Module SDD-B01 — OWASP Agentic AI Top 10 — Offensive Expansion

OWASP Agentic AI Top 10 — Offensive Expansion

B9 handed you the defense checklist. This is the red-team playbook for every row. Each OWASP ASI risk (ASI01–ASI10) expanded into its full offensive attack procedure — the attack in depth, real-world exploitation, the evasion techniques that defeat the standard defenses, and the chaining that turns a single-row finding into a compound impact.

45
minutes
8
artifacts
3
sub-sections
B9 reads the OWASP Agentic Top 10 as a builder: one risk, one control, one test. This deep-dive reads it as an attacker: one risk, one attack procedure, the evasion that defeats the control, and the chain that crosses rows. The distinction is load-bearing. A taint gate that passes its ASI01 test in isolation is not a taint gate that survives an indirect-injection-through-tool-output that the harness marked trusted. A capability enumeration that proves minimality for ASI03 does not catch the load-bearing capability that survived minimization because a benign task needed it. Every defense B2–B8 builds has a gap between how it behaves on its test and how it behaves under an adversary who chains. This deep-dive is that adversary's playbook, one procedure per row, ASI01 through ASI10.
Key Claims
Load-Bearing Claims

Every OWASP ASI defense has a known evasion, and the evasion is almost always the indirect channel the defense's test does not exercise. ASI01's taint gate is tested against direct injection and bypassed by injection-through-tool-output. ASI03's capability enumeration proves minimality and misses the load-bearing capability a benign task requires. ASI05's path normalization stops `../` and misses the semantic-path-confusion in the tool description. The pattern: the test verifies the control on the direct surface; the attacker arrives on the indirect surface the test never touched. This is why B9's per-row tests PASS and real engagements still produce findings — the gap is between the test and the adversary.

The two MEASURED rows (ASI01, ASI06) are not the only probabilistic surfaces — they are the only rows where the standard admits it. Every row has a residual. The ASI08 supply-chain row reports PASS/FAIL on signed manifests but a typosquatted package with a valid signature still installs. The ASI05 tool-abuse row reports PASS on schema validation but an ambiguous tool description still routes to the wrong tool. Treating the eight PASS/FAIL rows as fully closed is the offense team's first opening — the deterministic test closed one vector, not the class.

The offensive value of the Top 10 is the chaining across rows, not the exploitation of any single row. ASI07 (insecure output handling) feeds ASI01 (goal hijacking) feeds ASI05 (tool abuse) feeds ASI03 (excessive agency) — a single injected tool output becomes a goal hijack becomes a privileged tool call becomes an action beyond the agent's legitimate scope. B9 tests rows in isolation and reports eight PASS; the attacker reads the same eight PASS and chains across the boundaries the isolation created. The compound is the finding; the row is the entry point.

This deep-dive is the offensive companion to B9 — read both, in order, and the gap between 'the control passed its test' and 'the system holds under an adversary' becomes the entire engagement. B9 is what the builder verifies. SDD-B01 is what the red team runs against a system that passed B9. A row that PASSed B9 and FAILed the offensive expansion is not a contradiction — it is the definition of a residual the deterministic test cannot express.

After This Module
01
For each of the ten OWASP ASI risks (ASI01–ASI10), state the full offensive attack procedure — the attack in depth, the real-world exploitation scenario, the evasion technique that defeats the standard defense, and the chaining that turns the single-row finding into compound impact.
02
Explain why every OWASP ASI defense has a known evasion, and why the evasion is almost always the indirect channel the defense's per-row test does not exercise — and connect this to why B9's per-row tests can all PASS while a real engagement still produces findings.
03
Construct the cross-row chains that turn single-row findings into compound impact — the ASI07→ASI01→ASI05→ASI03 chain, the ASI02→ASI04→ASI06 chain, the ASI08→ASI05→ASI10 chain — and explain why the compound is the finding, not the row.
04
Distinguish the two MEASURED rows (ASI01, ASI06) from the eight PASS/FAIL rows, and explain why treating the eight PASS/FAIL rows as fully closed is the offense team's first opening — the deterministic test closed one vector, not the class.
05
Translate each ASI row from a defense-checklist entry (B9) into a red-team attack procedure (SDD-B01), and articulate the precise gap between 'the control passed its B9 test' and 'the system holds under the offensive procedure' — the gap that defines the residual a B12 engagement must characterize.
Artifacts
01
Teaching Document
~3,400 words; 3 sub-sections — the input/state surface (ASI01/02/04/06 offensive expansion), the permission/tool surface (ASI03/05/08/10 offensive expansion), the output/resource surface + cross-row chaining (ASI07/09 + the compound chains); each risk gets attack-in-depth, scenario, evasion-vs-standard-defense, and chaining; with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the 10 risks as offensive surface (5 boundary clusters, attacker view), the evasion pattern (test-verified direct surface vs attacker-arrived indirect surface), three cross-row chains (ASI07→01→05→03, ASI02→04→06, ASI08→05→10), the B9-test-vs-SDD-B01-procedure gap, the compound-is-the-finding flow
READ
03
Slide Deck
12 slides — reveal.js, dark theme, design-system teal; covers the thesis (offense companion to B9), the evasion pattern, the input/state surface, the permission/tool surface, the output/resource surface, the three cross-row chains, the MEASURED-vs-PASS/FAIL residual honesty, anti-patterns, the lab
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~2,800 words spoken at ~140 wpm across 12 slide cues
READ
05
Flashcards
20 flashcards (TSV) — mix of recall and analysis; covers the evasion pattern, all 10 ASI offensive procedures, the three cross-row chains, the MEASURED honesty, the B9/SDD-B01 gap
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Run the Offensive Expansion Against a Hardened Sample Agent — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): execute one offensive procedure per ASI row against an agent that PASSED its B9 checklist, confirm which rows produce findings, then construct and execute the ASI07→ASI01→ASI05→ASI03 cross-row chain (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE