LLM05:2025Improper Output Handling
Slide 4 of 27
Part 1 · What Is It?Slide 4
Slide 4 · The Trust Gap
Developers trust LLM output. Attackers exploit that trust.
The model generates text. The application decides what to do with it.
❌ How developers think about it
The LLM wrote it — it must be clean
We control the prompt — so the output is controlled
The model wouldn’t produce something dangerous
It’s just text — text can’t hurt anything
✅ What’s actually true
LLM output is shaped by user-supplied input it received
Indirect prompt injection lets attackers steer output
Models reproduce text verbatim, including code
Text becomes code when a browser, shell, or DB parses it
The Chain

Attacker influences input → LLM produces output containing attacker payload → Application passes output to downstream system without sanitization → Downstream system executes the payload. The LLM is the bridge. The missing sanitization is the gap.

← BackNext → How this differs from Prompt Injection (LLM01)
📄 View sources for this lesson