Prompt Injection (LLM01:2025)
Manipulating an LLM’s input prompt to force the model to behave in an unintended manner. Ranked #1 in the OWASP LLM Top 10 (2025). Also a named risk in Google’s SAIF.
What It Is
Prompt injection exploits the fact that the prompt is the LLM’s only text-based input. By crafting or injecting malicious instructions, an attacker can:
- Override the model’s system instructions or intended behavior
- Bypass safety guardrails
- Extract sensitive information
- Cause the model to perform actions outside its intended scope
Relationship to Prompt Engineering
Prompt injection is the offensive application of prompt engineering. The same understanding of how phrasing, context, and constraints steer LLM output is used to craft malicious inputs that redirect the model.
OWASP Classification
LLM01:2025 — Prompt Injection covers security vulnerabilities that arise from manipulating an LLM’s input prompt, including:
- Forcing the LLM to ignore its system prompt
- Indirect injection via external content the LLM reads (documents, web pages)
- Jailbreaking — overriding content policy restrictions
Related Risk: LLM02:2025
LLM02:2025 — Sensitive Information Disclosure — leakage of sensitive information resulting from improper prompt engineering or manipulation of the input prompt. Often achieved via prompt injection.
⚠️ Placeholder: attack techniques section not yet ingested.
See Also
- prompt-engineering — the craft that underpins this attack
- owasp-llm-top-10 — full OWASP LLM Top 10 framework
- google-saif — SAIF risk framework where prompt injection appears
- prompt-engineering-llm-security — prompt engineering & LLM security overview