FixVibe

// 探测 / 聚焦

LLM Prompt Injection

If your AI feature trusts user input as instruction, the user can rewrite the system prompt.

概要

Prompt injection is the new SQL injection, with one large complication: the parser is a probabilistic neural network whose decision boundaries are not specified anywhere. There is no equivalent of parameterized queries because the LLM does not have a structural separation between code and data — both arrive as text in a single context window. Every developer who builds a chatbot, summarization tool, or RAG-backed search starts with the same naive pattern (concatenate the system prompt with the user's input, send it to the LLM), and every one of them is vulnerable until they layer on defenses. Worse: the attacker doesn't need to be the user. Indirect prompt injection — instructions hidden inside documents, web pages, or emails the LLM consumes — turns content fetching into command execution.

運作方式

Prompt injection appears when LLM-facing inputs can override instructions, leak context, or trigger unsafe tool behavior. The risk depends on what the AI feature can read or do inside the product.

影響范圍

Data exfiltration: system prompts (often containing internal context, business logic, or credentials), conversation history from other users in shared deployments, document contents from RAG systems. Reputation damage when chatbots produce offensive output that screenshots cleanly. Phishing assistance via injected URLs that the LLM presents as legitimate. Financial loss when LLMs with tool access execute unintended operations — sending email, posting messages, hitting paid APIs, calling code-execution sandboxes. In agentic systems with broader tool access, the impact grades up to remote code execution.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Treat user input as untrusted by the LLM. The most reliable structural defense is to constrain output to structured formats (JSON schema with strict validation, function-calling with tool-side permission gates) so the LLM's output is parsed by your code rather than executed. Layer the system prompt to restate boundaries after user content — instructions placed at the end of the context have measurably better adherence than those at the beginning. For tool-using agents, gate every dangerous operation behind a human approval step (don't let an LLM send email, transfer money, or execute code without a confirmation prompt). For indirect injection, sanitize fetched content before adding it to the context — strip HTML attributes, comment markers, and instruction-shaped text patterns. Run a second model as a 'jailbreak detector' over user inputs and outputs in high-stakes deployments; OpenAI's moderation endpoint and Anthropic's classifier APIs cover the common cases. Most importantly, design with assumed compromise: what's the worst the LLM can do if it follows attacker instructions? If the answer is 'leak the system prompt,' you might accept that risk. If the answer is 'send mass email or call paid APIs,' you need the gates.

要点

There is no parameterized-query equivalent for LLMs yet. Defense is currently architectural — constrain what the model can do with its output, not what it can be told to do.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

主動探測
127
本類别中触發的测試
模塊
48
專属 主動探測 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

LLM Prompt Injection — 漏洞聚焦 | FixVibe · FixVibe