle what the model generates properly leads to significant security risk, so every output should be treated as untrusted input.
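Added illustration, not code from this page or from the scanner: a small Python fragment showing the two failure modes the description names, rendering model text into HTML unencoded versus encoded, and gating a model-supplied URL before the server fetches it. The sample model output, the internal address and the host allowlist are constructed assumptions.

```python
import html
import ipaddress
from urllib.parse import urlparse

# Constructed sample of model output: benign text plus an HTML payload and an internal URL.
SAMPLE_OUTPUT = (
    "Summary: the report is ready. <script>document.title='pwned'</script> "
    "Source: http://10.0.0.5/internal/report"
)

# Assumption: the application only ever needs to fetch from this host.
ALLOWED_HOSTS = {"docs.example.com"}


def render_unsafe(text: str) -> str:
    """Vulnerable pattern: model text is concatenated into HTML verbatim, so any
    markup it contains becomes part of the page (stored/reflected XSS)."""
    return f"<div class='answer'>{text}</div>"


def render_safe(text: str) -> str:
    """Hardened pattern: HTML-encode the text for the element-content context.
    Note html.escape is only correct for text content; attribute, URL and
    JavaScript contexts need their own encoders."""
    return f"<div class='answer'>{html.escape(text, quote=True)}</div>"


def is_safe_fetch_target(url: str) -> bool:
    """Gate a model-supplied URL before using it in a server-side request.
    Returns True only for https URLs whose host is on the allowlist."""
    parts = urlparse(url)
    host = parts.hostname  # lowercased and with userinfo stripped, so "a@b" resolves to b
    if parts.scheme != "https" or not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Named host: must be explicitly allowed. An allowlist by name does not
        # stop DNS rebinding; re-check the resolved address at connect time too.
        return host in ALLOWED_HOSTS
    # IP literals are never on the allowlist; reject internal ranges explicitly
    # so the reason is visible in review and logs.
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return False
    return False
```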

Reference:

Configuration

Identifier: injection/llm_insecure_output_handling

Examples

All configuration available:

checks:
  injection/llm_insecure_output_handling:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API8:2023
OWASP LLM Top 10    LLM02:2023
PCI DSS             6.5.1
GDPR                Article-32
SOC2                CC6
PSD2                Article-95
ISO 27001           A.12.2
NIST                SP800-53
FedRAMP             SI-3
CWE                 200
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS Score          5.3