owasp

package
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2026 License: MIT Imports: 15 Imported by: 0

README

OWASP LLM Compliance Testing Framework

This package provides a comprehensive testing framework for evaluating LLM compliance with the OWASP Top 10 for Large Language Model Applications.

Overview

The OWASP LLM Compliance Testing Framework allows you to:

  1. Test LLM providers and models against the OWASP Top 10 vulnerabilities
  2. Generate detailed compliance reports in multiple formats
  3. Create custom test cases for specific vulnerability types
  4. Use mock LLM providers for testing without API costs
  5. Integrate with the existing reporting system

OWASP Top 10 for LLMs (2023-2024)

The framework tests for the following vulnerabilities:

  1. LLM01: Prompt Injection - Manipulating LLM behavior through crafted inputs
  2. LLM02: Insecure Output Handling - Failing to properly validate or sanitize LLM outputs
  3. LLM03: Training Data Poisoning - Compromising model behavior through tainted training data
  4. LLM04: Model Denial of Service - Exploiting resource constraints to cause service disruption
  5. LLM05: Supply Chain Vulnerabilities - Weaknesses in model development and deployment pipeline
  6. LLM06: Sensitive Information Disclosure - Leaking private data through model responses
  7. LLM07: Insecure Plugin Design - Vulnerabilities in LLM plugin architecture
  8. LLM08: Excessive Agency - Granting LLMs too much autonomy or authority
  9. LLM09: Overreliance - Excessive trust in LLM outputs without verification
  10. LLM10: Model Theft - Extracting model weights or architecture through attacks

Usage

Command Line Interface

The framework provides a command-line interface for running tests:

# Run a comprehensive OWASP compliance test
LLMrecon owasp test --provider=mock --model=mock-llm-model --format=json --output=report.json

# Test for a specific vulnerability
LLMrecon owasp vulnerability --vulnerability=prompt_injection --provider=mock --model=mock-llm-model --format=json --output=report.json

# Create a mock provider configuration
LLMrecon owasp mock create --output=mock-config.json
Programmatic Usage

You can also use the framework programmatically in your Go code:

package main

import (
	"context"
	"fmt"

	"github.com/perplext/LLMrecon/src/provider/core"
	"github.com/perplext/LLMrecon/src/reporting"
	"github.com/perplext/LLMrecon/src/testing/owasp"
	"github.com/perplext/LLMrecon/src/vulnerability/detection"
)

func main() {
	// Create context
	ctx := context.Background()

	// Create mock provider
	provider := owasp.NewMockLLMProvider(nil)

	// Create detection engine
	detectionFactory := detection.NewFactory()
	detectionEngine := detectionFactory.CreateDetectionEngine()

	// Create report generator
	reportGenerator := reporting.NewDefaultReportGenerator()

	// Create test runner
	testRunner := owasp.NewDefaultTestRunner(detectionEngine, reportGenerator)

	// Create test case factory
	testCaseFactory := owasp.NewDefaultTestCaseFactory()

	// Create test suite
	testSuite := testCaseFactory.CreateTestSuite(
		"owasp-llm-compliance",
		"OWASP LLM Compliance Test Suite",
		"A comprehensive test suite for testing compliance with the OWASP Top 10 for LLMs",
	)

	// Run test suite
	results, err := testRunner.RunTestSuite(ctx, testSuite, provider, "mock-llm-model")
	if err != nil {
		fmt.Printf("Error running test suite: %v\n", err)
		return
	}

	// Generate report
	options := &reporting.ReportOptions{
		Title:       "OWASP LLM Compliance Report",
		Description: "Compliance report for mock-llm-model against OWASP Top 10 for LLMs",
		Format:      reporting.JSONFormat,
		OutputFile:  "report.json",
	}

	report, err := testRunner.GenerateReport(ctx, results, options)
	if err != nil {
		fmt.Printf("Error generating report: %v\n", err)
		return
	}

	fmt.Printf("Report generated: %s\n", report.Title)
}

Architecture

The framework consists of the following components:

  1. Test Cases - Individual tests for specific vulnerabilities
  2. Test Suites - Collections of test cases
  3. Test Runner - Executes test cases against LLM providers
  4. Mock LLM Provider - Simulates LLM responses for testing
  5. Test Case Factory - Creates test cases for different vulnerabilities
  6. Reporting Integration - Generates compliance reports

Creating Custom Test Cases

You can create custom test cases using the builder pattern:

builder := owasp.NewTestCaseBuilder()
testCase, err := builder.
    WithID("custom-test-1").
    WithName("Custom Test Case").
    WithDescription("A custom test case for XYZ vulnerability").
    WithVulnerabilityType(owasp.PromptInjection).
    WithSeverity(detection.High).
    WithPrompt("Your test prompt here").
    WithExpectedBehavior("The LLM should not...").
    WithDetectionCriteria([]detection.DetectionCriteria{
        {
            Type:  detection.StringMatch,
            Match: "sensitive data",
        },
    }).
    WithTags([]string{"custom", "prompt-injection"}).
    WithOWASPMapping("LLM01").
    Build()

Mock LLM Provider

The framework includes a mock LLM provider for testing without using real API calls:

// Create mock provider
provider := owasp.NewMockLLMProvider(nil)

// Configure vulnerable responses
provider.SetVulnerableResponses(map[string]string{
    "test-case-1": "This is a vulnerable response for test case 1",
    "test-case-2": "This is a vulnerable response for test case 2",
})

// Set default response
provider.SetDefaultResponse("Default response")

// Set response delay to simulate latency
provider.SetResponseDelay(100 * time.Millisecond)

// Set error rate (0.0 to 1.0)
provider.SetErrorRate(0.1)

Integration with Reporting System

The framework integrates with the existing reporting system to generate detailed compliance reports in multiple formats:

  • JSON
  • JSONL
  • CSV
  • Excel
  • HTML
  • PDF
  • Markdown
  • Text

Contributing

To contribute to the OWASP LLM Compliance Testing Framework:

  1. Add new test cases for emerging vulnerabilities
  2. Improve detection criteria for existing test cases
  3. Enhance the mock LLM provider capabilities
  4. Add support for additional LLM providers
  5. Extend the reporting system with new formats or metrics

License

This project is licensed under the same license as the main LLMrecon tool.

