OWASP Agentic AI Top 10 — Offensive Expansion
B9 handed you the defense checklist. This is the red-team playbook for every row. Each OWASP ASI risk (ASI01–ASI10) expanded into its full offensive attack procedure — the attack in depth, real-world exploitation, the evasion techniques that defeat the standard defenses, and the chaining that turns a single-row finding into a compound impact.
Every OWASP ASI defense has a known evasion, and the evasion is almost always the indirect channel the defense's test does not exercise. ASI01's taint gate is tested against direct injection and bypassed by injection-through-tool-output. ASI03's capability enumeration proves minimality and misses the load-bearing capability a benign task requires. ASI05's path normalization stops `../` and misses the semantic-path-confusion in the tool description. The pattern: the test verifies the control on the direct surface; the attacker arrives on the indirect surface the test never touched. This is why B9's per-row tests PASS and real engagements still produce findings — the gap is between the test and the adversary.
The two MEASURED rows (ASI01, ASI06) are not the only probabilistic surfaces — they are the only rows where the standard admits it. Every row has a residual. The ASI08 supply-chain row reports PASS/FAIL on signed manifests but a typosquatted package with a valid signature still installs. The ASI05 tool-abuse row reports PASS on schema validation but an ambiguous tool description still routes to the wrong tool. Treating the eight PASS/FAIL rows as fully closed is the offense team's first opening — the deterministic test closed one vector, not the class.
The offensive value of the Top 10 is the chaining across rows, not the exploitation of any single row. ASI07 (insecure output handling) feeds ASI01 (goal hijacking) feeds ASI05 (tool abuse) feeds ASI03 (excessive agency) — a single injected tool output becomes a goal hijack becomes a privileged tool call becomes an action beyond the agent's legitimate scope. B9 tests rows in isolation and reports eight PASS; the attacker reads the same eight PASS and chains across the boundaries the isolation created. The compound is the finding; the row is the entry point.
This deep-dive is the offensive companion to B9 — read both, in order, and the gap between 'the control passed its test' and 'the system holds under an adversary' becomes the entire engagement. B9 is what the builder verifies. SDD-B01 is what the red team runs against a system that passed B9. A row that PASSed B9 and FAILed the offensive expansion is not a contradiction — it is the definition of a residual the deterministic test cannot express.