OASB
v1.0
Controls/Input Security/3.5
L3 HardenedForward-looking

3.5 Multi-Modal Input Security

3. Input SecurityHow do we protect against malicious input?

Description

Non-text inputs (images, audio, documents) MUST be scanned for embedded malicious content.

Rationale

Attackers can embed prompt injections in images and PDFs that are invisible to humans.

Audit Procedure

1. Identify multi-modal input types
2. Check for file type validation
3. Test with images containing embedded instructions

Remediation

1. Implement file type validation using magic bytes
2. Use image sanitization
3. Implement OCR scanning
4. Sandbox document processing

Framework Mappings

CIS Control 9NIST PR.DS-5OWASP LLM01:2023
Previous3.4 URL and Resource ValidationNext4.1 Output Validation