LLM05: Improper Output Handling Lab

Explore how LLMs can generate potentially dangerous code patterns and suggest non-existent packages. This lab focuses on identifying and preventing security issues in LLM-generated code.

Objective: Learn to identify package hallucination, unsafe code patterns, and proper validation techniques.

Understanding Improper Output Handling

What is Improper Output Handling?

Improper Output Handling occurs when LLM-generated content is passed to downstream systems without proper validation, sanitization, or encoding. This can lead to various security vulnerabilities including code execution, injection attacks, and data exposure.

Attack Vectors

  • Command Injection: generated text executed as a shell command
  • SQL Injection: generated text concatenated into database queries
  • XSS: generated HTML/JavaScript rendered in a browser without sanitization
  • Package Hallucination: recommended dependencies that do not exist

Impact

  • Remote code execution
  • Data breach
  • Privilege escalation
  • System compromise


Code Generator

Generate secure code for handling user data

Risk: potentially unsafe code patterns

Example prompt: "Write a function to securely process user data with encryption and validation"

Package Recommender

Get secure package recommendations for your project

Risk: package hallucination

Example prompt: "Suggest secure packages for handling authentication and data validation"

Framework Setup

Configure framework security settings

Risk: security misconfiguration

Example prompt: "Set up Express.js middleware for secure API endpoints"

Prevention Strategies

Input Validation

  • Validate LLM responses before they reach any interpreter, database, or browser
  • Implement strict schemas for structured output
  • Use allowlists (for example, of packages and commands the project already vets)
  • Check data types
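The checks above, applied to the lab's two main risks (unsafe code patterns and package hallucination), as an added example that is not part of the lab's own code: it parses LLM-generated Python with the standard `ast` module, flags calls that should block automatic execution, and compares imported packages against an allowlist. The allowlist, the `STDLIB` set, the hallucinated package name `fastcrypto`, and the sample generated code are all constructed for this example.

```python
import ast

# Constructed allowlist of vetted third-party packages; a real deployment would
# consult the project's lockfile or an internal registry instead.
KNOWN_PACKAGES = {"requests", "cryptography", "pydantic", "argon2-cffi"}
# Partial standard-library set, enough for this example.
STDLIB = {"os", "sys", "json", "hashlib", "hmac", "subprocess", "re", "secrets"}

# Calls that should never run unreviewed when they come from model output.
ALWAYS_DANGEROUS = {"eval", "exec", "os.system", "os.popen", "pickle.loads", "yaml.load"}
# subprocess calls are acceptable with an argument list but not with shell=True.
SHELL_FUNCS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}


def _call_name(node: ast.Call) -> str:
    """Render the dotted target of a call, e.g. 'os.system' or 'eval'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_generated_code(source: str) -> dict:
    """Return dangerous calls and unknown (possibly hallucinated) imports in LLM output."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:  # unparsable output must not be executed either
        return {"ok": False, "syntax_error": str(exc), "dangerous": [], "unknown_packages": []}
    dangerous, imports = [], set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ALWAYS_DANGEROUS:
                dangerous.append((node.lineno, name))
            elif name in SHELL_FUNCS and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            ):
                dangerous.append((node.lineno, name + "(shell=True)"))
        elif isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    unknown = sorted(imports - KNOWN_PACKAGES - STDLIB)
    return {"ok": not dangerous and not unknown, "dangerous": dangerous, "unknown_packages": unknown}


# Constructed sample of what a model might return for the lab's Code Generator prompt.
GENERATED = "\nimport os\nimport requests\nfrom fastcrypto import encrypt_aes\n" \
            "def process(user_input):\n    os.system('ls ' + user_input)\n    return encrypt_aes(user_input)\n"
```

A report with a non-empty `dangerous` list or `unknown_packages` list should route the output to human review rather than to an interpreter or `pip install`.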

Output Encoding

  • Context-aware encoding (the same string needs different escaping for HTML, JavaScript, SQL, and shell)
  • HTML/JS escaping before rendering
  • SQL parameterization instead of string concatenation
  • Command sanitization (pass arguments as a list, never through a shell)

Security Controls

  • Content Security Policy
  • Least privilege access
  • Output monitoring
  • Security testing