
Security Test: LLM Insecure Plugin Design

Description

Default Severity:

LLM insecure plugin design occurs when plugins integrated with large language models do not validate the inputs they receive or enforce permission controls on the actions they perform. An attacker can then use the model to make a plugin execute harmful code or return sensitive data without proper authorization, with outcomes such as remote code execution or data theft. Developers often omit thorough input validation or trust inputs that originate from the model or from external sources, which leaves a serious security gap until it is fixed.
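As an added illustration (example code, not part of this page or of the scanner it documents), the dispatcher below shows the two controls the description calls for: every tool call emitted by the model is treated as untrusted input and validated against a declared argument schema, and each tool is executed only if the human caller, not the model, holds the required scope. The tool names, scopes and the in-memory document store are hypothetical and constructed for the example.

```python
"""Minimal LLM tool/plugin dispatcher that validates model-emitted tool calls
and enforces caller permissions before running anything.

Tool names, scope names and DOCUMENTS are constructed for this example."""
import json
import re
from dataclasses import dataclass
from typing import Callable


class PluginError(Exception):
    """Raised for any tool call that fails validation or authorization."""


@dataclass
class ToolSpec:
    name: str
    required_scope: str            # scope the *caller* must hold
    arg_patterns: dict             # arg name -> regex the value must fully match
    handler: Callable[[dict], object]


# Constructed sample document store (stands in for a real backend)
DOCUMENTS = {
    "handbook": "Employee handbook: section 1 ...",
    "report-2023": "Quarterly numbers ...",
}

REGISTRY = {
    "read_document": ToolSpec(
        name="read_document",
        required_scope="docs:read",
        arg_patterns={"doc_id": r"[a-z0-9-]{1,32}"},
        handler=lambda a: DOCUMENTS.get(a["doc_id"], ""),
    ),
    "delete_document": ToolSpec(
        name="delete_document",
        required_scope="docs:write",
        arg_patterns={"doc_id": r"[a-z0-9-]{1,32}"},
        handler=lambda a: DOCUMENTS.pop(a["doc_id"], None) is not None,
    ),
}


def dispatch(model_output: str, caller_scopes: set) -> dict:
    """Validate and authorize one tool call produced by the model.

    1. Parse strictly as JSON; reject anything that is not {"tool", "args"}.
    2. The tool must be registered; the model cannot name arbitrary functions.
    3. Exactly the declared arguments must be present, each a string matching
       its pattern, so path separators, shell metacharacters etc. never reach
       the handler.
    4. The caller's scopes, not anything the model says, decide authorization.
    """
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError:
        raise PluginError("tool call is not valid JSON")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise PluginError("tool call must contain exactly 'tool' and 'args'")
    if not isinstance(call["tool"], str) or call["tool"] not in REGISTRY:
        raise PluginError("unknown tool")
    spec = REGISTRY[call["tool"]]
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec.arg_patterns):
        raise PluginError("unexpected or missing arguments")
    for key, pattern in spec.arg_patterns.items():
        if not isinstance(args[key], str) or not re.fullmatch(pattern, args[key]):
            raise PluginError(f"argument {key!r} failed validation")
    if spec.required_scope not in caller_scopes:
        raise PluginError(f"caller lacks scope {spec.required_scope!r}")
    return {"tool": spec.name, "result": spec.handler(args)}


def safe_dispatch(model_output: str, caller_scopes: set) -> tuple:
    """Wrapper returning (ok, payload) so the outcome can be logged/asserted."""
    try:
        return True, dispatch(model_output, caller_scopes)
    except PluginError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed model outputs: one benign call and three that must be refused
    samples = [
        '{"tool": "read_document", "args": {"doc_id": "handbook"}}',
        '{"tool": "read_document", "args": {"doc_id": "../../etc/passwd"}}',
        '{"tool": "run_shell", "args": {"cmd": "id"}}',
        '{"tool": "delete_document", "args": {"doc_id": "handbook"}}',
    ]
    for s in samples:
        print(safe_dispatch(s, {"docs:read"}))
```

The read-only caller in the sample gets the handbook back, while the traversal-style identifier, the unregistered tool and the write operation are all refused before any handler runs; logging those refusals is a useful detection signal for prompt-injection attempts against plugins.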

Reference:

Configuration

Identifier: injection/llm_insecure_plugin_design

Examples

All configuration available:

checks:
  injection/llm_insecure_plugin_design:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API8:2023
OWASP LLM Top 10    LLM07:2023
PCI DSS             6.5.1
GDPR                Article-32
SOC2                CC6
PSD2                Article-95
ISO 27001           A.12.2
NIST                SP800-53
FedRAMP             SI-3
CWE                 915
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS Score          5.0