Testing APIs Against The OWASP LLM Top 10

Uploaded on 2024-11-08 in TECHNOLOGY-Key Areas-Artificial Intelligence, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

GenerativeAI and Large Language Models (LLMs) are now being widely used in a business context which is significantly expanding the potential attack surface.

According to a Lightspeed survey, over 60% of those large businesses questioned said their business was using GenAI in some capacity in three or more use cases. Keen to harness the technology and gain competitive advantage, these businesses are rapidly integrating it into their operations and client facing offerings. But they’re doing so at such a rate that security is struggling to keep pace.

By 2025 its estimated there will be 750 million applications using LLMs but without sufficient testing and protection, these applications could be exposed to attack.

The focus in cybersecurity circles has been to use AI to protect against attacks but what if those attacks specifically target AI applications? It’s an issue that the OWASP industry group has grappled with, culminating in the release of the OWASP Top 10 for LLM Applications in August 2023. Aimed at developers, data scientists, and security experts tasked with designing and building applications and plug-ins leveraging LLM technologies, the Top 10 provides a concise but thorough overview of the main security issues affecting LLMs today. It covers attack tactics, techniques and procedures, with the top three attack types identified as prompt injection (both direct and indirect), insecure output handling and training data poisoning. 

How Testing APIs Can Secure AI

Key to addressing the issue of securing these applications is testing the Application Programming Interfaces (APIs) they use to access data and to communicate with each other and to relay their findings. By using synthetic traffic to proactively testing LLM applications, it then becomes possible to identify vulnerabilities such as those highlighted in the OWASP Top 10. For instance, recent testing of several popular GenAI applications revealed indirect prompt injection vulnerabilities. When standard prompts were used, these did not yield a response, but malicious prompts were able to extract additional information from the AI systems. 

In another example, it was revealed that Gemini for Workspace was susceptible to just such an attack back in September. By inserting malicious instructions into the data source the AI used, researchers were able to show they could manipulate the output of the Gemini LLM which the application integrates with.

Four tests were carried out.

  • The first saw an injected email sent to Gmail containing hidden instructions together with control tokens to trick the LLM into incorrectly summarising its content.
  • The second, similar in nature to a phishing attack, saw a warning to reset a password sent with a modified URL.
  • The third saw an attack carried out against Google Slides whereby speaker notes were used to prevent a correct summary being created.
  • While the fourth showed how sharing a file from Google Drive could be used to trick the LLM into sourcing and following instructions in a second document in the same shared folder. 

Each of these attacks shows that even a heavyweight such as Google Gemini can succumb to prompt injection.

But the effects of insecure output handling, the second biggest threat identified in the OWASP list, can be just as damaging. It can lead to cross site forgery requests (CSRF) or remote code execution (RCE), as in the case of the Ollama vulnerability reported in June. That CVE saw Ollama provide insufficient validation, enabling an attacker to send a specially crafted HTTP request to its API. This could then be used to pull a model from Ollama and then supply a malicious file that contained a malicious payload, corrupting files held on the system and allowing the attacker to hijack it. 

Preventing Poisoning

Third on the OWASP list is the poisoning of training data, which is typically seen as an open source issue, as illustrated by the one hundred malicious models that were found to have been uploaded to the Hugging Face AI repository by researchers in February. On another occasion, researchers found they could access Meta and Llama LLM repositories using unsecured API access tokens they discovered on GitHub and Hugging Face which would potentially have allowed them to poison the LLMs as well as steal models and data sets. However, this type of attack does not necessarily require a malicious actor, as models can theoretically succumb to degenerative model collapse and implode, thereby poisoning themselves. This highlights the need for both testing and detection to benchmark outputs and detect degradation in the quality of those.

What each of these attack types illustrates is the need for testing for such issues prior to deployment. By using an API-native solution, it’s possible to test AI applications against the OWASP Top 10 to determine if these can be subverted. Organisations can then provide recommendations to their developers who can take the necessary corrective action.

So far, the biggest threats posed against LLMs are the subversion of AI by malicious actors or through ungoverned or shadow AI. These issues all have one thing in common: too much trust being placed in the technology and not enough checks and balances being in put in place.

By using API testing on AI applications, it becomes possible to mitigate these risks and to prevent AI from going rogue.  

Andy Mills is  VP of EMEA for Cequence Security

Image:  Allison Saeng

You Might Also Read: 

The Unique TTPs Attackers Use To Target APIs:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« NAKIVO Backup & Replication: The Best Solution For Business Data Backup
Hackers Target Sensitive Corporate Data  »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

PortSwigger

PortSwigger

PortSwigger's Burp Suite is an integrated platform for performing security testing of web applications.

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

Viavi Solutions

Viavi Solutions

Viavi Solutions is a global leader in both network and service enablement and optical security performance products and solutions.

Cyacomb

Cyacomb

Cyacomb (formerly Cyan Forensics) provides digital forensics software to help police forces find evidence on computers many times faster than before.

MassMutual Ventures

MassMutual Ventures

Mass Mutual ventures backs companies building category-defining businesses in markets including enterprise software, digital health, cybersecurity, and fintech.

DNX Ventures

DNX Ventures

Based in Silicon Valley and Tokyo, DNX Ventures is an early stage VC for B2B startups in sectors including Cybersecurity.

Securd

Securd

Securd takes opportunities away from your cyber adversaries. Cloud-delivered zero-trust DNS firewall and web filtering protection keep your business network and remote employees safe.

r00tz Asylum

r00tz Asylum

r00tz Asylum is a nonprofit dedicated to teaching kids around the world how to love being white-hat hackers.

Check Point Software Technologies

Check Point Software Technologies

Check Point Software Technologies is a leading provider of cyber security solutions to governments and corporate enterprises globally.

The Cyber Scheme

The Cyber Scheme

The Cyber Scheme provides NCSC certified and assured assessments, training and career support for security testers & technical cyber professionals.

Fivecast

Fivecast

Fivecast is enabling a safer world. We help organizations around the world explore masses of data to uncover actionable insights.

GIS Consulting (GISPL)

GIS Consulting (GISPL)

From General Data Protection Regulations to advanced Network Infrastructure Audits, GIS Consulting has established a reputation as one the leading cyber security companies in the industry.

StackGen

StackGen

StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied.

Tanzania Industrial Research and Development Organization (TIRDO)

Tanzania Industrial Research and Development Organization (TIRDO)

TIRDO is a multi-disciplinary research and development organization.

Transcendental Technologies

Transcendental Technologies

Transcendental is a consulting organization which specializes in customized assurance services in the fields of Localization, Mobile Software Solutions, Web Design, Cyber Security & Cyber Forensics.

TDi Technologies

TDi Technologies

TDI Technologies' flagship solution ConsoleWorks, is an IT/OT cybersecurity and operations platform for Privileged Access Users.