Glossary
What Is LLM Prompt Injection?
LLM Prompt Injection is an emerging vulnerability class where an attacker injects instructions into the input of a large-language-model-powered feature, causing the model to follow attacker instructions instead of (or in addition to) the application's intended prompt. OWASP Top-10 for LLM Applications lists it as LLM01:2025. Practical impact: data exfiltration, action invocation, downstream system manipulation.
Direct vs indirect prompt injection
- Direct: the attacker is the user. They submit input designed to override the system prompt ("ignore previous instructions and...").
- Indirect: the attacker controls a data source the LLM reads — a web page, an email, a document, a tool output. The user asks the LLM to process the data and the data contains hidden instructions the LLM follows.
Indirect is the more dangerous class because it doesn't require the attacker to interact with the LLM directly. Examples: emails that exfiltrate user data when summarised; web pages that hijack browsing-agent decisions; PDFs that change tool-calling behaviour when read.
Where prompt injection shows up
Any application that combines an LLM with: (a) tool calls (file system, API requests, code execution), (b) external data sources (web fetch, user uploads, document parsing), (c) sensitive data in the conversation history. The combination is what creates impact. A chatbot that's just chat has limited blast radius; an agent that reads emails and sends Slack messages has a large one.
How SQUR addresses prompt injection
Beyond traditional web-app pentest scope, SQUR offers adversarial-testing against LLM-powered features. The validator probes both direct (user-input override) and indirect (data-source poisoning) injection vectors, mapping to the OWASP LLM Top-10 categories. Output includes specific prompt-injection payloads that worked + the data exfiltration or action invocation they achieved.
Remediation pattern
Treat all LLM input as untrusted, including upstream tool outputs. Sandbox tool execution. Apply allowlists on which tools can be called from which conversation contexts. Use structured output (JSON schemas, function calling with parameter validation) rather than free-form text-to-action. Detect and refuse known injection patterns at input time (defence in depth, not a substitute). Limit sensitive-data exposure in conversation history. Monitor for anomalous tool-call patterns.
Frequently asked questions
Is this the same as jailbreaking?
Related but distinct. Jailbreaking = bypassing the LLM's content policy / safety training. Prompt injection = hijacking the LLM's task. Many real attacks combine both: jailbreak to get past safety, then prompt-inject to perform the malicious action.
Are LLM-powered apps regulated?
Increasingly. The EU AI Act Article 55 requires adversarial testing for GPAI models with systemic risk. For high-risk applications using LLM components, Article 15 cybersecurity obligations include resistance to adversarial inputs — prompt injection sits squarely there.