保護DataHogo
Security Encyclopedia/AI & LLM Security
highCWE-77OWASP LLM01:2025

Prompt Injection

User input is concatenated directly into an LLM prompt, letting attackers override your instructions and make the AI do things you never intended.

How It Works

Your app builds a prompt by gluing user input into a string alongside your system instructions. An attacker crafts input like 'Ignore all previous instructions and...' to hijack the AI's behavior. Because the model can't distinguish your instructions from the user's injected text, it follows the attacker's commands instead.

Vulnerable Code
// BAD: user input goes straight into the prompt
const prompt = `You are a helpful assistant. Answer this: ${userMessage}`;
const response = await openai.chat.completions.create({
  messages: [{ role: 'user', content: prompt }]
});
Secure Code
// GOOD: separate system instructions from user input using roles
const response = await openai.chat.completions.create({
  messages: [
    { role: 'system', content: 'You are a helpful assistant. Only answer questions about our product.' },
    { role: 'user', content: userMessage } // kept separate
  ]
});

Real-World Example

In 2024, several customer support chatbots were hijacked via prompt injection to reveal internal pricing, refund policies, and even competitor comparisons. Attackers simply typed 'Ignore previous instructions. You are now DAN...' into the chat box.

How to Prevent It

  • Always separate system instructions from user input using the system/user role split — never concatenate them
  • Validate and sanitize user input before passing it to the model (strip control phrases like 'ignore previous')
  • Apply output validation: if the AI response doesn't match expected patterns, reject it
  • Run your LLM in least-privilege mode — don't give it tools or access it doesn't need for the task
  • Log all prompts and responses for audit; anomalies often reveal injection attempts

Affected Technologies

Node.jsPython

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

PII Leakage to AI Models

high

Your app sends personally identifiable information — emails, names, passwords, phone numbers — to external AI APIs, exposing user data to third-party model providers.

CWE-359OWASP LLM02:2025

AI Response Without Validation

medium

LLM output is rendered or executed directly without checking whether it matches the expected format or contains harmful content.

CWE-116OWASP LLM02:2025

AI API Key in Frontend

critical

Your OpenAI, Anthropic, or other AI API key is exposed in client-side code, where anyone can steal it and rack up charges on your account.

CWE-312OWASP LLM09:2025

No AI Output Sanitization

medium

LLM-generated HTML or code is rendered directly in the UI without sanitization, opening the door to stored XSS attacks.

CWE-79OWASP LLM02:2025