HIGH llm data leakagehapi

Llm Data Leakage in Hapi

How Llm Data Leakage Manifests in Hapi

Llm Data Leakage in Hapi applications typically occurs when LLM endpoints are exposed without proper authentication or input validation. Since Hapi doesn't natively provide LLM-specific middleware, developers often create custom routes that inadvertently expose sensitive system prompts or training data.

A common vulnerability pattern involves routes like /chat or /llm that accept user input and forward it to LLM services without rate limiting or content filtering. Attackers can exploit these endpoints to extract system prompts, which may contain proprietary instructions, API keys, or sensitive business logic.

// Vulnerable Hapi route - no authentication or validation
const server = Hapi.server({ port: 3000 });
server.route({
  method: 'POST',
  path: '/chat',
  handler: async (request, h) => {
    const { message } = request.payload;
    const response = await openai.chat.completions.create({
      model: 'gpt-4',
      messages: [{ role: 'user', content: message }]
    });
    return response.choices[0].message.content;
  }
});

This code exposes several attack vectors: attackers can probe the system prompt through carefully crafted inputs, extract API keys embedded in the request, or cause excessive API usage that leads to cost exploitation. The lack of authentication means anyone can access the endpoint, while missing input validation allows prompt injection attacks.

Another manifestation occurs when Hapi applications serve as proxies to LLM services without proper request sanitization. Attackers can inject malicious prompts that cause the LLM to reveal system instructions or training data, particularly when using models that retain system prompt context in responses.

Hapi-Specific Detection

Detecting Llm Data Leakage in Hapi applications requires both static code analysis and runtime scanning. middleBrick's LLM/AI Security module specifically targets Hapi applications by scanning for exposed LLM endpoints and testing for prompt injection vulnerabilities.

middleBrick identifies Hapi-specific patterns through its OpenAPI spec analysis, detecting routes that match common LLM endpoint patterns like /chat, /llm, /ai, or /completion. The scanner then performs active testing by sending structured prompt injection payloads to these endpoints.

Key detection patterns include:

Routes accepting POST requests with JSON payloads containing messages or prompt fields
Endpoints that forward requests to external LLM services without authentication
Missing rate limiting on AI-related routes
Absence of content filtering or input sanitization
Direct exposure of LLM service credentials in route handlers

middleBrick's active scanning tests 27 regex patterns for system prompt leakage, including ChatML format detection, Llama 2 system prompt markers, and Mistral format recognition. The scanner also performs five sequential prompt injection probes to test for instruction override, DAN jailbreak attempts, and data exfiltration capabilities.

For Hapi applications, middleBrick analyzes the runtime behavior of exposed endpoints, checking if responses contain executable code, PII, or API keys that shouldn't be accessible to unauthenticated users. The scanner also detects excessive agency patterns in responses, such as tool_calls or function_call objects that indicate the LLM is being used for unintended purposes.

Hapi-Specific Remediation

Securing Hapi applications against Llm Data Leakage requires implementing authentication, input validation, and rate limiting at the route level. Hapi's plugin architecture makes it straightforward to add security middleware that protects LLM endpoints.

// Secure Hapi LLM endpoint with authentication and validation
const server = Hapi.server({ port: 3000 });

// Authentication plugin
const authPlugin = {
  name: 'auth',
  version: '1.0.0',
  register: async (server) => {
    server.auth.strategy('jwt', 'jwt', {
      key: process.env.JWT_SECRET,
      validate: async (artifacts) => {
        return { isValid: true, credentials: { userId: artifacts.decoded.payload.sub } };
      }
    });
  }
};

// Input validation schema
const chatSchema = {
  payload: {
    message: Joi.string().max(4000).required(),
    role: Joi.string().valid('user', 'assistant').optional()
  }
};

server.register(authPlugin);
server.route({
  method: 'POST',
  path: '/chat',
  options: {
    auth: 'jwt',
    validate: chatSchema,
    plugins: {
      'hapi-rate-limit': {
        max: 100,
        window: 60000 // 100 requests per minute
      }
    }
  },
  handler: async (request, h) => {
    const { message } = request.payload;
    
    // Sanitize input to prevent prompt injection
    const sanitizedMessage = message.replace(/(
|
)/g, ' ').trim();
    
    const response = await openai.chat.completions.create({
      model: 'gpt-4',
      messages: [{ role: 'user', content: sanitizedMessage }]
    });
    
    // Filter response for sensitive content
    const filteredContent = response.choices[0].message.content.replace(/API_KEY_[A-Za-z0-9]+/g, '[REDACTED]');
    
    return { content: filteredContent };
  }
});

This implementation adds multiple security layers: JWT authentication ensures only authorized users can access the endpoint, input validation prevents malformed requests, rate limiting protects against abuse, and response filtering removes sensitive content before returning to clients.

For applications using multiple LLM services, create a centralized validation plugin that checks all AI-related routes:

const aiSecurityPlugin = {
  name: 'ai-security',
  version: '1.0.0',
  register: async (server) => {
    server.ext('onRequest', (request, h) => {
      const path = request.path.toLowerCase();
      if (path.includes('chat') || path.includes('llm') || path.includes('ai')) {
        // Check for suspicious patterns
        if (request.payload?.message?.includes('system prompt') || 
            request.payload?.message?.includes('DAN') ||
            request.payload?.message?.includes('jailbreak')) {
          return h.response({ error: 'Invalid request' }).code(400);
        }
      }
      return h.continue;
    });
  }
};

Additionally, implement comprehensive logging for all LLM interactions to detect anomalous patterns and potential data exfiltration attempts. Use Hapi's request lifecycle events to log request metadata, response content summaries, and user identifiers for audit trails.

Related CWEs: llmSecurity

CWE ID	Name	Severity
CWE-754	Improper Check for Unusual or Exceptional Conditions	MEDIUM

Frequently Asked Questions

How can I test my Hapi LLM endpoints for data leakage vulnerabilities?

Use middleBrick's self-service scanner by submitting your API URL. It performs active prompt injection testing, scans for system prompt leakage using 27 regex patterns, and checks for unauthenticated access to LLM endpoints. The scan takes 5-15 seconds and provides a security score with prioritized findings specific to your Hapi application's LLM exposure.

What's the difference between Llm Data Leakage and regular API data exposure?

Llm Data Leakage specifically involves system prompts, training data, or proprietary instructions being exposed through LLM endpoints. Unlike regular API exposure where data is simply returned without authorization, Llm Data Leakage can reveal the underlying model's behavior, business logic, or even API keys embedded in system prompts. middleBrick's LLM/AI Security module is the only scanner that actively tests for these AI-specific vulnerabilities with prompt injection and system prompt extraction techniques.