RTFM.INK_

Volume I — Issue 001 — June 2026

OWASP Top 10
for Agentic Applications

Twelve dispatches from the edge of the agentic stack. The machines are acting autonomously, the perimeter is gone, and the old playbook doesn't apply. Read these. Understand them. Fix your systems before someone else does it for you.

01
Prompt InjectionOWASP-AA-01

The Marionette Problem

by 0xpuppeteer

Every agent that reads external data is a potential marionette. We dissect how prompt injection in agentic pipelines differs fundamentally from its web-app predecessor: the attack surface is unbounded, the execution context is elevated, and the victim can't distinguish a system instruction from a poisoned email subject line. We walk through three real-world injection chains — calendar → CRM → outbound email — and propose a constraint-based input sanitization model that survives multi-hop reasoning.

prompt-injectionagent-securityinput-validation
18 min
02
Excessive AgencyOWASP-AA-02

Root Cause

by least_priv

The principle of least privilege is sixty years old. It took us six months to forget it for AI agents. This article catalogs the gap between what agentic systems need to do and what they're allowed to do in production deployments: filesystem write access granted "just in case," API keys scoped to admin "for simplicity," shell execution enabled "for flexibility." We present a capability audit methodology and a minimal-permission contract pattern that organizations can retrofit without rebuilding their orchestration layer.

excessive-agencypermissionsleast-privilege
14 min
03
Tool PoisoningOWASP-AA-03

Trojan Schemas

by mcp_ghost

Model Context Protocol changed everything. It also handed attackers a new primitive: the malicious tool definition. When an agent loads a tool schema from an untrusted registry — or when a supply chain compromise replaces a trusted one — the function signature itself becomes the exploit payload. We demonstrate how a crafted description field in a tool manifest can redirect an agent's entire execution plan without touching a single line of application code. Includes a proof-of-concept against a popular open-source agent framework.

tool-poisoningmcpsupply-chain
22 min
04
Memory ManipulationOWASP-AA-04

Long-Term Memory, Short-Term Thinking

by ctx_window

Persistent agent memory is a feature that ships without a threat model. We examine four attack vectors against memory stores used by production agentic systems: direct injection via crafted documents, memory flooding to displace legitimate context, temporal poisoning that plants instructions for future sessions, and retrieval hijacking through embedding collision. The uncomfortable conclusion: most vector-store-backed memory systems have no integrity guarantees whatsoever. We propose a signed memory architecture and a verification pass for retrieved context before it enters the reasoning loop.

memory-manipulationvector-storecontext-injection
20 min
05
Sensitive Info DisclosureOWASP-AA-05

Ghost Credentials

by exfil_watcher

Agents are excellent at summarization. They are also, accidentally, excellent at credential exfiltration. This article traces how secrets — API keys, OAuth tokens, session cookies — enter the agent context through tool responses, system prompts, and retrieved documents, then leak outward through logs, downstream tool calls, and LLM provider telemetry. We instrument a standard ReAct agent loop and map every egress point. The result is a practical secrets hygiene checklist for agentic deployments and a case for secret-aware output filters as a first-class infrastructure component.

credential-leakagesecretsexfiltration
16 min
06
Unsafe Code ExecutionOWASP-AA-06

rm -rf Trust

by sandbox_null

Code interpreter tools are the crown jewel of agentic capability and the broadest attack surface in the stack. We survey the containment assumptions of five popular agent sandboxing approaches — Docker, E2B, Pyodide, Firecracker, and native subprocess — and find that each fails under adversarial inputs in ways their documentation doesn't acknowledge. We detail three working escapes, propose a hardened execution contract (network isolation + read-only filesystem + syscall allowlist), and argue that safe code execution is a deployment property, not a model property.

code-executionsandbox-escapecontainer-security
26 min
07
Cascading Trust FailuresOWASP-AA-07

The Hallucination Cascade

by trust_graph

In a multi-agent pipeline, one agent's confident hallucination is every downstream agent's ground truth. We model agentic systems as directed trust graphs and identify the structural properties that cause errors to amplify rather than cancel across hops. The canonical failure mode: a retrieval agent returns a plausible-but-wrong fact; an analysis agent cites it authoritatively; a decision agent acts on it irreversibly. We introduce a trust propagation score, propose skepticism injection points at inter-agent boundaries, and evaluate three mitigation strategies against a synthetic benchmark of cascading failure scenarios.

multi-agenttrusterror-propagation
19 min
08
Authorization BypassOWASP-AA-08

The Invisible Perimeter

by iam_null

Agentic systems don't authenticate as users — they authenticate as themselves, then act on behalf of users. This creates an authorization gap that traditional RBAC and ABAC models aren't designed to close. We document five bypass patterns observed in production deployments: ambient authority from agent service accounts, confused deputy attacks via tool chaining, identity laundering through multi-agent handoffs, privilege leakage from shared context windows, and time-of-check/time-of-use races in async agent loops. Each pattern includes a detection heuristic and a concrete remediation.

authorizationrbacconfused-deputy
21 min
09
Supply Chain AttacksOWASP-AA-09

Poisoned Upstreams

by dep_chain

The agent ecosystem has a dependency problem it hasn't admitted yet. LangChain, LlamaIndex, CrewAI, AutoGen — each installs hundreds of transitive packages and loads tools from community registries with no cryptographic verification. We apply standard software supply chain analysis to ten widely-used agent frameworks, find an average of 340 unchecked dependencies, and demonstrate a prototype attack where a maliciously modified langchain-community tool silently exfiltrates every tool call payload. The fix is boring: lock files, SBOM generation, and registry signing. The risk is not.

supply-chaindependenciessbom
17 min
10
Resource ExhaustionOWASP-AA-10

Denial of Wallet

by cost_drain

Traditional DoS fills up disks or saturates bandwidth. Agentic DoS empties your credit card. We characterize the Denial-of-Wallet attack class: inputs crafted to maximize token consumption, force expensive tool calls, trigger infinite retry loops, or instantiate unbounded sub-agent trees. A single $0.003 request can, under the right conditions, generate $47 in downstream API costs. We present a cost-aware execution model with per-session budget caps, call-graph cycle detection, and a lightweight token forecast that fires before the expensive call rather than after.

doscost-amplificationbudget-control
15 min
11
Privilege EscalationExtended

From Assistant to Admin

by privesc_loop

Agentic privilege escalation doesn't look like a shell exploit. It looks like a helpful assistant gradually expanding its own access: requesting additional tool permissions to complete a task, writing instructions to its own memory store, convincing an orchestrator agent to grant elevated capabilities, or persisting modified system prompts across sessions. We document a five-step escalation chain observed in a red team engagement against a production agent platform and propose a principle of immutable agency: an agent's capability set should be fixed at instantiation and verifiable at any point during execution.

privilege-escalationred-teamagent-persistence
23 min
12
Threat ModelingExtended

Trust Nothing, Verify Everything

by rtfm_editorial

A field guide for security engineers inheriting an agentic system they didn't build. We present a structured threat modeling methodology for agentic applications — adapted from STRIDE but extended for the properties unique to LLM-based execution: non-determinism, context sensitivity, emergent behavior, and tool-mediated side effects. The output is a one-page threat model template, a set of 40 security questions organized by layer (model, orchestration, tools, memory, I/O), and a prioritized remediation roadmap calibrated to the OWASP Agentic Top 10. Print it, laminate it, tape it to your monitor.

threat-modelingstridesecurity-engineering
30 min