OWASP LLM Top 10 — 2025 Edition

$ LLM Security Research Portal

Community-driven write-ups, hands-on labs, interactive demos, and open-source tools covering the OWASP Top 10 for Large Language Model Applications.

Browse Categories Read Write-ups

10Write-ups

10Labs

10Demos

10Tools

40Total resources

// 10 Risk Categories

View all →

LLM01

Prompt Injection

Attackers manipulate LLM inputs to override instructions, exfiltrate data, or execute unintended actions through crafted prompts.

LLM02

Sensitive Information Disclosure

LLMs inadvertently reveal confidential data, system prompts, training data, or PII through outputs or inference attacks.

LLM03

Supply Chain

Compromised third-party models, datasets, or plugins introduce vulnerabilities, backdoors, or malicious behavior into LLM deployments.

LLM04

Data and Model Poisoning

Adversarial manipulation of training data or fine-tuning processes to embed backdoors or bias model behavior.

LLM05

Improper Output Handling

Downstream systems blindly trust LLM output, enabling XSS, SSRF, code injection, or command execution vulnerabilities.

LLM06

Excessive Agency

LLM agents with excessive permissions, autonomy, or capabilities perform unintended high-impact actions without oversight.

LLM07

System Prompt Leakage

Confidential system prompts, operational instructions, or business logic are extracted through carefully crafted user inputs.

LLM08

Vector and Embedding Weaknesses

Attacks exploit vulnerabilities in vector databases and embedding systems used in RAG pipelines to manipulate retrieval.

LLM09

Misinformation

LLMs generate convincing but false information, exploiting overconfidence to spread harmful or deceptive content at scale.

LLM10

Unbounded Consumption

Attackers exploit LLMs to consume excessive compute resources, inflating costs or degrading service availability.

// Recently Added

Write-upLLM10

Token Flooding and LLM DoS Economics

How adversaries exploit LLM token generation to inflate costs and degrade service availability through sponge examples and token flooding.

Mar 1, 2024

LabLLM10

Maximize Token Generation (Sponge Attack)

Guided lab: craft prompts that maximize LLM output length without triggering safety filters, simulating a cost amplification attack.

Mar 1, 2024

DemoLLM10

Token Counter and Rate Limiter Demo

Interactive demonstration of token counting and rate limiting strategies to defend against unbounded consumption attacks.

Mar 1, 2024

ToolLLM10

LLM Cost Calculator and Token Budget Tools

Tools for calculating, monitoring, and capping LLM API costs to defend against unbounded consumption attacks.

Mar 1, 2024

Write-upLLM09

Exploiting LLM Overconfidence: Hallucination as an Attack Vector

How adversaries exploit LLM tendency to hallucinate confidently, enabling misinformation campaigns and trust exploitation.

Feb 25, 2024

LabLLM09

Construct a Factual-Sounding Hallucination

Guided lab: learn to craft prompts that elicit plausible but entirely fabricated information from an LLM.

Feb 25, 2024