Mapping Findings to OWASP LLM Top 10
Guide for mapping AI red team findings to the OWASP Top 10 for LLM Applications, with classification guidance, reporting templates, and remediation mapping.
The OWASP Top 10 for LLM Applications has become the de facto standard for categorizing AI security vulnerabilities. Mapping your red team findings to OWASP categories adds industry-recognized context, helps clients understand where their vulnerabilities fit in the broader landscape, and satisfies auditors who expect standardized classification. However, the mapping is not always one-to-one: many AI findings span multiple categories, and some findings do not fit cleanly into any category. This walkthrough provides systematic guidance for accurate, useful OWASP mapping.
This walkthrough references OWASP Top 10 for LLM Applications version 2025 (v2.0). Category numbering and descriptions may differ in future versions.
Step 1: Understand the OWASP LLM Top 10 Categories
Quick Reference Table
| # | Category | Core Risk | Common Finding Types |
|---|---|---|---|
| LLM01 | Prompt Injection | Untrusted input manipulates model behavior | Direct injection, indirect injection, jailbreaks |
| LLM02 | Sensitive Information Disclosure | Model reveals confidential data | System prompt extraction, PII leakage, training data exposure |
| LLM03 | Supply Chain Vulnerabilities | Compromised components in AI pipeline | Poisoned models, malicious plugins, compromised training data |
| LLM04 | Data and Model Poisoning | Tampered training or fine-tuning data | Backdoor injection, bias introduction, knowledge base poisoning |
| LLM05 | Improper Output Handling | Unsafe use of model outputs | XSS via output, SQL injection via tool calls, SSRF |
| LLM06 | Excessive Agency | Model takes unauthorized actions | Unrestricted function calling, excessive permissions, autonomous actions |
| LLM07 | System Prompt Leakage | System instructions revealed to users | Direct extraction, inference-based extraction, error message leakage |
| LLM08 | Vector and Embedding Weaknesses | Vulnerabilities in RAG/embedding systems | Data exfiltration, access control bypass, embedding inversion |
| LLM09 | Misinformation | Model generates false or misleading content | Hallucination exploitation, authority spoofing, false citations |
| LLM10 | Unbounded Consumption | Resource exhaustion attacks | Token exhaustion, compute abuse, denial of service |
Step 2: Map Findings to Categories
Mapping Decision Process
For each finding, work through this decision process:
Finding: [Description]
│
├── Does it involve manipulating model behavior via input?
│ └── Yes → LLM01: Prompt Injection
│ └── Is the injection direct (user input) or indirect (external data)?
│
├── Does the model reveal confidential information?
│ └── Yes → LLM02: Sensitive Information Disclosure
│ └── Also check LLM07 if the system prompt specifically is leaked
│
├── Does it involve compromised third-party components?
│ └── Yes → LLM03: Supply Chain Vulnerabilities
│
├── Does it involve tampered training/fine-tuning data?
│ └── Yes → LLM04: Data and Model Poisoning
│
├── Does the application unsafely handle model output?
│ └── Yes → LLM05: Improper Output Handling
│ └── Example: output rendered as HTML, used in SQL, passed to a shell
│
├── Does the model take actions beyond its intended scope?
│ └── Yes → LLM06: Excessive Agency
│ └── Unauthorized function calls, excessive permissions
│
├── Are system prompt contents exposed?
│ └── Yes → LLM07: System Prompt Leakage
│
├── Does it involve RAG/embedding vulnerabilities?
│ └── Yes → LLM08: Vector and Embedding Weaknesses
│
├── Does the model generate false/misleading information?
│ └── Yes → LLM09: Misinformation
│
└── Does it involve resource exhaustion?
└── Yes → LLM10: Unbounded Consumption
Common Multi-Category Findings
Many findings legitimately span multiple categories. Document the primary and secondary categories:
| Finding Description | Primary Category | Secondary Category | Rationale |
|---|---|---|---|
| Prompt injection extracts the system prompt | LLM01 | LLM07 | Injection is the attack method, prompt leakage is the impact |
| Injection causes unauthorized function call | LLM01 | LLM06 | Injection enables excessive agency |
| RAG retrieves cross-tenant documents | LLM08 | LLM02 | Embedding weakness causes information disclosure |
| Model output rendered as HTML causes XSS | LLM05 | LLM01 | Output handling flaw, possibly enabled by injection |
| Jailbreak generates harmful misinformation | LLM01 | LLM09 | Injection bypass enables misinformation generation |
| Token exhaustion via crafted prompts | LLM01 | LLM10 | Injection technique causes unbounded consumption |
Step 3: Create the OWASP Mapping Table
Finding-to-OWASP Mapping Template
# OWASP LLM Top 10 Mapping
## Mapping Summary
| OWASP Category | Findings Mapped | Highest Severity |
|---------------|----------------|-----------------|
| LLM01: Prompt Injection | F-001, F-002, F-003 | Critical |
| LLM02: Sensitive Information Disclosure | F-004, F-007 | High |
| LLM03: Supply Chain Vulnerabilities | None identified | N/A |
| LLM04: Data and Model Poisoning | Not in scope | N/A |
| LLM05: Improper Output Handling | F-008 | Medium |
| LLM06: Excessive Agency | F-005 | High |
| LLM07: System Prompt Leakage | F-004 | High |
| LLM08: Vector and Embedding Weaknesses | F-007 | High |
| LLM09: Misinformation | F-010 | Low |
| LLM10: Unbounded Consumption | F-009 | Medium |
## Coverage Assessment
- Categories tested and findings identified: 7/10
- Categories tested with no findings: 1/10 (LLM03)
- Categories not in scope: 2/10 (LLM04 - no access to training pipeline)
Detailed Mapping Per Finding
## F-001: Direct Prompt Injection Bypass
### OWASP Mapping
- **Primary:** LLM01 - Prompt Injection
- **Secondary:** None
- **Subcategory:** Direct Prompt Injection (user-supplied input)
### OWASP Description Alignment
This finding aligns with LLM01 as follows:
- Attack vector: User-crafted prompt that overrides system instructions
- Vulnerability: Insufficient input validation and model instruction adherence
- Impact: Content safety policy bypass, potential for harmful output generation
### OWASP Remediation Guidance (adapted)
OWASP LLM01 recommends:
1. Enforce privilege control on LLM access to backend systems → **Applicable**
2. Add a human in the loop for high-risk actions → **Applicable for tool use**
3. Segregate external content from user prompts → **Applicable**
4. Establish trust boundaries between LLM and external sources → **Applicable**
### Our Specific Recommendations
[Include engagement-specific recommendations that build on OWASP guidance]
Step 4: Handle Edge Cases
Findings That Do Not Map Cleanly
Some AI security findings do not fit neatly into OWASP categories. Document these as supplementary findings.
# Supplementary Findings (Outside OWASP LLM Top 10)
## Finding F-011: Model Fingerprinting
The AI system reveals its underlying model identity, version, and configuration when asked directly.
**Closest OWASP category:** LLM02 (Information Disclosure)
**Why it doesn't fit perfectly:** OWASP LLM02 focuses on sensitive data exposure (PII, confidential data). Model identity disclosure is a reconnaissance finding that enables more targeted attacks but is not itself a data breach.
**Classification:** Supplementary finding - Reconnaissance enabler
**Severity:** Low
Category Disambiguation
When the mapping is ambiguous, use these rules:
| Scenario | Rule | Example |
|---|---|---|
| Attack method vs. impact | Map to the impact category primarily | Injection (method) causing data leak (impact) → LLM02 primary |
| Overlapping categories | Map to the most specific category | System prompt leak → LLM07 (specific) over LLM02 (general) |
| Chain of vulnerabilities | Map each link to its own category | Injection → Agency → Output = LLM01 + LLM06 + LLM05 |
| Category not testable | Document as "Not in scope" | Training data poisoning when no training access |
Step 5: Leverage OWASP for Remediation Guidance
OWASP provides remediation guidance for each category. Map your recommendations to OWASP guidance for additional authority.
Remediation Cross-Reference
# Remediation Cross-Reference with OWASP Guidance
## F-001: Direct Prompt Injection → LLM01
| OWASP Recommended Control | Our Finding's Status | Our Recommendation |
|--------------------------|---------------------|-------------------|
| Constrain model behavior within well-defined boundaries | Partially implemented (system prompt) | Implement multi-layer enforcement |
| Validate and sanitize all input | Basic filter present but bypassable | Enhance filter with multi-language support |
| Apply defense in depth | Single-layer defense only | Add output filtering as second layer |
| Implement input/output length limits | Length limits present | Adequate, no changes needed |
| Use content filtering on outputs | Not implemented | Implement output content moderation |
## F-005: Unauthorized Function Calling → LLM06
| OWASP Recommended Control | Our Finding's Status | Our Recommendation |
|--------------------------|---------------------|-------------------|
| Limit functions available to the LLM | All functions available | Implement role-based function access |
| Avoid open-ended function calls | Functions accept arbitrary parameters | Add strict parameter schemas |
| Require human approval for high-impact actions | No human-in-the-loop | Add approval flow for destructive actions |
| Implement rate limiting for function calls | No function-specific rate limits | Add per-function rate limiting |
| Log all function call activity | Basic logging present | Enhance with parameter and result logging |
Step 6: Generate the OWASP Summary Section for the Report
Include an OWASP mapping section in the report that provides at-a-glance classification.
Report Section Template
## OWASP Top 10 for LLM Applications Coverage
This assessment evaluated the target system against the OWASP Top 10 for LLM Applications (v2.0, 2025). The following table summarizes coverage and findings for each category.
| # | Category | Tested | Findings | Highest Severity |
|---|---------|--------|---------|-----------------|
| LLM01 | Prompt Injection | Yes | 3 | Critical |
| LLM02 | Sensitive Information Disclosure | Yes | 2 | High |
| LLM03 | Supply Chain Vulnerabilities | Partial | 0 | - |
| LLM04 | Data and Model Poisoning | No* | 0 | - |
| LLM05 | Improper Output Handling | Yes | 1 | Medium |
| LLM06 | Excessive Agency | Yes | 1 | High |
| LLM07 | System Prompt Leakage | Yes | 1 | High |
| LLM08 | Vector and Embedding Weaknesses | Yes | 1 | High |
| LLM09 | Misinformation | Yes | 1 | Low |
| LLM10 | Unbounded Consumption | Yes | 1 | Medium |
*LLM04 was not tested as the assessment scope did not include access to the training or fine-tuning pipeline.
### Key Observations
- The system's highest risk concentration is in **LLM01 (Prompt Injection)**, with three findings including one rated Critical.
- **LLM06 (Excessive Agency)** findings are amplified by LLM01 weaknesses, as prompt injection enables unauthorized function calling.
- The system shows strong resistance to **LLM03 (Supply Chain)** risks through use of established AI providers with controlled dependency management.
Common OWASP Mapping Mistakes
- Forcing every finding into exactly one category. Many findings legitimately span two or three OWASP categories. Use primary/secondary classification rather than forcing a single mapping.
- Mapping by attack method instead of impact. A prompt injection that causes data leakage should map primarily to LLM02 (impact) with LLM01 as secondary (method). The client cares about the impact more than the technique.
- Ignoring categories not in scope. If you did not test for supply chain vulnerabilities, say so explicitly. An empty row without explanation looks like the assessment missed a category rather than intentionally excluded it.
- Using outdated OWASP versions. The OWASP LLM Top 10 has been updated multiple times. Specify which version you are mapping to and verify your category descriptions match.
- Treating OWASP mapping as a compliance checklist. OWASP is a classification framework, not a compliance standard. Mapping findings to OWASP categories adds context but does not substitute for thorough, engagement-specific testing and analysis.
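As an added example (not part of the original guide), the following Python script applies the Step 4 disambiguation rules (impact primary, method secondary, specific category over general, every chain link kept) to constructed finding records and builds the Step 3 summary table so that no empty row goes unexplained. The finding ids, severities, the LLM07-over-LLM02 pair and the scope notes are constructed assumptions.

```python
# Added example (not from the page): constructed findings run through the Step 4 rules into a Step 3 summary.
OWASP_LLM_2025 = {
    "LLM01": "Prompt Injection", "LLM02": "Sensitive Information Disclosure",
    "LLM03": "Supply Chain Vulnerabilities", "LLM04": "Data and Model Poisoning",
    "LLM05": "Improper Output Handling", "LLM06": "Excessive Agency",
    "LLM07": "System Prompt Leakage", "LLM08": "Vector and Embedding Weaknesses",
    "LLM09": "Misinformation", "LLM10": "Unbounded Consumption",
}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
MORE_SPECIFIC_THAN = {"LLM07": "LLM02"}  # assumed pair: specific category -> general one it displaces

def classify(method, impacts):
    """Impact is primary and the attack method secondary; a specific category displaces its general one; all chain links are kept."""
    superseded = {MORE_SPECIFIC_THAN[c] for c in impacts if c in MORE_SPECIFIC_THAN}
    impacts = [c for c in impacts if c not in superseded]
    if not impacts:  # nothing beyond the method itself, e.g. a plain jailbreak
        return method, []
    secondary = impacts[1:] + ([method] if method not in impacts else [])
    return impacts[0], secondary

def summarize(findings, tested, not_in_scope):
    """Per-category finding ids, highest severity and a status, so no empty row is left unexplained (mapping mistake 3)."""
    rows = {cat: {"findings": [], "highest": None, "status": ""} for cat in OWASP_LLM_2025}
    for f in findings:
        primary, secondary = classify(f["method"], f["impacts"])
        for cat in [primary] + secondary:
            row = rows[cat]
            row["findings"].append(f["id"])
            if row["highest"] is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[row["highest"]]:
                row["highest"] = f["severity"]
    for cat, row in rows.items():
        if row["findings"]:
            row["status"] = "findings"
        elif cat in not_in_scope:
            row["status"] = "not in scope: " + not_in_scope[cat]
        elif cat in tested:
            row["status"] = "tested, no findings"
        else:
            row["status"] = "UNEXPLAINED GAP"  # resolve before the report goes out
    return rows

FINDINGS = [  # constructed sample records; ids and severities are illustrative
    {"id": "F-001", "severity": "Critical", "method": "LLM01", "impacts": []},
    {"id": "F-004", "severity": "High", "method": "LLM01", "impacts": ["LLM07", "LLM02"]},
    {"id": "F-005", "severity": "High", "method": "LLM01", "impacts": ["LLM06", "LLM05"]},
    {"id": "F-007", "severity": "High", "method": "LLM08", "impacts": ["LLM02"]},
]
TESTED = {"LLM01", "LLM02", "LLM03", "LLM05", "LLM06", "LLM07", "LLM08"}
NOT_IN_SCOPE = {"LLM04": "no access to training pipeline"}  # constructed scope note
```

Running `summarize(FINDINGS, TESTED, NOT_IN_SCOPE)` flags LLM09 and LLM10 as unexplained gaps, the case the mapping-mistakes list warns about.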
A red team finding shows that a prompt injection attack causes the AI to call a database function and return records from another tenant's account. Which OWASP LLM categories should this be mapped to?
Related Topics
- Mapping to MITRE ATLAS -- Complementary attack mapping framework
- Finding Severity Classification -- Severity ratings referenced in OWASP mapping
- NIST AI RMF Assessment -- Another standards framework for AI risk
- EU AI Act Compliance Testing -- Regulatory compliance that references OWASP