# prompt-injection

labdelimiter-injectionprompt-injectionxmlmarkdownbeginner

Lab: Delimiter Injection Attacks

Craft payloads that exploit XML, markdown, and special 符元 delimiters to break instruction boundaries and manipulate how LLMs parse 系統提示詞s versus user input.

labdelimiter-escapeprompt-injectionboundariesbeginnerhands-on

實作：分隔符逃脫攻擊

Craft payloads that escape delimiter boundaries separating system and user content, testing how models handle broken fences, nested delimiters, and format confusion.

labfew-shotin-context-learningprompt-injectionbeginner

Lab: Few-Shot Manipulation Attacks

Craft fake few-shot examples that teach the model to bypass its safety training by demonstrating the desired 對抗性 behavior through fabricated conversation examples.

labprompt-injectionbeginnerhands-on

實作：你的第一個提示詞注入

動手實作 where you perform your first 提示詞注入 attacks against a chatbot, progressing from basic overrides to more sophisticated 技術.

labprompt-injectionsurveytechniquesbeginnerhands-on

實作：注入技術概覽

Survey and test ten fundamental 提示詞注入技術 against a local LLM, measuring effectiveness and cataloging behavioral patterns for each approach.

labmulti-languageprompt-injectiontranslationbeginnerhands-on

實作：多語言注入

測試提示詞注入技術 using multiple natural languages, exploring how safety training coverage varies across languages and how translation requests can mask payloads.

laboutput-steeringprompt-injectionoutput-manipulationbeginnerhands-on

實作：輸出引導

學習 to steer LLM outputs into specific formats, tones, and content using injection 技術 that manipulate how the model structures and presents its responses.

labpayload-craftingprompt-injectionred-teamingbeginnerhands-on

實作：載荷製作

學習 to craft effective 提示詞注入 payloads from scratch by understanding payload structure, testing iteratively, and optimizing for reliability against a local model.

labprompt-injectionsystem-promptoverridebeginnerhands-on

實作：系統提示詞覆寫

探索技術 to override system-level instructions with user-level inputs, testing how models prioritize conflicting directives across different prompt architectures.

labprompt-injectiontokenizerunicode

實驗室: 進階 Token Smuggling via Unicode Normalization

利用 Unicode normalization differences between input validators與LLM tokenizers to bypass content filters與inject hidden instructions.

simulationchatbotenterpriseprompt-injectiondata-exfiltration

Simulation: Enterprise Chatbot Engagement

Full red team engagement simulation targeting a customer-facing chatbot deployed by a fictional e-commerce company, covering reconnaissance, prompt injection, data exfiltration, and PII harvesting.

simulationvoice-assistantaudiosmart-homeprivacyprompt-injection

模擬：語音助理紅隊

針對部署於智慧家庭平台之 AI 語音助理之紅隊委任模擬，涵蓋音訊型提示注入、喚醒詞利用，以及隱私外洩。

claudevulnerabilitiesmany-shotalignment-fakingcrescendoprompt-injection

Claude 已知漏洞

已記錄之 Claude 漏洞，包括 many-shot jailbreak、對齊偽裝研究、crescendo 攻擊、經由 artifact 之提示注入，以及系統提示擷取技術。

audioadversarialmultimodalvoiceprompt-injectionspeech-llmresearch

Audio Modality 攻擊s

Comprehensive attack taxonomy for audio-enabled LLMs: adversarial audio generation, voice-based prompt injection, cross-modal split attacks, and ultrasonic perturbations.

multimodalprompt-injectionimagestypographicvisual

圖像型提示詞注入攻擊

透過圖像注入對抗性提示詞的完整技術，涵蓋印刷型注入、隱寫術嵌入，以及針對多模態 AI 系統的視覺載荷傳遞。

image-injectionprompt-injectionmultimodalvlm

以圖像為本之提示注入

將文字指令嵌入圖像以操弄 VLM 之技術，含隱寫注入、可見文字攻擊與 QR 碼利用。

typographicadversarialvlmvisual-textprompt-injection

Typographic Adversarial 攻擊s

How text rendered in images influences VLM behavior: adversarial typography, font-based prompt injection, visual instruction hijacking, and defenses against typographic manipulation.