Documentation

Overview

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Package owasp provides a comprehensive testing framework for OWASP LLM compliance

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetFixtureBasedTestFactory

func GetFixtureBasedTestFactory() types.TestCaseFactory

GetFixtureBasedTestFactory returns a new fixture-based test factory

func RegisterFixtureBasedTestFactory

func RegisterFixtureBasedTestFactory()

RegisterFixtureBasedTestFactory registers the fixture-based test factory as the default test factory

Types

type DefaultReportGenerator

type DefaultReportGenerator struct{}

DefaultReportGenerator is the default implementation of the types.ReportGenerator interface

func NewDefaultReportGenerator

func NewDefaultReportGenerator() *DefaultReportGenerator

NewDefaultReportGenerator creates a new default report generator

func (*DefaultReportGenerator) GenerateReport

func (g *DefaultReportGenerator) GenerateReport(ctx context.Context, testSuites []*types.TestSuite, options *types.ReportOptions) (*types.Report, error)

GenerateReport generates a report from test results

type DefaultTestCaseBuilder

type DefaultTestCaseBuilder struct {
	// contains filtered or unexported fields
}

DefaultTestCaseBuilder is the default implementation of the TestCaseBuilder interface

func NewTestCaseBuilder

func NewTestCaseBuilder() *DefaultTestCaseBuilder

NewTestCaseBuilder creates a new test case builder

func (*DefaultTestCaseBuilder) Build

func (b *DefaultTestCaseBuilder) Build() (*TestCase, error)

Build builds the test case

func (*DefaultTestCaseBuilder) NewTestCase

func (b *DefaultTestCaseBuilder) NewTestCase() *TestCase

NewTestCase creates a new test case

func (*DefaultTestCaseBuilder) WithDescription

func (b *DefaultTestCaseBuilder) WithDescription(description string) TestCaseBuilder

WithDescription sets the description of the test case

func (*DefaultTestCaseBuilder) WithDetectionCriteria

func (b *DefaultTestCaseBuilder) WithDetectionCriteria(criteria []detection.DetectionCriteria) TestCaseBuilder

WithDetectionCriteria sets the detection criteria of the test case

func (*DefaultTestCaseBuilder) WithExpectedBehavior

func (b *DefaultTestCaseBuilder) WithExpectedBehavior(behavior string) TestCaseBuilder

WithExpectedBehavior sets the expected behavior of the test case

func (*DefaultTestCaseBuilder) WithID

WithID sets the ID of the test case

func (*DefaultTestCaseBuilder) WithMetadata

func (b *DefaultTestCaseBuilder) WithMetadata(metadata map[string]interface{}) TestCaseBuilder

WithMetadata sets the metadata of the test case

func (*DefaultTestCaseBuilder) WithName

func (b *DefaultTestCaseBuilder) WithName(name string) TestCaseBuilder

WithName sets the name of the test case

func (*DefaultTestCaseBuilder) WithOWASPMapping

func (b *DefaultTestCaseBuilder) WithOWASPMapping(mapping string) TestCaseBuilder

WithOWASPMapping sets the OWASP mapping of the test case

func (*DefaultTestCaseBuilder) WithPrompt

func (b *DefaultTestCaseBuilder) WithPrompt(prompt string) TestCaseBuilder

WithPrompt sets the prompt of the test case

func (*DefaultTestCaseBuilder) WithSeverity

WithSeverity sets the severity level of the test case

func (*DefaultTestCaseBuilder) WithTags

func (b *DefaultTestCaseBuilder) WithTags(tags []string) TestCaseBuilder

WithTags sets the tags of the test case

func (*DefaultTestCaseBuilder) WithVulnerabilityType

func (b *DefaultTestCaseBuilder) WithVulnerabilityType(vulnType VulnerabilityType) TestCaseBuilder

WithVulnerabilityType sets the vulnerability type of the test case

type DefaultTestCaseFactory

type DefaultTestCaseFactory struct {
	// contains filtered or unexported fields
}

DefaultTestCaseFactory is the default implementation of the TestCaseFactory interface

func NewDefaultTestCaseFactory

func NewDefaultTestCaseFactory() *DefaultTestCaseFactory

NewDefaultTestCaseFactory creates a new default test case factory

func (*DefaultTestCaseFactory) CreateExcessiveAgencyTestCases

func (f *DefaultTestCaseFactory) CreateExcessiveAgencyTestCases() []*types.TestCase

CreateExcessiveAgencyTestCases creates test cases for excessive agency

func (*DefaultTestCaseFactory) CreateInsecureOutputHandlingTestCases

func (f *DefaultTestCaseFactory) CreateInsecureOutputHandlingTestCases() []*types.TestCase

CreateInsecureOutputHandlingTestCases creates test cases for insecure output handling

func (*DefaultTestCaseFactory) CreateInsecurePluginDesignTestCases

func (f *DefaultTestCaseFactory) CreateInsecurePluginDesignTestCases() []*types.TestCase

CreateInsecurePluginDesignTestCases creates test cases for insecure plugin design

func (*DefaultTestCaseFactory) CreateModelDoSTestCases

func (f *DefaultTestCaseFactory) CreateModelDoSTestCases() []*types.TestCase

CreateModelDoSTestCases creates test cases for model denial of service

func (*DefaultTestCaseFactory) CreateModelTheftTestCases

func (f *DefaultTestCaseFactory) CreateModelTheftTestCases() []*types.TestCase

CreateModelTheftTestCases creates test cases for model theft

func (*DefaultTestCaseFactory) CreateOriginalExcessiveAgencyTestCases

func (f *DefaultTestCaseFactory) CreateOriginalExcessiveAgencyTestCases() []*TestCase

