The Top 10
- Broken Role & Tenant Boundaries (A1) — Cross-tenant leaks and role misuse after regen. Fix with server-side checks and per-tenant keys.
- Prompt Injection & Model Abuse (A2) — Unescaped AI output, model tools without guards. Fix with sanitization, tool whitelists, and refusal prompts.
- Secret & Config Exposure (A3) — Debug routes, .env echoes, log dumps. Fix by removing debug endpoints and scrubbing logs.
- Unverified Webhooks & Background Jobs (A4) — Missing signatures and replay protection. Fix with signature checks and idempotency keys.
- Regeneration Regressions (A5) — “Regenerate” removes CSRF or auth bindings. Fix with snapshot tests and post-regen gate checks.
- Weak Session & Token Handling (A6) — Tokens in localStorage, lax cookie flags, missing logout. Fix with httpOnly cookies and session rotation.
- Unsafe File Handling (A7) — Unscanned uploads, path traversal, public storage. Fix with presigned URLs, AV scanning, and private buckets.
- Insecure AI-Driven Actions (A8) — Model suggests server actions without policy. Fix with allowlists and server-side confirmations.
- Excessive Client Trust (A9) — Client-trusted pricing, feature flags, and org IDs. Fix with server validation and anti-tamper checks.
- Missing Observability & Alerting (A10) — No alerts on spikes, missing audit logs, blind to outbound calls. Fix with alerts and immutable audit trails.
How to Test Against This List
- Run Vibe-Eval Red Team Lite to probe A1–A4 with auth, injection, and webhook abuse.
- Add Regression Scan post-regen to catch A5 before merge.
- Use Upload/Storage pack for A7 path traversal and AV checks.
- Enable AI Action Guard pack to lock down A8 tool calls.
Cheat Sheet for Fixing Fast
- Add CSP, X-Frame-Options: DENY, and strict cookies globally.
- Strip HTML from model output; sanitize markdown; disallow inline scripts.
- Keep secrets out of context windows and vector stores.
- Threat model regen: assert CSRF, auth, and role checks exist after every regenerate.
- Log everything sensitive behind auth and rate-limit surfaces that touch money or data.
FAQ
How is this different from the traditional OWASP Top 10?
The traditional OWASP Top 10 focuses on classic web vulnerabilities like SQL injection and XSS. This AI-era version adds risks specific to AI-generated code: prompt injection, model abuse, regeneration regressions, and AI-driven actions. These new attack vectors didn’t exist before LLM-powered development tools.
What is a regeneration regression?
When you ask an AI coding tool to “regenerate” or “refactor” code, it may accidentally remove security controls like CSRF tokens, authentication checks, or input validation. These regressions happen because the AI doesn’t maintain security context across iterations. Always run security scans after code regeneration.
Which vulnerability should I fix first?
Start with A1 (Broken Role & Tenant Boundaries) and A3 (Secret Exposure) as these often lead to immediate data breaches. Then tackle A2 (Prompt Injection) if your app uses AI features. Use Vibe-Eval’s automated scans to prioritize based on your specific risk profile.
Key Takeaways
- AI-generated apps have unique vulnerabilities beyond traditional OWASP risks
- Regeneration regressions (A5) are a new attack surface—security controls disappear when code is regenerated
- Prompt injection (A2) is pervasive and requires both output sanitization and input filtering
- Most fixes are simple: middleware for auth, sanitization libraries, proper cookie flags
- Automated testing is essential—run Vibe-Eval scans weekly to catch regressions early
- Defense-in-depth works: combine CSP, sandboxing, least-privilege, and monitoring
- Don’t trust AI-generated security: Always validate auth, secrets management, and access controls