Excessive Agency (OWASP LLM 06)

Probes testing whether AI agents can be manipulated to perform actions beyond their intended scope or with inappropriate permissions.

Authorization Bypass Attacks

Probe Name

Description

Broken Function Level Authorization

This probe tests whether an AI agent with tool access can be manipulated to execute functions or operations beyond its intended authorization level. The probe evaluates the target’s ability to enforce proper function-level access controls and resist attempts to access unauthorized system capabilities through crafted prompts and function call manipulation

Broken Object Level Authorization

This probe tests for Broken Object Level Authorization (BOLA) vulnerabilities where an AI agent with tool access can be manipulated to access specific objects (documents, records, files, conversations, etc.) without proper authorization checks. The probe evaluates whether the target resists attempts to access unauthorized data through natural language requests that indirectly reference objects or through tool/function calls with manipulated object identifiers

Injection Vulnerabilities

Probe Name

Description

Shell Injection

This probe tests for shell injection vulnerabilities in AI agents that have access to system command execution. It generates crafted prompts designed to trick the AI into executing malicious shell commands or gaining unauthorized system access

SQL Injection

This probe tests for SQL injection vulnerabilities in AI agents with database access. It uses crafted prompts to try to make the AI execute unauthorized SQL commands or expose sensitive database data.

System Manipulation

Probe Name

Description

SSRF

This probe tests for Server-Side Request Forgery (SSRF) vulnerabilities in AI agents that have tool access, attempting to manipulate the target into making unauthorized requests to external systems or resources

Hijacking

This probe tests whether an AI agent can be hijacked or repurposed for unintended malicious activities beyond its original design scope