CreateOriginalExcessiveAgencyTestCases creates test cases for excessive agency

func (*DefaultTestCaseFactory) CreateOriginalInsecureOutputHandlingTestCases

func (f *DefaultTestCaseFactory) CreateOriginalInsecureOutputHandlingTestCases() []*TestCase

CreateOriginalInsecureOutputHandlingTestCases creates test cases for insecure output handling

func (*DefaultTestCaseFactory) CreateOriginalInsecurePluginDesignTestCases

func (f *DefaultTestCaseFactory) CreateOriginalInsecurePluginDesignTestCases() []*TestCase

CreateOriginalInsecurePluginDesignTestCases creates test cases for insecure plugin design

func (*DefaultTestCaseFactory) CreateOriginalModelDoSTestCases

func (f *DefaultTestCaseFactory) CreateOriginalModelDoSTestCases() []*TestCase

CreateOriginalModelDoSTestCases creates test cases for model denial of service

func (*DefaultTestCaseFactory) CreateOriginalModelTheftTestCases

func (f *DefaultTestCaseFactory) CreateOriginalModelTheftTestCases() []*TestCase

CreateOriginalModelTheftTestCases creates test cases for model theft

func (*DefaultTestCaseFactory) CreateOriginalOverrelianceTestCases

func (f *DefaultTestCaseFactory) CreateOriginalOverrelianceTestCases() []*TestCase

CreateOriginalOverrelianceTestCases creates test cases for overreliance

func (*DefaultTestCaseFactory) CreateOriginalPromptInjectionTestCases

func (f *DefaultTestCaseFactory) CreateOriginalPromptInjectionTestCases() []*TestCase

CreateOriginalPromptInjectionTestCases creates test cases for prompt injection

func (*DefaultTestCaseFactory) CreateOriginalSensitiveInfoDisclosureTestCases

func (f *DefaultTestCaseFactory) CreateOriginalSensitiveInfoDisclosureTestCases() []*TestCase

CreateOriginalSensitiveInfoDisclosureTestCases creates test cases for sensitive information disclosure

func (*DefaultTestCaseFactory) CreateOriginalSupplyChainVulnerabilitiesTestCases

func (f *DefaultTestCaseFactory) CreateOriginalSupplyChainVulnerabilitiesTestCases() []*TestCase

CreateOriginalSupplyChainVulnerabilitiesTestCases creates test cases for supply chain vulnerabilities

func (*DefaultTestCaseFactory) CreateOriginalTrainingDataPoisoningTestCases

func (f *DefaultTestCaseFactory) CreateOriginalTrainingDataPoisoningTestCases() []*TestCase

CreateOriginalTrainingDataPoisoningTestCases creates test cases for training data poisoning

func (*DefaultTestCaseFactory) CreateOverrelianceTestCases

func (f *DefaultTestCaseFactory) CreateOverrelianceTestCases() []*types.TestCase

CreateOverrelianceTestCases creates test cases for overreliance

func (*DefaultTestCaseFactory) CreatePromptInjectionTestCases

func (f *DefaultTestCaseFactory) CreatePromptInjectionTestCases() []*types.TestCase

CreatePromptInjectionTestCases creates test cases for prompt injection that implement the types.TestCase interface

func (*DefaultTestCaseFactory) CreateSensitiveInfoDisclosureTestCases

func (f *DefaultTestCaseFactory) CreateSensitiveInfoDisclosureTestCases() []*types.TestCase

CreateSensitiveInfoDisclosureTestCases creates test cases for sensitive information disclosure

func (*DefaultTestCaseFactory) CreateSupplyChainVulnerabilitiesTestCases

func (f *DefaultTestCaseFactory) CreateSupplyChainVulnerabilitiesTestCases() []*types.TestCase

CreateSupplyChainVulnerabilitiesTestCases creates test cases for supply chain vulnerabilities

func (*DefaultTestCaseFactory) CreateTestCasesForVulnerability

func (f *DefaultTestCaseFactory) CreateTestCasesForVulnerability(vulnerabilityType types.VulnerabilityType) ([]*types.TestCase, error)

CreateTestCasesForVulnerability creates test cases for a specific vulnerability type

func (*DefaultTestCaseFactory) CreateTestSuite

func (f *DefaultTestCaseFactory) CreateTestSuite(id string, name string, description string) *types.TestSuite

CreateTestSuite creates a test suite with all test cases

func (*DefaultTestCaseFactory) CreateTrainingDataPoisoningTestCases

func (f *DefaultTestCaseFactory) CreateTrainingDataPoisoningTestCases() []*types.TestCase

CreateTrainingDataPoisoningTestCases creates test cases for training data poisoning

type DefaultTestFactory

type DefaultTestFactory struct {
	// contains filtered or unexported fields
}

DefaultTestFactory is the default implementation of the TestFactory interface

func NewDefaultTestFactory

func NewDefaultTestFactory() *DefaultTestFactory

NewDefaultTestFactory creates a new default test factory

func (*DefaultTestFactory) CreateTestCase

func (f *DefaultTestFactory) CreateTestCase(vulnerabilityType types.VulnerabilityType, id string, name string, description string) (*types.TestCase, error)

CreateTestCase creates a new test case with the specified vulnerability type, ID, name, and description

func (*DefaultTestFactory) CreateTestSuite

func (f *DefaultTestFactory) CreateTestSuite(id string, name string, description string) (*types.TestSuite, error)

CreateTestSuite creates a new test suite with the specified ID, name, and description

func (*DefaultTestFactory) GetComplianceService

func (f *DefaultTestFactory) GetComplianceService() (interface{}, error)

GetComplianceService returns the registered compliance service

func (*DefaultTestFactory) GetValidator

func (f *DefaultTestFactory) GetValidator(vulnerabilityType types.VulnerabilityType) (interface{}, error)

GetValidator returns the validator for a specific vulnerability type

func (*DefaultTestFactory) RegisterComplianceService

func (f *DefaultTestFactory) RegisterComplianceService(service interface{}) error

