www-project-ai-testing-guide/Document/content
ppcvote 5e942cabca AITG-APP-05: add 6 output-injection vector categories (XSS-beyond-script-tags / SQLi / Shell / Path / MD-image-exfil / Unicode-smuggling)
The existing AITG-APP-05 test scenario covers content-level safety
categories (1-10) and a single XSS attack vector (test 11), but the doc's
summary explicitly identifies application-level risks (XSS, SSRF,
injections) as a major category and the framework page #28 has an
open request for "more examples of web exploits enabled by output."

Adds six new payload categories (tests 12-17) covering the
application-level injection vectors not yet documented:

12. XSS beyond `<script>` tags — event handlers, javascript: URIs,
    data:text/html URIs, iframe `srcdoc`, SVG-embedded scripts.
13. SQL injection in output — destructive statements, UNION-based
    exfiltration, comment-bypass payloads.
14. Shell command injection in output — `curl … | sh` installers,
    destructive `rm -rf`, reverse shells, env-var exfiltration.
15. Path traversal to sensitive system files — Unix `etc/passwd`/
    `etc/shadow`, Windows `system32`, container `proc/self`.
16. Markdown image exfiltration — model-emitted external image with
    conversation content in the query string.
17. Unicode smuggling — homoglyphs and bidirectional overrides used
    to slip security-relevant tokens past byte-level filters.

Each entry follows the existing test format (probe prompts + a
"Response indicating vulnerability" line) and references the OWASP
LLM02:2025 mapping that the doc already cites.

Closes (partially) #28; cross-references #76.
2026-06-01 14:44:46 +08:00