π° Originally published on Securityelites β AI Red Team Education β the canonical, fully-updated version of this article.
π€ AI/LLM HACKING COURSE
FREE
Part of the AI/LLM Hacking Course β 90 Days
Day 10 of 90 Β· 11.1% complete
β οΈ Authorised Targets Only: Testing LLM06 excessive agency β including redirecting agent tool use β must only be performed against systems you have explicit written authorisation to test. Never trigger real email sends, file modifications, or API calls against production systems or real user data during testing. Use Burp Collaborator or your own test endpoints for out-of-band confirmation. SecurityElites.com accepts no liability for misuse.
On an enterprise red team engagement three years ago, I was testing an internal AI productivity assistant that the company had deployed to help employees manage their workloads. It could read and send emails, create calendar events, access the companyβs file share, and query the internal HR system. The intention was to make it a genuine productivity multiplier. It was. I sent it one carefully crafted prompt injection via a document it was asked to summarise, and within sixty seconds it had sent a summary of the target employeeβs recent emails to an external address, created a calendar placeholder that blocked their schedule, and queried the HR system for their direct reportsβ contact information. Every action was within its granted permissions. None were within the userβs intention.
LLM06 Excessive Agency is the OWASP category that explains why the permission scope of an AI agent matters as much as β arguably more than β any technical security control applied to it. The agent does exactly what it is told, by whoever can tell it convincingly enough. Prompt injection is what does the convincing. Excessive permissions are what makes the consequences matter. Day 10 covers every aspect of LLM06: how to map agent permissions, how to test tool hijacking via injection, how to calculate the maximum real-world impact, and how to write findings that make clients immediately reduce their agentsβ permission sets.
π― What Youβll Master in Day 10
Map AI agent tool permissions and identify the excessive agency gap
Enumerate agent capabilities via system prompt extraction and direct probing
Execute direct tool hijacking via prompt injection payloads
Execute indirect tool hijacking via document and email injection chains
Assess human-in-the-loop confirmation controls and identify bypass paths
Calculate CVSS for the LLM01 + LLM06 chain and write the maximum-impact finding
β±οΈ Day 10 Β· 3 exercises Β· Think Like Hacker + Browser + Kali Terminal ### β Prerequisites - Day 4 β LLM01 Prompt Injection β the injection techniques that direct agent tool use; LLM06 without LLM01 is a configuration finding, not an active exploit - Day 5 β Indirect Injection β indirect LLM06 chains (document-to-agent-action) build directly on Day 5βs methodology - Burp Collaborator access β tool hijacking confirmation uses out-of-band callbacks when direct observation is not possible ### π LLM06 Excessive Agency β Day 10 Contents 1. The Excessive Agency Gap β Granted vs Required Permissions 2. Tool Enumeration β Finding What the Agent Can Do 3. Direct Tool Hijacking via Prompt Injection 4. Indirect Tool Hijacking β The Document-to-Action Chain 5. Human-in-the-Loop Controls and Bypass Assessment 6. CVSS Scoring and Maximum Impact Calculation Day 9 was about what the AI produces β XSS, RCE, SSRF via unencoded output. Day 10 is about what the AI does. Real-world actions an over-privileged agent takes when injection redirects its tool use. LLM05 and LLM06 together cover the two ways AI output becomes a weapon: through what it says, and through what it causes to happen.
The Excessive Agency Gap β Granted vs Required Permissions
Every AI agent has a stated purpose β what it was built to do β and a granted permission set β what itβs technically capable of. The gap between those two is the LLM06 risk surface. An agent built to answer product return questions doesnβt need email access, calendar control, or file system permissions. If it has them anyway, every user interaction is a potential injection point for redirecting those capabilities.
The gap exists for understandable reasons. Developers building AI agents want them useful and often add capabilities speculatively β βwe might need email integration later.β Product managers add features without running security reviews. Adding a new tool is literally one line in the tool list. No friction. No checkpoint. The security implication of each additional permission never comes up until it does.
PERMISSION GAP ANALYSIS β GRANTED VS REQUIREDCopy
Example: Customer Service AI for an e-commerce company
STATED PURPOSE: Answer questions about orders and returns
Required permissions:
READ: orders table for current user only
READ: product catalogue (public)
READ: return policy documents
GRANTED PERMISSIONS (excessive):
READ: entire orders table (all customers) β IDOR risk
READ/WRITE: customer records β data modification risk
SEND: emails from support@company.com β phishing/exfiltration risk
EXECUTE: refund API (any order, any amount) β financial fraud risk
READ: internal pricing and margin data β confidential data risk
EXCESSIVE AGENCY SURFACE = granted β required
All customersβ orders + Write access + Email + Refunds + Internal data
β Each of these is a tool-hijacking attack surface
Maximum impact via injection:
Read competitor intelligence from internal pricing
Send phishing emails from legitimate company address
Issue fraudulent refunds
CVSS: 9.8 Critical β board-level finding
π Read the complete guide on Securityelites β AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites β AI Red Team Education β
This article was originally written and published by the Securityelites β AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites β AI Red Team Education.
Top comments (0)