RegisterComplianceService registers a compliance service

func (*DefaultTestFactory) RegisterValidator

func (f *DefaultTestFactory) RegisterValidator(validator interface{}) error

RegisterValidator registers a validator for a specific vulnerability type

type DefaultTestRunner

type DefaultTestRunner struct {
	// DetectionEngine is the engine for detecting vulnerabilities
	DetectionEngine detection.DetectionEngine
	// ReportGenerator is the generator for creating reports
	ReportGenerator types.ReportGenerator
	// Concurrency is the number of concurrent tests to run
	Concurrency int
	// MaxRetries is the maximum number of retries for failed tests
	MaxRetries int
	// RetryDelay is the delay between retries
	RetryDelay time.Duration
}

DefaultTestRunner is the default implementation of the types.TestRunner interface

func NewDefaultTestRunner

func NewDefaultTestRunner(detectionEngine detection.DetectionEngine, reportGenerator types.ReportGenerator) *DefaultTestRunner

NewDefaultTestRunner creates a new default test runner

func (*DefaultTestRunner) RunTest

func (r *DefaultTestRunner) RunTest(ctx context.Context, testCase *types.TestCase, provider core.Provider, model string) (*types.TestResult, error)

RunTest runs a single test case

func (*DefaultTestRunner) RunTestSuite

func (r *DefaultTestRunner) RunTestSuite(ctx context.Context, testSuite *types.TestSuite, provider core.Provider, model string) error

RunTestSuite runs a test suite

func (*DefaultTestRunner) ValidateTestCase

func (r *DefaultTestRunner) ValidateTestCase(testCase *types.TestCase) error

ValidateTestCase validates a test case

type DefaultTestSuiteBuilder

type DefaultTestSuiteBuilder struct {
	// contains filtered or unexported fields
}

DefaultTestSuiteBuilder is the default implementation of the TestSuiteBuilder interface

func NewTestSuiteBuilder

func NewTestSuiteBuilder() *DefaultTestSuiteBuilder

NewTestSuiteBuilder creates a new test suite builder

func (*DefaultTestSuiteBuilder) AddTestCase

func (b *DefaultTestSuiteBuilder) AddTestCase(testCase *TestCase) TestSuiteBuilder

AddTestCase adds a test case to the test suite

func (*DefaultTestSuiteBuilder) Build

func (b *DefaultTestSuiteBuilder) Build() (*TestSuite, error)

Build builds the test suite

func (*DefaultTestSuiteBuilder) NewTestSuite

func (b *DefaultTestSuiteBuilder) NewTestSuite() *TestSuite

NewTestSuite creates a new test suite

func (*DefaultTestSuiteBuilder) WithDescription

func (b *DefaultTestSuiteBuilder) WithDescription(description string) TestSuiteBuilder

WithDescription sets the description of the test suite

func (*DefaultTestSuiteBuilder) WithID

WithID sets the ID of the test suite

func (*DefaultTestSuiteBuilder) WithMetadata

func (b *DefaultTestSuiteBuilder) WithMetadata(metadata map[string]interface{}) TestSuiteBuilder

WithMetadata sets the metadata of the test suite

func (*DefaultTestSuiteBuilder) WithName

WithName sets the name of the test suite

func (*DefaultTestSuiteBuilder) WithTags

func (b *DefaultTestSuiteBuilder) WithTags(tags []string) TestSuiteBuilder

WithTags sets the tags of the test suite

func (*DefaultTestSuiteBuilder) WithTestCases

func (b *DefaultTestSuiteBuilder) WithTestCases(testCases []*TestCase) TestSuiteBuilder

WithTestCases sets the test cases of the test suite

type FixtureBasedTestCaseFactory

type FixtureBasedTestCaseFactory struct{}

FixtureBasedTestCaseFactory is an implementation of the TestCaseFactory interface that uses test fixtures

func NewFixtureBasedTestCaseFactory

func NewFixtureBasedTestCaseFactory() *FixtureBasedTestCaseFactory

NewFixtureBasedTestCaseFactory creates a new fixture-based test case factory

func (*FixtureBasedTestCaseFactory) CreateExcessiveAgencyTestCases

func (f *FixtureBasedTestCaseFactory) CreateExcessiveAgencyTestCases() []*types.TestCase

CreateExcessiveAgencyTestCases creates test cases for excessive agency

func (*FixtureBasedTestCaseFactory) CreateInsecureOutputHandlingTestCases

func (f *FixtureBasedTestCaseFactory) CreateInsecureOutputHandlingTestCases() []*types.TestCase

CreateInsecureOutputHandlingTestCases creates test cases for insecure output handling

func (*FixtureBasedTestCaseFactory) CreateInsecurePluginDesignTestCases

func (f *FixtureBasedTestCaseFactory) CreateInsecurePluginDesignTestCases() []*types.TestCase

CreateInsecurePluginDesignTestCases creates test cases for insecure plugin design

func (*FixtureBasedTestCaseFactory) CreateModelDoSTestCases

func (f *FixtureBasedTestCaseFactory) CreateModelDoSTestCases() []*types.TestCase

CreateModelDoSTestCases creates test cases for model denial of service

func (*FixtureBasedTestCaseFactory) CreateModelTheftTestCases

func (f *FixtureBasedTestCaseFactory) CreateModelTheftTestCases() []*types.TestCase

CreateModelTheftTestCases creates test cases for model theft

func (*FixtureBasedTestCaseFactory) CreateOverrelianceTestCases

func (f *FixtureBasedTestCaseFactory) CreateOverrelianceTestCases() []*types.TestCase

CreateOverrelianceTestCases creates test cases for overreliance

func (*FixtureBasedTestCaseFactory) CreatePromptInjectionTestCases

func (f *FixtureBasedTestCaseFactory) CreatePromptInjectionTestCases() []*types.TestCase

CreatePromptInjectionTestCases creates test cases for prompt injection

func (*FixtureBasedTestCaseFactory) CreateSensitiveInfoDisclosureTestCases

func (f *FixtureBasedTestCaseFactory) CreateSensitiveInfoDisclosureTestCases() []*types.TestCase

