@harryf
Created June 16, 2026 06:45
# OWASP Top 10 for LLM Applications - Video Summary

A walkthrough of the 2025 OWASP Top 10 for Large Language Model applications, the most common security threats teams hit when they put LLMs into production, plus the defenses for each.

Each section links to its timestamp in the video and to the matching entry in the official OWASP 2025 guide. Rank movements are versus the 2023 list.


## Intro - why this matters

Jump to 0:00

One clever prompt, one exposed training file, or one sketchy plugin can turn a helpful assistant into a security incident. OWASP (the community behind the classic Top 10 for web apps) first published an LLM Top 10 in 2023; this is the updated list reflecting what we have learned since.

## 1. Prompt Injection (LLM01:2025) - no change

Jump to 1:06 | OWASP guide

Crafted input steers the model into doing something it shouldn't, because LLMs don't reliably separate instructions from input. Direct injection is when the attacker types the malicious command; indirect injection hides it in content the model is asked to process (e.g. an article it summarizes). Results range from data leaks to unsafe instructions to arbitrary command execution, and creative phrasing (a poem, Morse code) can slip past prose-based guardrails. Defenses: harden the system prompt, put an AI firewall/gateway in front to inspect inputs and outputs, and penetration-test with injection attempts.

## 2. Sensitive Information Disclosure (LLM02:2025) - up 4

Jump to 7:01 | OWASP guide

The model leaks PII, health data, financials, or proprietary IP it was trained on. Attackers can also query repeatedly to reconstruct the model itself (a model inversion / extraction attack). Defenses: sanitize and filter what goes into training, use an AI gateway to redact sensitive outputs, apply strong access controls on the model, the data and the users, and close misconfigurations (AI security posture management).

## 3. Supply Chain Vulnerabilities (LLM03:2025) - up 2

Jump to 11:45 | OWASP guide

The stack (data, model, application, and the infrastructure underneath) is full of components you didn't build. Most teams pull models from open sources like Hugging Face (2M+ models, many over a billion parameters), far too large to inspect manually, so you ingest unverified components and hope for the best. Defenses: vet data and suppliers, track provenance (a chain of custody), scan and red-team models for vulnerabilities, and patch/keep software current.

## 4. Data and Model Poisoning (LLM04:2025) - down 1

Jump to 15:11 | OWASP guide

Tampered training or RAG data injects error, bias, or even model-borne malware that ripples into the model's accuracy. A little "toxin in the drinking water" spreads. Retrieval-augmented generation (RAG) cuts hallucinations by grounding answers in a supplied document, but a poisoned RAG source reintroduces the problem. Defenses: know your sources, apply access controls over the model, training data and RAG data, and enforce change control on the system.

## 5. Improper Output Handling (LLM05:2025)

Jump to 19:12 | OWASP guide

When the model's output flows into another system (code, a browser, a database query), unchecked output can introduce cross-site scripting, SQL injection, or remote code execution downstream. Defense: validate and sanitize outputs rather than blindly trusting whatever the LLM emits.
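The SQL case from this section, as an added example that is not from the video or the OWASP guide: the vulnerable pattern pastes the model's free text into a query, while the hardened version makes the model emit a small JSON filter, allowlists the column and operator, and binds the value as a parameter. The `orders` table and the model outputs are constructed for the demo.

```python
import json
import sqlite3

# Constructed in-memory table standing in for the application's database.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE orders(id INTEGER, customer TEXT, total REAL);
INSERT INTO orders VALUES (1, 'alice', 120.0), (2, 'bob', 80.5), (3, 'carol', 15.0);
""")

# The only filter shapes the application accepts from the model.
ALLOWED_COLUMNS = {"id", "customer", "total"}
ALLOWED_OPS = {"=", "<", ">"}


def unsafe_query(llm_where_clause: str) -> list:
    """Vulnerable: the model's raw text becomes part of the SQL statement."""
    sql = f"SELECT id, customer FROM orders WHERE {llm_where_clause}"
    return _conn.execute(sql).fetchall()


def safe_query(llm_json: str) -> list:
    """Hardened: structured output, allowlisted identifiers, bound value."""
    try:
        spec = json.loads(llm_json)
    except json.JSONDecodeError as exc:
        raise ValueError("model output is not valid JSON") from exc
    if not isinstance(spec, dict):
        raise ValueError("model output must be a JSON object")
    column, op, value = spec.get("column"), spec.get("op"), spec.get("value")
    if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
        raise ValueError(f"rejected filter: {column!r} {op!r}")
    if isinstance(value, bool) or not isinstance(value, (str, int, float)):
        raise ValueError("filter value must be a scalar")
    # Column and operator come from our allowlists; the value never touches the SQL text.
    sql = f"SELECT id, customer FROM orders WHERE {column} {op} ?"
    return _conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    print(unsafe_query("customer = 'bob'"))            # intended: one row
    print(unsafe_query("customer = 'bob' OR 1=1"))     # model output hijacked: every row
    print(safe_query('{"column": "customer", "op": "=", "value": "bob"}'))
    print(safe_query('{"column": "customer", "op": "=", "value": "bob\' OR 1=1 --"}'))  # []
```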

## 6. Excessive Agency (LLM06:2025)

Jump to 20:16 | OWASP guide

Giving the model too much power (tools, APIs, plugins, control over real-world systems) means a hijack, or even a hallucination, can cause real damage, including to health and safety. Defense: limit the model's permissions and autonomy to the minimum it needs.
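One way to enforce that minimum, as an added example not taken from the video or the OWASP guide: every tool the model may call carries a scope fixed by the developer, each deployment gets a policy listing the scopes it is granted and which of those still need a human sign-off, and the gate decides from the policy alone, so a hijacked or hallucinating model cannot widen its own permissions. The tool names, scopes and policies are hypothetical.

```python
import json
from dataclasses import dataclass

# Scope of effect for each tool, declared by the developer, never by the model.
TOOL_SCOPES = {
    "search_docs": "read",
    "read_ticket": "read",
    "close_ticket": "write",
    "refund_customer": "money",
}


@dataclass(frozen=True)
class AgentPolicy:
    allowed_scopes: frozenset    # scopes this deployment may use at all
    approval_scopes: frozenset   # granted scopes that also require a human sign-off


# A summarisation assistant only ever needs to read.
READ_ONLY = AgentPolicy(frozenset({"read"}), frozenset())
# A support agent may close tickets with approval, and may never move money.
SUPPORT_AGENT = AgentPolicy(frozenset({"read", "write"}), frozenset({"write"}))


def gate_tool_call(model_output: str, policy: AgentPolicy, human_approved: bool = False) -> dict:
    """Decide whether a model-proposed tool call may run under the given policy."""
    try:
        call = json.loads(model_output)
        name, args = call["tool"], call.get("args", {})
    except (json.JSONDecodeError, KeyError, TypeError, AttributeError):
        return {"status": "rejected", "reason": "malformed tool call"}
    scope = TOOL_SCOPES.get(name)
    if scope is None:
        return {"status": "rejected", "reason": f"unknown tool {name!r}"}
    if scope not in policy.allowed_scopes:
        return {"status": "rejected", "reason": f"{name!r} needs scope {scope!r}, not granted"}
    if scope in policy.approval_scopes and not human_approved:
        # The call is held until a person confirms it; the model cannot self-approve.
        return {"status": "pending_approval", "tool": name, "args": args}
    return {"status": "allowed", "tool": name, "args": args}


if __name__ == "__main__":
    print(gate_tool_call('{"tool": "search_docs", "args": {"q": "sla"}}', READ_ONLY))
    print(gate_tool_call('{"tool": "refund_customer", "args": {"id": 7}}', READ_ONLY))
    print(gate_tool_call('{"tool": "close_ticket", "args": {"id": 7}}', SUPPORT_AGENT))
```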

## 7. System Prompt Leakage (LLM07:2025)

Jump to 21:26 | OWASP guide

If the system prompt holds secrets (credentials, API keys for apps the model logs into) and there's no guard, a cleverly phrased question can pull them out. Defense: keep sensitive data out of the system prompt and guard against leakage.

## 8. Vector and Embedding Weaknesses (LLM08:2025)

Jump to 22:16 | OWASP guide

A manipulated RAG document can bleed into and persist in the LLM instead of just "washing over" it, making the system unreliable. Defense: ensure retrieved content informs the answer without permanently altering the model.

## 9. Misinformation (LLM09:2025)

Jump to 23:01 | OWASP guide

Output can be false through manipulation or hallucination. Defense: apply critical thinking, cross-reference answers against other sources, and don't base decisions on shaky ground.

## 10. Unbounded Consumption (LLM10:2025)

Jump to 23:43 | OWASP guide

Too many requests, long-running ones, or compute-heavy ones can take the system down (denial of service) or run up the bill (denial of wallet). Defense: rate-limit and manage resource consumption.


## Wrap-up

Jump to 24:41

That's the OWASP Top 10 for LLMs. The attackers already know these; the guidance exists so defenders do too. See the OWASP guide for full detail on each risk.
