LLM01:2025 - Prompt Injection

Prompt Injection is the number-one risk in the OWASP Top 10 for LLM Applications 2025. It occurs when an attacker manipulates LLM behavior through crafted inputs, either directly via user-submitted prompts or indirectly through malicious content embedded in data the LLM processes. Because LLMs cannot inherently distinguish between developer instructions and user input, prompt injection remains a fundamental and pervasive attack surface for AI-powered applications.

Overview

Prompt injection exploits the way large language models process natural language instructions. In a direct attack, the user sends a malicious prompt designed to override system instructions, bypass guardrails, or extract sensitive information. In an indirect attack, malicious content is planted in external data sources (documents, web pages, emails, or database records) that the LLM later retrieves and processes as part of its context. Both attack vectors can lead to unauthorized actions, data exfiltration, privilege escalation, and social engineering through the LLM. As AI applications grow in capability and autonomy, the blast radius of prompt injection increases accordingly.

What Radar Detects

  • User input concatenated directly into LLM prompts.**Raw string concatenation or f-string formatting that injects user-controlled values into prompt strings without sanitization or structural delimiters, allowing attackers to break out of the intended context.

  • Missing input validation before LLM API calls.**Code paths where user input reaches LLM provider APIs (OpenAI, Anthropic, Azure OpenAI, and others) without prior validation for length, character set, or known injection patterns.

  • System prompts constructed with user-controlled variables.**System-level instructions that include user-supplied values, enabling attackers to modify the behavioral directives the model follows.

  • RAG pipelines injecting retrieved content without sanitization.**Retrieval-Augmented Generation pipelines that insert fetched documents directly into the prompt context without escaping or delimiting external content from trusted instructions.

  • Missing prompt templates.**Raw string formatting used to build prompts instead of structured prompt construction with explicit role separation (system, user, assistant) and content boundaries.

  • Absence of input/output boundary markers.**Prompt construction that lacks clear delimiters between system instructions, user input, and retrieved context, making it trivial for injected content to override intended behavior.

CWE-77 (Command Injection), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

See the CWE Reference for details.

Overlap with OWASP Top 10 Web

Prompt injection is conceptually similar to A05:2025 Injection in the traditional OWASP Top 10. In both cases, untrusted input reaches an interpreter without proper neutralization. The difference is the interpreter: instead of a SQL engine, shell, or LDAP server, the target is the LLM itself. The same principle applies: never trust user input, always enforce boundaries between data and instructions.

Prevention

  • Use structured prompt templates with clear delimiters that separate system instructions, user input, and retrieved context into distinct, labeled sections.
  • Validate and sanitize all user input before including it in any prompt. Enforce length limits, strip control characters, and reject known injection patterns.
  • Adopt role-based message formatting (system/user/assistant roles) provided by LLM APIs rather than concatenating everything into a single string.
  • Implement input length limits appropriate to your use case to reduce the attack surface for complex injection payloads.
  • Apply output validation to detect cases where the LLM response indicates successful injection (e.g., the model reveals its system prompt or performs unauthorized actions).
  • For RAG pipelines, sanitize and clearly delimit retrieved content before injecting it into the prompt context.
  • Monitor LLM interactions for anomalous patterns that may indicate prompt injection attempts.

Next Steps

Previous: A10:2025

Mishandling of Exceptional Conditions in the OWASP Top 10 Web.

Next: LLM02:2025

Sensitive Information Disclosure. Private data exposed through LLM interactions.

OWASP Top 10 Overview

All OWASP standards mapped by Radar.

Previous
A10 - Exceptional Conditions
Next
LLM02 - Info Disclosure