CreateSensitiveInfoDisclosureTestCases creates test cases for sensitive information disclosure

func (*FixtureBasedTestCaseFactory) CreateSupplyChainVulnerabilitiesTestCases

func (f *FixtureBasedTestCaseFactory) CreateSupplyChainVulnerabilitiesTestCases() []*types.TestCase

CreateSupplyChainVulnerabilitiesTestCases creates test cases for supply chain vulnerabilities

func (*FixtureBasedTestCaseFactory) CreateTestCasesForVulnerability

func (f *FixtureBasedTestCaseFactory) CreateTestCasesForVulnerability(vulnerabilityType types.VulnerabilityType) ([]*types.TestCase, error)

CreateTestCasesForVulnerability creates test cases for a specific vulnerability type

func (*FixtureBasedTestCaseFactory) CreateTestSuite

func (f *FixtureBasedTestCaseFactory) CreateTestSuite(id string, name string, description string) *types.TestSuite

CreateTestSuite creates a test suite with all test cases

func (*FixtureBasedTestCaseFactory) CreateTestSuiteForVulnerability

func (f *FixtureBasedTestCaseFactory) CreateTestSuiteForVulnerability(id string, name string, description string, vulnerabilityType types.VulnerabilityType) *types.TestSuite

CreateTestSuiteForVulnerability creates a test suite for a specific vulnerability type

func (*FixtureBasedTestCaseFactory) CreateTrainingDataPoisoningTestCases

func (f *FixtureBasedTestCaseFactory) CreateTrainingDataPoisoningTestCases() []*types.TestCase

CreateTrainingDataPoisoningTestCases creates test cases for training data poisoning

type MockLLMProvider

type MockLLMProvider interface {
	core.Provider
	// SetVulnerableResponses sets the vulnerable responses for specific test cases
	SetVulnerableResponses(vulnerableResponses map[string]string)
	// GetVulnerableResponse gets a vulnerable response for a specific test case
	GetVulnerableResponse(testCaseID string) (string, bool)
	// SetDefaultResponse sets the default response for test cases without specific vulnerable responses
	SetDefaultResponse(response string)
	// SetResponseDelay sets a delay for responses to simulate latency
	SetResponseDelay(delay time.Duration)
	// SetErrorRate sets the error rate for responses (0.0 to 1.0)
	SetErrorRate(rate float64)
	// ResetState resets the state of the mock provider
	ResetState()
}

MockLLMProvider is the interface for mock LLM providers used in testing

type MockLLMProviderImpl

type MockLLMProviderImpl struct {
	// Base provider implementation
	*core.BaseProvider
	// contains filtered or unexported fields
}

MockLLMProviderImpl is a mock implementation of the LLM provider for testing OWASP vulnerabilities

func NewMockLLMProvider

func NewMockLLMProvider(config *core.ProviderConfig) *MockLLMProviderImpl

NewMockLLMProvider creates a new mock LLM provider for testing

func (*MockLLMProviderImpl) ChatCompletion

ChatCompletion generates a chat completion

func (*MockLLMProviderImpl) CountTokens

func (p *MockLLMProviderImpl) CountTokens(ctx context.Context, text string, modelID string) (int, error)

CountTokens counts the number of tokens in a text

func (*MockLLMProviderImpl) CreateEmbedding

func (p *MockLLMProviderImpl) CreateEmbedding(ctx context.Context, request *core.EmbeddingRequest) (*core.EmbeddingResponse, error)

CreateEmbedding creates an embedding

func (*MockLLMProviderImpl) GetAllUsageMetrics

func (p *MockLLMProviderImpl) GetAllUsageMetrics() (map[string]*core.UsageMetrics, error)

GetAllUsageMetrics returns all usage metrics for the provider

func (*MockLLMProviderImpl) GetRateLimitConfig

func (p *MockLLMProviderImpl) GetRateLimitConfig() *core.RateLimitConfig

GetRateLimitConfig returns the rate limit configuration

func (*MockLLMProviderImpl) GetRetryConfig

func (p *MockLLMProviderImpl) GetRetryConfig() *core.RetryConfig

GetRetryConfig returns the retry configuration

func (*MockLLMProviderImpl) GetUsageMetrics

func (p *MockLLMProviderImpl) GetUsageMetrics(modelID string) (*core.UsageMetrics, error)

GetUsageMetrics returns the usage metrics for a specific model

func (*MockLLMProviderImpl) GetVulnerableResponse

func (p *MockLLMProviderImpl) GetVulnerableResponse(testCaseID string) (string, bool)

GetVulnerableResponse gets a vulnerable response for a specific test case

func (*MockLLMProviderImpl) ResetState

func (p *MockLLMProviderImpl) ResetState()

ResetState resets the state of the mock provider

func (*MockLLMProviderImpl) ResetUsageMetrics

func (p *MockLLMProviderImpl) ResetUsageMetrics() error

ResetUsageMetrics resets the usage metrics

func (*MockLLMProviderImpl) SetDefaultResponse

func (p *MockLLMProviderImpl) SetDefaultResponse(response string)

SetDefaultResponse sets the default response for test cases without specific vulnerable responses

func (*MockLLMProviderImpl) SetErrorRate

func (p *MockLLMProviderImpl) SetErrorRate(rate float64)

SetErrorRate sets the error rate for responses (0.0 to 1.0)

func (*MockLLMProviderImpl) SetResponseDelay

func (p *MockLLMProviderImpl) SetResponseDelay(delay time.Duration)

SetResponseDelay sets a delay for responses to simulate latency

func (*MockLLMProviderImpl) SetVulnerableResponses

func (p *MockLLMProviderImpl) SetVulnerableResponses(vulnerableResponses map[string]string)

SetVulnerableResponses sets the vulnerable responses for specific test cases

func (*MockLLMProviderImpl) StreamingChatCompletion

func (p *MockLLMProviderImpl) StreamingChatCompletion(ctx context.Context, request *core.ChatCompletionRequest, callback func(response *core.ChatCompletionResponse) error) error

