Slide 15 · Scenario 2 of 4
The LLM writes JavaScript. The browser runs it. The session is gone.
OWASP LLM05:2025 Scenario B, retold concretely.
OWASP SCENARIO B
JavaScript Generated by LLM Interpreted in a Browser
A content platform lets users ask an LLM to generate blog post drafts. The drafts are previewed in a rich-text editor that renders HTML. An attacker — a competing user or external actor — crafts a request that causes the model to include a hidden script tag in the draft. When the author previews the post, the script runs in their browser. The author’s editor session is hijacked. The attacker now has write access to the author’s published content.
Why it matters: The attack didn’t require a vulnerability in the editor software — just in how the application inserted LLM text into the DOM. A single call to innerHTML instead of textContent opened the door.
What Was Missing
→ LLM output inserted with innerHTML (not textContent or DOMPurify)
→ No Content Security Policy to block inline scripts
→ No server-side HTML sanitization before delivering to the client