What is OWASP LLM01 and which attacks does it cover?

Question

Accepted Answer

OWASP LLM01 — Prompt Injection — is the top-ranked vulnerability in the OWASP LLM Top 10. It covers any technique that causes an LLM to follow attacker-controlled instructions, and is broken into two primary sub-types: **direct** (the attacker is the user, pasting payloads into the chat or API) and **indirect** (the payload arrives through a document, web page, email, tool output, RAG corpus, or other untrusted source the model later ingests). OWASP's LLM01 explicitly enumerates downstream harms: data exfiltration (the model leaks system prompts or RAG contents), privilege escalation (the model calls a higher-trust tool than intended), social engineering (the model emits attacker-supplied text to a downstream user), and persistent compromise via stored injection. LLM01 interacts with LLM02 (insecure output handling), LLM06 (sensitive information disclosure), and LLM07 (insecure plugin/tool design) — a single injection often chains across categories. InjectShield's detector categories map 1:1 to LLM01 sub-types: direct, indirect, stored, multi-turn, role-confusion, jailbreak, and tool-misuse — each surfaced as a distinct verdict so teams can tune thresholds per surface (chatbot vs. RAG vs. agent).