StreamingChatCompletion generates a streaming chat completion

func (*MockLLMProviderImpl) TextCompletion

TextCompletion generates a text completion

func (*MockLLMProviderImpl) UpdateRateLimitConfig

func (p *MockLLMProviderImpl) UpdateRateLimitConfig(config *core.RateLimitConfig) error

UpdateRateLimitConfig updates the rate limit configuration

func (*MockLLMProviderImpl) UpdateRetryConfig

func (p *MockLLMProviderImpl) UpdateRetryConfig(config *core.RetryConfig) error

UpdateRetryConfig updates the retry configuration

type Report

type Report struct {
	// ID is the unique identifier for the report
	ID string
	// Title is the title of the report
	Title string
	// Summary is a summary of the report
	Summary string
	// GeneratedAt is when the report was generated
	GeneratedAt time.Time
	// TestSuites are the test suites included in the report
	TestSuites []*TestSuite
	// Results are the test results included in the report
	Results []*TestResult
	// Format is the format of the report
	Format string
	// OutputPath is the path where the report was written
	OutputPath string
	// Metadata is additional metadata included in the report
	Metadata map[string]interface{}
}

Report represents a generated report

type ReportGenerator

type ReportGenerator interface {
	// GenerateReport generates a report from test results
	GenerateReport(ctx context.Context, testSuites []*TestSuite, options *ReportOptions) (*Report, error)
}

ReportGenerator is the interface for generating reports

type ReportOptions

type ReportOptions struct {
	// Title is the title of the report
	Title string
	// Format is the format of the report
	Format string
	// OutputPath is the path to write the report to
	OutputPath string
	// IncludeDetails indicates whether to include detailed information
	IncludeDetails bool
	// IncludeRawResponses indicates whether to include raw responses
	IncludeRawResponses bool
	// IncludeMetadata indicates whether to include metadata
	IncludeMetadata bool
	// Metadata is additional metadata to include in the report
	Metadata map[string]interface{}
}

ReportOptions defines options for generating reports

type ReportingIntegration

type ReportingIntegration struct {
	ReportGenerator types.ReportGenerator
	TestRunner      types.TestRunner
	TestCaseFactory types.TestCaseFactory
}

ReportingIntegration provides integration with the reporting system

func NewReportingIntegration

func NewReportingIntegration(reportGenerator types.ReportGenerator, testRunner types.TestRunner, testCaseFactory types.TestCaseFactory) *ReportingIntegration

NewReportingIntegration creates a new reporting integration

func (*ReportingIntegration) GetComplianceScore

func (r *ReportingIntegration) GetComplianceScore(results []*types.TestResult) float64

GetComplianceScore calculates the compliance score for test results

func (*ReportingIntegration) GetSeverityBreakdown

func (r *ReportingIntegration) GetSeverityBreakdown(results []*types.TestResult) map[detection.SeverityLevel]int

GetSeverityBreakdown returns a breakdown of vulnerabilities by severity

func (*ReportingIntegration) GetVulnerabilityBreakdown

func (r *ReportingIntegration) GetVulnerabilityBreakdown(results []*types.TestResult) map[types.VulnerabilityType]int

GetVulnerabilityBreakdown returns a breakdown of vulnerabilities by type

func (*ReportingIntegration) RunOWASPComplianceTest

func (r *ReportingIntegration) RunOWASPComplianceTest(ctx context.Context, provider core.Provider, model string, outputFormat string, outputPath string) (*types.Report, error)

RunOWASPComplianceTest runs a comprehensive OWASP compliance test

func (*ReportingIntegration) RunOWASPVulnerabilityTest

func (r *ReportingIntegration) RunOWASPVulnerabilityTest(ctx context.Context, vulnerabilityType types.VulnerabilityType, provider core.Provider, model string, outputFormat string, outputPath string) (*types.Report, error)

RunOWASPVulnerabilityTest runs a test for a specific OWASP vulnerability

type TestCase

type TestCase struct {
	// ID is the unique identifier for the test case
	ID string `json:"id"`
	// Name is the name of the test case
	Name string `json:"name"`
	// Description is a description of the test case
	Description string `json:"description"`
	// VulnerabilityType is the type of vulnerability being tested
	VulnerabilityType VulnerabilityType `json:"vulnerability_type"`
	// Severity is the severity level of the vulnerability
	Severity detection.SeverityLevel `json:"severity"`
	// Prompt is the prompt to send to the LLM
	Prompt string `json:"prompt"`
	// ExpectedBehavior describes the expected behavior of the LLM
	ExpectedBehavior string `json:"expected_behavior"`
	// DetectionCriteria is the criteria for detecting the vulnerability
	DetectionCriteria []detection.DetectionCriteria `json:"detection_criteria"`
	// Tags are tags associated with the test case
	Tags []string `json:"tags"`
	// OWASPMapping is the mapping to the OWASP Top 10 for LLMs
	OWASPMapping string `json:"owasp_mapping"`
	// Metadata is additional metadata for the test case
	Metadata map[string]interface{} `json:"metadata,omitempty"`
}

TestCase represents a test case for OWASP LLM compliance testing

type TestCaseBuilder

type TestCaseBuilder interface {
	// NewTestCase creates a new test case
	NewTestCase() *TestCase
	// WithID sets the ID of the test case
	WithID(id string) TestCaseBuilder
	// WithName sets the name of the test case
	WithName(name string) TestCaseBuilder
	// WithDescription sets the description of the test case
	WithDescription(description string) TestCaseBuilder
	// WithVulnerabilityType sets the vulnerability type of the test case
	WithVulnerabilityType(vulnType VulnerabilityType) TestCaseBuilder
	// WithSeverity sets the severity level of the test case
	WithSeverity(severity detection.SeverityLevel) TestCaseBuilder
	// WithPrompt sets the prompt of the test case
	WithPrompt(prompt string) TestCaseBuilder
	// WithExpectedBehavior sets the expected behavior of the test case
	WithExpectedBehavior(behavior string) TestCaseBuilder
	// WithDetectionCriteria sets the detection criteria of the test case
	WithDetectionCriteria(criteria []detection.DetectionCriteria) TestCaseBuilder
	// WithTags sets the tags of the test case
	WithTags(tags []string) TestCaseBuilder
	// WithOWASPMapping sets the OWASP mapping of the test case
	WithOWASPMapping(mapping string) TestCaseBuilder
	// WithMetadata sets the metadata of the test case
	WithMetadata(metadata map[string]interface{}) TestCaseBuilder
	// Build builds the test case
	Build() (*TestCase, error)
}

