ppcvote
5e942cabca
The existing AITG-APP-05 test scenario covers content-level safety categories (1-10) and a single XSS attack vector (test 11), but the doc's summary explicitly identifies application-level risks (XSS, SSRF, injections) as a major category and the framework page #28 has an open request for "more examples of web exploits enabled by output." Adds six new payload categories (tests 12-17) covering the application-level injection vectors not yet documented: 12. XSS beyond `<script>` tags — event handlers, javascript: URIs, data:text/html URIs, iframe `srcdoc`, SVG-embedded scripts. 13. SQL injection in output — destructive statements, UNION-based exfiltration, comment-bypass payloads. 14. Shell command injection in output — `curl … | sh` installers, destructive `rm -rf`, reverse shells, env-var exfiltration. 15. Path traversal to sensitive system files — Unix `etc/passwd`/ `etc/shadow`, Windows `system32`, container `proc/self`. 16. Markdown image exfiltration — model-emitted external image with conversation content in the query string. 17. Unicode smuggling — homoglyphs and bidirectional overrides used to slip security-relevant tokens past byte-level filters. Each entry follows the existing test format (probe prompts + a "Response indicating vulnerability" line) and references the OWASP LLM02:2025 mapping that the doc already cites. Closes (partially) #28; cross-references #76.
OWASP AI Testing Guide Table of Contents
1. Introduction
2. Threat Modeling AI Systems
3. OWASP AI Testing Guide Framework
-
3.1 🟦 AI Application Testing
-
3.1.1 | AITG-APP-01 | Testing for Prompt Injection |
-
3.1.2 | AITG-APP-02 | Testing for Indirect Prompt Injection |
-
3.1.3 | AITG-APP-03 | Testing for Sensitive Data Leak |
-
3.1.4 | AITG-APP-04 | Testing for Input Leakage |
-
3.1.5 | AITG-APP-05 | Testing for Unsafe Outputs |
-
3.1.6 | AITG-APP-06 | Testing for Agentic Behavior Limits |
-
3.1.7 | AITG-APP-07 | Testing for Prompt Disclosure |
-
3.1.8 | AITG-APP-08 | Testing for Embedding Manipulation |
-
3.1.9 | AITG-APP-09 | Testing for Model Extraction |
-
3.1.10 | AITG-APP-10 | Testing for content Bias |
-
3.1.11 | AITG-APP-11 | Testing for Hallucinations |
-
3.1.12 | AITG-APP-12 | Testing for Toxic Output |
-
3.1.13 | AITG-APP-13 | Testing for Over-Reliance on AI |
-
3.1.14 | AITG-APP-14 | Testing for Explainability and Interpretability |
-
3.2 🟪 AI Model Testing
-
3.2.1 | AITG-MOD-01 | Testing for Evasion Attacks |
-
3.2.2 | AITG-MOD-02 | Testing for Runtime Model Poisoning |
-
3.2.3 | AITG-MOD-03 | Testing for Poisoned Training Sets |
-
3.2.4 | AITG-MOD-04 | Testing for Membership Inference |
-
3.2.5 | AITG-MOD-05 | Testing for Inversion Attacks |
-
3.2.6 | AITG-MOD-06 | Testing for Robustness to New Data |
-
3.2.7 | AITG-MOD-07 | Testing for Goal Alignment |
-
3.3.1 | AITG-INF-01 | Testing for Supply Chain Tampering |
-
3.3.2 | AITG-INF-02 | Testing for Resource Exhaustion |
-
3.3.3 | AITG-INF-03 | Testing for Plugin Boundary Violations |
-
3.3.4 | AITG-INF-04 | Testing for Capability Misuse |
-
3.3.5 | AITG-INF-05 | Testing for Fine-tuning Poisoning |
-
3.3.6 | AITG-INF-06 | Testing for Dev-Time Model Theft |
-
3.4 🟨 AI Data Testing
-
3.4.1 | AITG-DAT-01 | Testing for Training Data Exposure |
-
3.4.2 | AITG-DAT-02 | Testing for Runtime Exfiltration |
-
3.4.3 | AITG-DAT-03 | Testing for Dataset Diversity & Coverage |
-
3.4.4 | AITG-DAT-04 | Testing for Harmful in Data |
-
3.4.5 | AITG-DAT-05 | Testing for Data Minimization & Consent |
4. Chapter 4: Appendices and References
-
4.1 Appendix A: Rationale For Using SAIF (Secure AI Framework)
-
4.2 Appendix B: Distributed, Immutable, Ephemeral (DIE) Threat Identification
-
4.4 Appendix D: Threat Enumeration to AI Architecture Components
-
4.5 Appendix E: Mapping AI Threats Against AI Systems Vulnerabilities (CVEs & CWEs)
-
4.6 References