FixVibe

// probes / spotlight

LLM Prompt Injection

If your AI feature trusts user input as instruction, the user can rewrite the system prompt.

Il gancio

Prompt injection is the new SQL injection, with one large complication: the parser is a probabilistic neural network whose decision boundaries are not specified anywhere. There is no equivalent of parameterized queries because the LLM does not have a structural separation between code and data — both arrive as text in a single context window. Every developer who builds a chatbot, summarization tool, or RAG-backed search starts with the same naive pattern (concatenate the system prompt with the user's input, send it to the LLM), and every one of them is vulnerable until they layer on defenses. Worse: the attacker doesn't need to be the user. Indirect prompt injection — instructions hidden inside documents, web pages, or emails the LLM consumes — turns content fetching into command execution.

Come funziona

Prompt injection appears when LLM-facing inputs can override instructions, leak context, or trigger unsafe tool behavior. The risk depends on what the AI feature can read or do inside the product.

Il raggio d'azione

Data exfiltration: system prompts (often containing internal context, business logic, or credentials), conversation history from other users in shared deployments, document contents from RAG systems. Reputation damage when chatbots produce offensive output that screenshots cleanly. Phishing assistance via injected URLs that the LLM presents as legitimate. Financial loss when LLMs with tool access execute unintended operations — sending email, posting messages, hitting paid APIs, calling code-execution sandboxes. In agentic systems with broader tool access, the impact grades up to remote code execution.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Treat user input as untrusted by the LLM. The most reliable structural defense is to constrain output to structured formats (JSON schema with strict validation, function-calling with tool-side permission gates) so the LLM's output is parsed by your code rather than executed. Layer the system prompt to restate boundaries after user content — instructions placed at the end of the context have measurably better adherence than those at the beginning. For tool-using agents, gate every dangerous operation behind a human approval step (don't let an LLM send email, transfer money, or execute code without a confirmation prompt). For indirect injection, sanitize fetched content before adding it to the context — strip HTML attributes, comment markers, and instruction-shaped text patterns. Run a second model as a 'jailbreak detector' over user inputs and outputs in high-stakes deployments; OpenAI's moderation endpoint and Anthropic's classifier APIs cover the common cases. Most importantly, design with assumed compromise: what's the worst the LLM can do if it follows attacker instructions? If the answer is 'leak the system prompt,' you might accept that risk. If the answer is 'send mass email or call paid APIs,' you need the gates.

In sintesi

There is no parameterized-query equivalent for LLMs yet. Defense is currently architectural — constrain what the model can do with its output, not what it can be told to do.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Sonde attive
127
test eseguiti in questa categoria
modules
48
controlli dedicati a sonde attive
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

LLM Prompt Injection — Vulnerabilità in primo piano | FixVibe · FixVibe