TestCaseBuilder is the interface for building test cases

type TestCaseFactory

type TestCaseFactory interface {
	// CreatePromptInjectionTestCases creates test cases for prompt injection
	CreatePromptInjectionTestCases() []*TestCase
	// CreateInsecureOutputHandlingTestCases creates test cases for insecure output handling
	CreateInsecureOutputHandlingTestCases() []*TestCase
	// CreateTrainingDataPoisoningTestCases creates test cases for training data poisoning
	CreateTrainingDataPoisoningTestCases() []*TestCase
	// CreateModelDoSTestCases creates test cases for model denial of service
	CreateModelDoSTestCases() []*TestCase
	// CreateSupplyChainVulnerabilitiesTestCases creates test cases for supply chain vulnerabilities
	CreateSupplyChainVulnerabilitiesTestCases() []*TestCase
	// CreateSensitiveInfoDisclosureTestCases creates test cases for sensitive information disclosure
	CreateSensitiveInfoDisclosureTestCases() []*TestCase
	// CreateInsecurePluginDesignTestCases creates test cases for insecure plugin design
	CreateInsecurePluginDesignTestCases() []*TestCase
	// CreateExcessiveAgencyTestCases creates test cases for excessive agency
	CreateExcessiveAgencyTestCases() []*TestCase
	// CreateOverrelianceTestCases creates test cases for overreliance
	CreateOverrelianceTestCases() []*TestCase
	// CreateModelTheftTestCases creates test cases for model theft
	CreateModelTheftTestCases() []*TestCase
	// CreateTestSuite creates a test suite with all test cases
	CreateTestSuite(id string, name string, description string) *TestSuite
	// CreateTestCasesForVulnerability creates test cases for a specific vulnerability type
	CreateTestCasesForVulnerability(vulnerabilityType VulnerabilityType) ([]*TestCase, error)
}

TestCaseFactory is the interface for creating test cases

type TestResult

type TestResult struct {
	// TestCase is the test case that was executed
	TestCase *TestCase `json:"test_case"`
	// Provider is the provider that was tested
	Provider string `json:"provider"`
	// Model is the model that was tested
	Model string `json:"model"`
	// Prompt is the prompt that was sent to the LLM
	Prompt string `json:"prompt"`
	// Response is the response from the LLM
	Response string `json:"response"`
	// Passed indicates whether the test passed
	Passed bool `json:"passed"`
	// DetectionResults is the results of the vulnerability detection
	DetectionResults []*detection.DetectionResult `json:"detection_results"`
	// ExecutionTime is the time it took to execute the test
	ExecutionTime time.Duration `json:"execution_time"`
	// Timestamp is the time when the test was executed
	Timestamp time.Time `json:"timestamp"`
	// Notes are additional notes about the test result
	Notes string `json:"notes,omitempty"`
}

TestResult represents the result of a test case execution

type TestResultConverter

type TestResultConverter interface {
	// ConvertToReportingTestSuite converts test results to a reporting test suite
	ConvertToReportingTestSuite(ctx context.Context, results []*TestResult, suiteID string, suiteName string) (*reporting.TestSuite, error)
	// ConvertToReportingTestResult converts a test result to a reporting test result
	ConvertToReportingTestResult(ctx context.Context, result *TestResult) (*reporting.TestResult, error)
}

TestResultConverter is the interface for converting test results to reporting format

type TestRunner

type TestRunner interface {
	// RunTest runs a single test case and returns the result
	RunTest(ctx context.Context, testCase *TestCase, provider core.Provider, model string) (*TestResult, error)
	// RunTestSuite runs a test suite and returns the results
	RunTestSuite(ctx context.Context, testSuite *TestSuite, provider core.Provider, model string) ([]*TestResult, error)
	// RunTestSuites runs multiple test suites and returns the results
	RunTestSuites(ctx context.Context, testSuites []*TestSuite, provider core.Provider, model string) ([]*TestResult, error)
}

TestRunner is the interface for running tests

type TestSuite

type TestSuite struct {
	// ID is the unique identifier for the test suite
	ID string `json:"id"`
	// Name is the name of the test suite
	Name string `json:"name"`
	// Description is a description of the test suite
	Description string `json:"description"`
	// TestCases are the test cases in the suite
	TestCases []*TestCase `json:"test_cases"`
	// Results are the results of running the test cases
	Results []*TestResult `json:"results"`
	// Tags are tags associated with the test suite
	Tags []string `json:"tags,omitempty"`
	// Metadata is additional metadata for the test suite
	Metadata map[string]interface{} `json:"metadata,omitempty"`
}

TestSuite represents a suite of test cases

type TestSuiteBuilder

type TestSuiteBuilder interface {
	// NewTestSuite creates a new test suite
	NewTestSuite() *TestSuite
	// WithID sets the ID of the test suite
	WithID(id string) TestSuiteBuilder
	// WithName sets the name of the test suite
	WithName(name string) TestSuiteBuilder
	// WithDescription sets the description of the test suite
	WithDescription(description string) TestSuiteBuilder
	// WithTestCases sets the test cases of the test suite
	WithTestCases(testCases []*TestCase) TestSuiteBuilder
	// AddTestCase adds a test case to the test suite
	AddTestCase(testCase *TestCase) TestSuiteBuilder
	// WithTags sets the tags of the test suite
	WithTags(tags []string) TestSuiteBuilder
	// WithMetadata sets the metadata of the test suite
	WithMetadata(metadata map[string]interface{}) TestSuiteBuilder
	// Build builds the test suite
	Build() (*TestSuite, error)
}

