Testing APIs Against The OWASP LLM Top 10

Uploaded on 2024-11-08 in TECHNOLOGY-Key Areas-Artificial Intelligence, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

GenerativeAI and Large Language Models (LLMs) are now being widely used in a business context which is significantly expanding the potential attack surface.

According to a Lightspeed survey, over 60% of those large businesses questioned said their business was using GenAI in some capacity in three or more use cases. Keen to harness the technology and gain competitive advantage, these businesses are rapidly integrating it into their operations and client facing offerings. But they’re doing so at such a rate that security is struggling to keep pace.

By 2025 its estimated there will be 750 million applications using LLMs but without sufficient testing and protection, these applications could be exposed to attack.

The focus in cybersecurity circles has been to use AI to protect against attacks but what if those attacks specifically target AI applications? It’s an issue that the OWASP industry group has grappled with, culminating in the release of the OWASP Top 10 for LLM Applications in August 2023. Aimed at developers, data scientists, and security experts tasked with designing and building applications and plug-ins leveraging LLM technologies, the Top 10 provides a concise but thorough overview of the main security issues affecting LLMs today. It covers attack tactics, techniques and procedures, with the top three attack types identified as prompt injection (both direct and indirect), insecure output handling and training data poisoning. 

How Testing APIs Can Secure AI

Key to addressing the issue of securing these applications is testing the Application Programming Interfaces (APIs) they use to access data and to communicate with each other and to relay their findings. By using synthetic traffic to proactively testing LLM applications, it then becomes possible to identify vulnerabilities such as those highlighted in the OWASP Top 10. For instance, recent testing of several popular GenAI applications revealed indirect prompt injection vulnerabilities. When standard prompts were used, these did not yield a response, but malicious prompts were able to extract additional information from the AI systems. 

In another example, it was revealed that Gemini for Workspace was susceptible to just such an attack back in September. By inserting malicious instructions into the data source the AI used, researchers were able to show they could manipulate the output of the Gemini LLM which the application integrates with.

Four tests were carried out.

  • The first saw an injected email sent to Gmail containing hidden instructions together with control tokens to trick the LLM into incorrectly summarising its content.
  • The second, similar in nature to a phishing attack, saw a warning to reset a password sent with a modified URL.
  • The third saw an attack carried out against Google Slides whereby speaker notes were used to prevent a correct summary being created.
  • While the fourth showed how sharing a file from Google Drive could be used to trick the LLM into sourcing and following instructions in a second document in the same shared folder. 

Each of these attacks shows that even a heavyweight such as Google Gemini can succumb to prompt injection.

But the effects of insecure output handling, the second biggest threat identified in the OWASP list, can be just as damaging. It can lead to cross site forgery requests (CSRF) or remote code execution (RCE), as in the case of the Ollama vulnerability reported in June. That CVE saw Ollama provide insufficient validation, enabling an attacker to send a specially crafted HTTP request to its API. This could then be used to pull a model from Ollama and then supply a malicious file that contained a malicious payload, corrupting files held on the system and allowing the attacker to hijack it. 

Preventing Poisoning

Third on the OWASP list is the poisoning of training data, which is typically seen as an open source issue, as illustrated by the one hundred malicious models that were found to have been uploaded to the Hugging Face AI repository by researchers in February. On another occasion, researchers found they could access Meta and Llama LLM repositories using unsecured API access tokens they discovered on GitHub and Hugging Face which would potentially have allowed them to poison the LLMs as well as steal models and data sets. However, this type of attack does not necessarily require a malicious actor, as models can theoretically succumb to degenerative model collapse and implode, thereby poisoning themselves. This highlights the need for both testing and detection to benchmark outputs and detect degradation in the quality of those.

What each of these attack types illustrates is the need for testing for such issues prior to deployment. By using an API-native solution, it’s possible to test AI applications against the OWASP Top 10 to determine if these can be subverted. Organisations can then provide recommendations to their developers who can take the necessary corrective action.

So far, the biggest threats posed against LLMs are the subversion of AI by malicious actors or through ungoverned or shadow AI. These issues all have one thing in common: too much trust being placed in the technology and not enough checks and balances being in put in place.

By using API testing on AI applications, it becomes possible to mitigate these risks and to prevent AI from going rogue.  

Andy Mills is  VP of EMEA for Cequence Security

Image:  Allison Saeng

You Might Also Read: 

The Unique TTPs Attackers Use To Target APIs:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« NAKIVO Backup & Replication: The Best Solution For Business Data Backup
Hackers Target Sensitive Corporate Data  »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Citicus

Citicus

Citicus provides world-class security, risk and compliance management software, plus supporting services.

REVI-IT

REVI-IT

REVI-IT is a Danish state-owned audit firm focusing on enterprise IT business processes and compliance,

Roke Manor Research

Roke Manor Research

Roke is a world-class electronics engineering consultancy. Areas of expertise include cyber security, cyber assurance and cryptographic solutions.

Oak Ridge National Laboratory (ORNL)

Oak Ridge National Laboratory (ORNL)

ORNL conducts basic and applied research and development in key areas of science for energy, advanced materials, supercomputing and national security including cybersecurity.

Digiserve

Digiserve

Digiserve by Telkom Indonesia is an end-to-end managed solutions provider committed to empowering enterprises in Indonesia.

Zighra

Zighra

Zighra is a leading provider of On-Device AI solutions for continuous authentication and fraud detection on mobile and web applications.

Stage2Data

Stage2Data

Stage2Data is one of Canada’s most trusted cloud solution providers offering hosted Backup and Disaster Recovery Services.

CybExer Technologies

CybExer Technologies

CybExer provide an on-premise, easily deployable solution for complex technical cyber security exercises based on experience in military grade ranges.

SYSGO

SYSGO

SYSGO is the leading European provider of real-time operating systems for critical embedded applications in the Internet of Things (IoT).

Vortiv

Vortiv

Vortiv Ltd (formerly known as Transaction Solutions International Ltd) is a technology based company focused on the cybersecurity and the cloud services sector.

SeeMetrics

SeeMetrics

SeeMetrics is an automated cybersecurity performance management platform that integrates security data and business objectives into a simple interface.

Evo Security

Evo Security

Evo Security is an Identity and Access Management company focused exclusively on serving MSPs, MSSPs and their SMB and Mid-Market customers.

Anura

Anura

The world’s most accurate ad fraud solution protects your web assets by eliminating bots, malware and human fraud, ensuring your content is seen by real people.

SolidityScan

SolidityScan

SolidityScan is an advanced smart contract scanning tool designed to uncover vulnerabilities and proactively address risks within your code.

Secure Cyber Management

Secure Cyber Management

Secure Cyber Management provides industry-leading cloud security advice, guidance and services.

Canary Technology Solutions (Canary IT)

Canary Technology Solutions (Canary IT)

A Cloud, Cyber Security, Retail Solutions and Managed IT Services provider for over 25 years, we safeguard and revolutionise business through technology and foresight.