惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Scott Helme
Scott Helme
N
Netflix TechBlog - Medium
AI
AI
Security Latest
Security Latest
GbyAI
GbyAI
P
Proofpoint News Feed
Y
Y Combinator Blog
A
Arctic Wolf
G
Google Developers Blog
U
Unit 42
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
博客园 - 【当耐特】
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
Latest news
Latest news
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
WordPress大学
WordPress大学
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
Simon Willison's Weblog
Simon Willison's Weblog
V
V2EX
Project Zero
Project Zero
博客园_首页

A10 Networks

Secure, High-Performance Networking Solutions | A10 Battling Bots, Fraud & AI Threats Summit | Retail IT & Cybersecurity What Is Healthcare Data Compliance? | A10 Networks Interop Best of Show Runner's Up - People's Choice | A10 Networks Interop Best of Show Runner's Up - Security for AI | A10 Networks What Is FIX Protocol Trading? | A10 Networks A10 Joins OpenAI's Trusted Access for Cyber Flexible Licensing for Multiple Clouds | A10 Networks A10 Acquires TrojAI to Advance Enterprise AI Security HFT Infrastructure: High Frequency Trading Explained | A10 Networks A10 Networks Acquires TrojAI Inc., Expanding AI Roadmap | A10 Networks What Is Low-latency Trading? | A10 Networks Multi-Vector DDoS: 11 Amplification Vectors | A10 Healthcare Cloud Compliance: HIPAA & GDPR Guide | A10 LLM Unbounded Consumption & DoS Attacks | OWASP LLM10 LLM Hallucination & Misinformation | OWASP LLM09:2025 Healthcare Network Protection for Hospitals & Clinics RAG Security: Vector & Embedding Weaknesses | OWASP LLM08 System Prompt Leakage | OWASP LLM07:2025 Explained LLM Excessive Agency | OWASP LLM06:2025 Explained LLM Supply Chain Security | OWASP LLM03:2025 Trust, Control and Security in the Age of Agentic AI Summit | A10 Networks LLM Improper Output Handling | OWASP LLM05:2025 Data Poisoning Attacks in LLMs | OWASP LLM04:2025 Sensitive Information Disclosure | OWASP LLM02:2025 Game Over for DDoS Attacks in Gaming | How to Achieve Resilience Beyond PCI Summit: Battling Bots, Fraud, and AI-powered Threats Web Application Security Best Practices for 2026 | A10 Networks A10’s 5 Key Takeaways on Application & API Security Trends Securing Financial Applications in the AI Era Summit Unified Application Delivery, Security, and AI Protection for Financial Services The Most Famous DDoS Attacks in History Post-quantum Cryptography Comes to A10 SSL/TLS Data Plane Real-time DDoS Carpet-bombing: NTP Amplification Evasion Shadow AI | Glossary AI & LLM Security: Hype vs. Reality and What to Prioritize App Delivery in the Age of AI Summit | Hybrid & Cloud-Native Strategies A Day in the Life of a Stressed Web Application | ADC & WAF Resilience Avans University of Applied Sciences Modernizes Hybrid Application Delivery with A10 Networks Preparing Government Infrastructure for AI Adoption | Expert Summit Report: IDC Spotlight Report: Modernizing Application Delivery Infrastructure for AI-powered Applications Broken Object Level Authorization (BOLA): The #1 API Security Risk | Free Webinar | A10 Networks Product Demo: A10 AI Firewall by A10 Networks AI Firewall for Enterprise AI Security | A10 Networks API Traffic Management for AI and Agentic Systems | Expert Summit AI is Here: How Ready Is Your Infrastructure? | A10 Networks Pulse Campaign Analysis: Brazil ISPs Expose Next-Gen DDoS Automation Trends Tech Companies Lead GenAI Adoption but Face Infrastructure Gaps Cyber Defense Magazine's 2026 Global InfoSec award – Editor's Choice – API Security | A10 Networks Load Balancing Solutions for Availability & Security | A10 Networks Top 9 Generative AI Security Risks in 2026 LLM Security: Protecting AI Models & Applications
Prompt Injection | OWASP LLM01:2025 Explained
Richard Tuma · 2026-05-20 · via A10 Networks

Prompt injection is one of the most critical risks facing applications built on large language models (LLMs).

A prompt injection vulnerability occurs when an input alters the behavior or output of an LLM in unintended ways. These manipulations may not even be visible to humans. If the model parses the content, it can be influenced.

Unlike traditional injection flaws, prompt injection does not exploit syntax parsing in a database or interpreter. It exploits how models process language itself. When an attacker successfully influences the prompt context, they can cause the model to ignore instructions, override safeguards, access sensitive data, or perform actions beyond its intended scope.

Techniques such as Retrieval-augmented Generation (RAG) and fine-tuning improve relevance and accuracy, but they do not eliminate prompt injection risk.