TestSuiteBuilder is the interface for building test suites

type TestingEnvironment

type TestingEnvironment struct {
	TestRunner           types.TestRunner
	ReportGenerator      types.ReportGenerator
	TestCaseFactory      types.TestCaseFactory
	ReportingIntegration *compliance.ReportingIntegration
}

TestingEnvironment encapsulates all components needed for OWASP testing

func NewDefaultTestingEnvironment

func NewDefaultTestingEnvironment() *TestingEnvironment

NewDefaultTestingEnvironment creates a new testing environment with fixture-based components

type VulnerabilityType

type VulnerabilityType string

VulnerabilityType represents the type of vulnerability

const (
	PromptInjection                VulnerabilityType = "prompt_injection"
	InsecureOutput                 VulnerabilityType = "insecure_output"
	TrainingDataPoisoning          VulnerabilityType = "training_data_poisoning"
	ModelDOS                       VulnerabilityType = "model_dos"
	SupplyChainVulnerabilities     VulnerabilityType = "supply_chain_vulnerabilities"
	SensitiveInformationDisclosure VulnerabilityType = "sensitive_information_disclosure"
	InsecurePluginDesign           VulnerabilityType = "insecure_plugin_design"
	ExcessiveAgency                VulnerabilityType = "excessive_agency"
	Overreliance                   VulnerabilityType = "overreliance"
	ModelTheft                     VulnerabilityType = "model_theft"
	// Additional vulnerability types
	InsecureOutputHandling    VulnerabilityType = "insecure_output_handling"
	SystemPromptLeakage       VulnerabilityType = "system_prompt_leakage"
	VectorEmbeddingWeaknesses VulnerabilityType = "vector_embedding_weaknesses"
	Misinformation            VulnerabilityType = "misinformation"
	UnboundedConsumption      VulnerabilityType = "unbounded_consumption"
	ImproperOutputHandling    VulnerabilityType = "improper_output_handling"
	DataAndModelPoisoning     VulnerabilityType = "data_and_model_poisoning"
)

OWASP Top 10 LLM vulnerability types (simplified naming for internal use)

const (
	// LLM01: Prompt Injection
	PromptInjection2023 VulnerabilityType = "LLM01:2023_prompt_injection"
	// LLM02: Insecure Output Handling
	InsecureOutputHandling2023 VulnerabilityType = "LLM02:2023_insecure_output_handling"
	// LLM03: Training Data Poisoning
	TrainingDataPoisoning2023 VulnerabilityType = "LLM03:2023_training_data_poisoning"
	// LLM04: Model Denial of Service
	ModelDoS VulnerabilityType = "LLM04:2023_model_denial_of_service"
	// LLM05: Supply Chain Vulnerabilities
	SupplyChainVulnerabilities2023 VulnerabilityType = "LLM05:2023_supply_chain_vulnerabilities"
	// LLM06: Sensitive Information Disclosure
	SensitiveInfoDisclosure VulnerabilityType = "LLM06:2023_sensitive_information_disclosure"
	// LLM07: Insecure Plugin Design
	InsecurePluginDesign2023 VulnerabilityType = "LLM07:2023_insecure_plugin_design"
	// LLM08: Excessive Agency
	ExcessiveAgency2023 VulnerabilityType = "LLM08:2023_excessive_agency"
	// LLM09: Overreliance
	Overreliance2023 VulnerabilityType = "LLM09:2023_overreliance"
	// LLM10: Model Theft
	ModelTheft2023 VulnerabilityType = "LLM10:2023_model_theft"
)

OWASP Top 10 LLM vulnerabilities (2023-2024)

const (
	// LLM01: Prompt Injection
	PromptInjection2025 VulnerabilityType = "LLM01:2025_prompt_injection"
	// LLM02: Sensitive Information Disclosure
	SensitiveInfoDisclosure2025 VulnerabilityType = "LLM02:2025_sensitive_information_disclosure"
	// LLM03: Supply Chain
	SupplyChain2025 VulnerabilityType = "LLM03:2025_supply_chain"
	// LLM04: Data and Model Poisoning
	DataAndModelPoisoning2025 VulnerabilityType = "LLM04:2025_data_and_model_poisoning"
	// LLM05: Improper Output Handling
	ImproperOutputHandling2025 VulnerabilityType = "LLM05:2025_improper_output_handling"
	// LLM06: Excessive Agency
	ExcessiveAgency2025 VulnerabilityType = "LLM06:2025_excessive_agency"
	// LLM07: System Prompt Leakage
	SystemPromptLeakage2025 VulnerabilityType = "LLM07:2025_system_prompt_leakage"
	// LLM08: Vector and Embedding Weaknesses
	VectorEmbeddingWeaknesses2025 VulnerabilityType = "LLM08:2025_vector_embedding_weaknesses"
	// LLM09: Misinformation
	Misinformation2025 VulnerabilityType = "LLM09:2025_misinformation"
	// LLM10: Unbounded Consumption
	UnboundedConsumption2025 VulnerabilityType = "LLM10:2025_unbounded_consumption"
)

OWASP Top 10 LLM vulnerabilities (2025)

Directories

Path Synopsis
Package compliance provides mapping between test results and compliance standards
Package compliance provides mapping between test results and compliance standards
Package fixtures provides test fixtures for OWASP LLM vulnerabilities
Package fixtures provides test fixtures for OWASP LLM vulnerabilities
Package mocks provides mock implementations of LLM providers for OWASP testing
Package mocks provides mock implementations of LLM providers for OWASP testing
Package types provides common type definitions for the OWASP testing framework
Package types provides common type definitions for the OWASP testing framework
Package validation provides methods to validate and detect OWASP LLM vulnerabilities
Package validation provides methods to validate and detect OWASP LLM vulnerabilities
examples command
Package main provides an entry point for running the validation examples
Package main provides an entry point for running the validation examples

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL