Customer chatbot security review
What middleBrick covers
- Black-box LLM adversarial probe testing across three scan tiers
- Authentication support for Bearer, API key, Basic, and cookie
- OpenAPI spec parsing with recursive $ref resolution
- Detection of prompt injection, data leakage, and PII exposure
- Continuous monitoring and diff detection for score trends
- Integration options including CLI, GitHub Action, and MCP Server
What is a customer chatbot security review
A customer chatbot security review evaluates how a public-facing conversational interface handles data, authentication, and responses. It maps findings to OWASP API Top 10 controls relevant to LLM interfaces, including injection, prompt tampering, and data exposure. The review checks input handling, session management, logging, and the safeguards around third-party model calls.
What teams get wrong when they skip this review
Without a structured review, teams expose prompts, internal instructions, and PII through model outputs, allow unrestricted user input that can lead to prompt injection, and permit excessive third-party URLs that increase supply chain risk. Missing guardrails can cause session fixation, over-retention of sensitive data, and unclear incident response paths.
- Direct prompt and system message leakage to end users
- Unvalidated user input reaching model or backend calls
- Overly broad third-party model permissions or callbacks
- Inadequate rate limiting enabling cost or abuse scenarios
A good workflow for chatbot security
Start with a design review of data flows, identifying where user input enters the system and how model output is presented. Define acceptable content categories, safe completion rules, and session timeouts. Implement input normalization and strict allowlists for character sets and lengths. Validate that safeguards such as instruction blocking, output filters, and escalation paths are tested with adversarial examples before deployment.
const safeCompletion = (userMessage) => {
if (!validateLength(userMessage) || !isAllowedCharset(userMessage)) {
throw new Error('Input not allowed');
}
const response = model.complete({ message: userMessage, system: sanitizedSystemPrompt });
if (containsPII(response)) {
logAndRedact(response);
}
return response;
};How middleBrick covers chatbot interfaces
middleBrick scans the chatbot API surface using black-box methods, exercising GET, HEAD, and text-only POST interactions. It checks LLM adversarial probes across quick, standard, and deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, token smuggling, and multi-turn manipulation. The scanner reviews related API definitions and flags over-exposed fields or missing validation aligned to OWASP API Top 10.
Authenticated scanning supports Bearer, API key, Basic auth, and cookies, gated by domain verification to ensure only domain owners can submit credentials. Header allowlists restrict forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Limitations and complementary practices
middleBrick does not fix, patch, or block vulnerabilities; it detects and provides remediation guidance. It does not perform active SQL injection or command injection testing, does not detect blind SSRF, and does not replace a human pentester for high-stakes audits. Business logic flaws specific to your domain require manual review and contextual expertise.
Complement automated scans with periodic human reviews, red-team exercises focused on prompt injection, and monitoring for anomalous model outputs or cost spikes. Maintain an incident response plan that includes prompt rollback and user notification procedures.