Slides 9–13 · 4 attack patterns, each a real incident
Slide 9 · Types Overview
Four ways improper output handling gets exploited.
Each targets a different downstream system, and each has a documented real-world incident.
1. XSS via LLM Output — Slide 10
LLM output rendered as HTML in a browser, executing attacker-supplied scripts. Demonstrated against ChatGPT plugins and AI-powered web applications.
2. Code Injection / RCE — Slide 11
LLM-generated code passed to eval() or exec() without sandboxing. CVE-2023-29374 in LangChain: CVSS 9.8, arbitrary Python execution.
3. SQL Injection via Natural Language — Slide 12
Text-to-SQL systems where LLM-generated queries run without parameterization. CVE-2024-5565 in Vanna.AI: CVSS 9.2, RCE via the database host.
4. SSRF & Path Traversal — Slide 13
LLM-generated URLs forwarded server-side, or file paths used without validation. Reaches cloud metadata endpoints, internal services, and sensitive OS files.
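The common fix across all four slides is the same: treat model output as untrusted input at the point where it meets a downstream sink. The following Python is an added example written for these notes, not code from the slides or from any of the projects named above. It shows one defensive handler per sink: HTML-encoding for the browser (slide 10), parsing model output as JSON data instead of eval()/exec() (slide 11; it does not build a sandbox, it avoids execution entirely), a parameterized query where the model supplies only a value (slide 12), and a host allowlist plus base-directory containment check for URLs and paths (slide 13). The sample model outputs, the `api.example.com` allowlist, the `/srv/app/files` base directory and the in-memory `orders` table are all constructed for the demonstration.

```python
"""Defensive handling of LLM output before it reaches four downstream sinks.
Added example for these slide notes; names and sample data are constructed."""
import html
import json
import posixpath
import sqlite3
from typing import Optional
from urllib.parse import urlparse

# Constructed samples of what an untrusted model might emit for each sink.
SAMPLE_HTML_OUTPUT = 'Your order is ready <img src=x onerror="alert(1)">'
SAMPLE_CODE_OUTPUT = '__import__("os").system("id")'
SAMPLE_SQL_INTENT = '{"customer_id": "42 OR 1=1"}'
SAMPLE_URL_OUTPUT = "http://169.254.169.254/latest/meta-data/"
SAMPLE_PATH_OUTPUT = "../../etc/passwd"


# Slide 10 (XSS): model text is data, so encode it before it becomes markup.
def render_llm_text(text: str) -> str:
    return html.escape(text, quote=True)


# Slide 11 (code injection): never pass model output to eval()/exec().
# If the application needs structured data, parse it strictly as JSON and
# reject anything that is not a plain object.
def parse_llm_json(text: str) -> Optional[dict]:
    try:
        value = json.loads(text)
    except json.JSONDecodeError:
        return None
    return value if isinstance(value, dict) else None


# Slide 12 (SQL injection): the application owns the query text; the model
# only supplies a bound parameter value, which the driver never interprets.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "42", 10.0), (2, "43", 20.0), (3, "44", 30.0)],  # constructed rows
    )
    return conn


def orders_for_customer(conn: sqlite3.Connection, llm_json_text: str) -> list:
    intent = parse_llm_json(llm_json_text)
    if intent is None or not isinstance(intent.get("customer_id"), str):
        return []
    # "42 OR 1=1" is compared literally against customer_id and matches nothing.
    return conn.execute(
        "SELECT id, total FROM orders WHERE customer_id = ?",
        (intent["customer_id"],),
    ).fetchall()


# Slide 13a (SSRF): only https to an explicit host allowlist; literal IP
# addresses never pass, which covers 169.254.169.254 and RFC 1918 ranges.
ALLOWED_HOSTS = {"api.example.com"}  # constructed allowlist


def is_safe_outbound_url(url: str) -> bool:
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    if host.replace(".", "").isdigit() or ":" in host:
        return False  # IPv4 or IPv6 literal
    return host in ALLOWED_HOSTS


# Slide 13b (path traversal): join onto a fixed base, normalise, and require
# the result to remain inside that base directory.
BASE_DIR = "/srv/app/files"  # constructed base directory


def safe_file_path(requested: str) -> Optional[str]:
    if requested.startswith("/") or "\x00" in requested:
        return None
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, requested))
    if resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/"):
        return resolved
    return None


if __name__ == "__main__":
    db = setup_db()
    print(render_llm_text(SAMPLE_HTML_OUTPUT))
    print(parse_llm_json(SAMPLE_CODE_OUTPUT))
    print(orders_for_customer(db, '{"customer_id": "42"}'), orders_for_customer(db, SAMPLE_SQL_INTENT))
    print(is_safe_outbound_url(SAMPLE_URL_OUTPUT), is_safe_outbound_url("https://api.example.com/v1"))
    print(safe_file_path(SAMPLE_PATH_OUTPUT), safe_file_path("reports/q1.txt"))
```

The URL check validates the hostname string only; in a real fetch path the address resolved at connect time also has to be checked (or the request routed through an egress proxy), otherwise a DNS answer pointing at an internal range bypasses the allowlist. Likewise the path check assumes POSIX separators; on a filesystem that also honours backslashes or symlinks, resolve the real path with `os.path.realpath` before comparing against the base.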