Key Takeaways

  • Prompt injection is ranked #1 in the OWASP LLM Top 10 2025 and occurs when crafted inputs cause an LLM to behave in unintended ways, including bypassing safety guidelines or executing unauthorized actions
  • It comes in two forms: direct injection, where user input manipulates the model, and indirect injection, where malicious instructions are hidden in external content the LLM retrieves
  • Prompt injection and jailbreaking are related but distinct; jailbreaking is a subset of prompt injection specifically aimed at making a model disregard its safety protocols entirely
  • Multi-modal AI systems face an expanded attack surface, as malicious instructions can be hidden within images or other non-text inputs that are difficult to filter and detect
  • No foolproof prevention exists, but mitigation combines system prompt constraints, least-privilege access, input/output filtering, and human approval for high-risk operations

Prompt Injection vs. Jailbreaking

Prompt injection and jailbreaking are closely related, but not identical.

Prompt injection involves manipulating model responses through crafted inputs to change behavior. This may include bypassing guardrails or altering decision-making logic. Jailbreaking is a specific form of prompt injection where the attacker attempts to make the model ignore its safety controls entirely. While developers can introduce safeguards within system prompts and input handling, preventing jailbreaking requires continuous model improvements and ongoing safety updates.

Types of Prompt Injection

Direct Prompt Injection

Direct injection occurs when a user’s input directly alters the model’s behavior. This could be intentional, in that a malicious actor deliberately crafts a prompt to override system controls. Or, actions could be unintentional, where for example, a legitimate user provides input that unexpectedly triggers unsafe behavior. The end result is the same.

Indirect Prompt Injection

Indirect injection occurs when an LLM processes external content such as web pages, documents, emails or repositories. Hidden or embedded instructions within that external content can influence the model when it is parsed. These attacks can be intentional or accidental.

Potential Impacts

The severity of prompt injection depends heavily on how the LLM is integrated and what level of agency it has within the system. Successful prompt injection can lead to the following, but the impact scales with model privileges.

  • Disclosure of sensitive information
  • Exposure of system prompts or internal infrastructure details
  • Manipulated or biased outputs
  • Unauthorized function access
  • Execution of commands in connected systems
  • Manipulation of critical decision-making processes

Multi-modal Injection Risks

As AI systems increasingly process multiple modalities (text, images, audio, documents), the attack surface expands. Malicious instructions may be embedded within images or other non-text inputs. When multi-modal systems interpret these inputs alongside text, hidden prompts can influence behavior in ways that are difficult to detect. Cross-modal attacks represent an evolving area of research and defense.

Prevention and Mitigation Strategies

Prompt injection cannot be fully eliminated due to the probabilistic nature of generative AI. However, organizations can significantly reduce risk through architectural controls and layered defenses such as the following.

  • Constrain model behavior by clearly defining the model’s role, scope, and limitations within system prompts. Enforce strict context adherence and explicitly instruct the model to ignore attempts to override core instructions.
  • Define and validate output formats by requiring structured output formats, requesting reasoning and source attribution where appropriate, and using deterministic validation logic to enforce compliance.
  • Implement input and output filtering by defining sensitive data categories, applying semantic filtering and string scanning, and evaluating responses using context relevance, groundedness, and question-answer alignment.
  • Enforce least privilege by requiring model access to only information that is necessary, using application-level API tokens rather than exposing privileged credentials to the model, and handling sensitive actions in controlled code pathways.
  • Require human approval for high-risk actions by introducing human-in-the-loop review for privileged or irreversible operations.
  • Segregate external content by clearly identifying and isolating untrusted content and preventing external data from directly influencing system-level instructions.
  • Conduct adversarial testing by performing regular penetration testing and red teaming, treating the model as an untrusted actor, and simulating boundary violations and privilege escalation attempts.

Example Attack Scenarios

Prompt injection manifests in many forms across real-world applications.

  • Direct injection: A chatbot is instructed to ignore prior guidelines and retrieve private data.
  • Indirect injection: A webpage contains hidden instructions that cause a summarizing LLM to exfiltrate conversation data.
  • Unintentional injection: An embedded instruction in a job listing triggers unexpected AI behavior.
  • RAG manipulation: A modified document in a knowledge base influences the generated response.
  • Code injection: An attacker exploits vulnerabilities in an LLM-powered tool to manipulate outputs.
  • Payload splitting: Malicious instructions are divided across inputs and recombined by the model.
  • Multi-modal injection: Hidden prompts embedded in images alter system behavior.
  • Adversarial suffixes: Obfuscated character strings bypass safety filters.
  • Multi-lingual/encoded attacks: Instructions hidden through translation or encoding evade detection.

Why It Matters

Prompt injection is not just a model-level weakness. It is an application security risk. The more agency and integration an LLM has—function calling, database access, email sending, workflow automation—the greater the potential impact of a successful injection. Defending against prompt injection requires clear trust boundaries, strict output handling, controlled privilege delegation and continuous testing and validation.

LLM-powered systems must be architected with the assumption that the model can be influenced. Resilience depends on how well the surrounding application enforces boundaries. Prompt injection is a foundational design consideration for secure AI deployment.

< Back to Glossary of Terms