prompt-injectionencodingbypassobfuscation

進階編碼鏈攻擊（提示詞注入）

深入探討如何鏈結多個編碼方案來打造能繞過多層輸入過濾器與內容分類器的注入載荷。

prompt-injectionoptimizationgradientsearch

對抗性提示詞最佳化

使用系統化搜尋與最佳化演算法，為特定目標行為發掘最有效的對抗性提示詞。

prompt-injectioncompetitionctftechniques

競賽風格注入技術

AI 紅隊競賽與 CTF 挑戰中常用的注入技術。

prompt-injectioncontext-overflowattentioncontext-windowred-teaming

上下文溢位攻擊

以填塞內容填滿大型語言模型上下文視窗，把系統指令推出注意力之外，降低其對模型行為影響力的技術。

prompt-injectioncontext-windowattentionkv-cachepositional-encoding

上下文視窗利用

利用大型語言模型上下文視窗機制的進階技術，包含注意力稀釋、位置編碼攻擊、KV 快取操控與上下文邊界混淆。

prompt-injectioncontextsemanticstealth

情境注入技術

打造能無縫融入預期對話脈絡、以規避內容分類器偵測的注入載荷。

prompt-injectionconversationhijackingmulti-turn

對話劫持技術

透過注入轉折點接管進行中的對話，重導模型行為而不觸發安全機制。

prompt-injectionconversationsteeringmulti-turn

對話引導

在不觸發安全機制下逐步將對話上下文重導向攻擊目標的技術。

prompt-injectioncross-contextpersistencemulti-agent

跨情境注入（提示詞注入）

跨越情境邊界持續存在的提示詞注入技術：於對話重置、工作階段切換、記憶體邊界與多代理交接中存活。

prompt-injectiondata-exfiltrationharvestingprivacy

透過注入進行資料收割

使用注入技術從大型語言模型應用程式中萃取訓練資料、系統提示詞、使用者資料與其他敏感資訊。

prompt-injectiondelimitersxmlmarkdownspecial-tokensboundary-attacks

基於分隔符的攻擊

利用 XML、markdown、JSON、特殊符元邊界與結構化格式，逃逸輸入沙箱並於提升的權限層級注入指令。

prompt-injectiondirect-injectioninstruction-overridered-teaming

直接提示詞注入

直接將指令注入大型語言模型提示詞以覆寫系統行為的技術，包含指令覆寫、上下文操控與格式模仿。

prompt-injectionencodingbase64unicodeobfuscationfilter-evasionred-teaming

編碼繞過技術

使用 Base64、ROT13、Unicode 轉換、十六進位編碼與其他混淆方法，在保留語意意義的同時，規避提示詞注入過濾器與安全分類器。

prompt-injectionjailbreakllm-securityfundamentals

提示詞注入與越獄

提示詞注入的完整入門——大型語言模型應用程式中最根本的漏洞類別——以及它與越獄技術的關係。

prompt-injectionindirect-injectionragdata-poisoningsupply-chain

間接提示詞注入

攻擊者如何在大型語言模型處理的外部資料來源中嵌入惡意指令，無需直接存取模型輸入即可發動攻擊。

prompt-injectionautomationchainingorchestration

注入鏈自動化

自動化發掘並鏈結多種注入技術，建立對強化目標的可靠多步攻擊序列。

prompt-injectiontaxonomyclassificationred-teamingframework

提示詞注入分類

提示詞注入攻擊的完整分類框架，涵蓋直接與間接向量、遞送機制、目標層級與嚴重度評估，用於系統化紅隊測試。

prompt-injectionfunction-callingtool-useindirect

透過函式呼叫的注入

利用函式呼叫與工具使用介面，透過結構化工具輸入與輸出注入對抗指令。

prompt-injectionstructured-datajsonxml

透過結構化資料格式的注入

透過 JSON、XML、YAML 與 SQL 等結構化資料格式注入提示詞。

prompt-injectioninstruction-hierarchymessage-priorityrole-confusionsystem-promptred-teaming

指令階層攻擊

利用系統、使用者與助理訊息間的優先順序以覆寫安全控制、操控指令優先權，並透過訊息角色混淆進行權限提升。

prompt-injectioninstruction-priorityhierarchyoverride

指令優先權濫用

利用系統提示詞、使用者訊息與助理回應間的隱性優先階層，以提升注入效果。

prompt-injectionlanguagemultilinguallow-resource

語言落差利用

利用低資源語言中的安全訓練落差，以及跨語言注入技術。

prompt-injectionmany-shotjailbreakinganthropic

Many-Shot 越獄分析

對 many-shot 越獄技術及其對上下文學習意涵的深入分析。

prompt-injectionmetaprompt-engineering

元提示詞注入

注入關於模型應如何處理未來指令的指令。

prompt-injectionmulti-turnescalationcrescendo

多輪升級攻擊

透過多輪對話逐步升級以繞過安全訓練的技術。

prompt-injectionmulti-turncrescendocontext-steeringred-teaming

多輪提示詞注入

跨對話回合的漸進升級攻擊，包含漸強模式、脈絡引導、信任建立與規避逐訊息偵測系統的技術。

prompt-injectionmultilingualtranslationevasion

多語言注入攻擊

利用語言多樣性與翻譯不一致，打造規避以英語為中心之安全過濾器的注入載荷。

prompt-injectionmultimodalvisionaudioocr

多模態文字注入向量

透過非文字模態注入對抗性文字指令，包含嵌入文字的影像、音訊轉錄與文件解析。

prompt-injectionobfuscationencodingevasion

進階載荷混淆

提示詞注入載荷的進階混淆技術，包含編碼鏈與語意偽裝。

prompt-injectionpayload-splittingfragmentationevasionred-teaming

載荷分割

將惡意指令拆分至多則訊息、變數或資料來源，以規避單點偵測，同時讓模型在處理過程中重新組合完整載荷。

prompt-injectionpersonaroleplayjailbreak

基於人格的注入攻擊

利用指令遵循行為的進階人格與角色扮演攻擊。

prompt-injectionprefixprimingcontext-manipulation

前綴注入攻擊

於使用者查詢前附加精心打造的內容，以預先制約模型行為並為後續注入嘗試建立有利脈絡。

prompt-injectionrecursivepropagationself-reference

遞迴注入模式

自我參照與遞迴注入模式，使模型透過其自身輸出放大並傳播對抗指令。

prompt-injectionrole-escalationprivilege-escalation

透過注入的角色提升

透過精心打造的注入序列，從使用者層級提升至系統層級指令權威的技術。

prompt-injectionsandbox-escaperceagents

透過注入的沙箱逃逸

使用提示詞注入作為逃逸應用沙箱並達成未授權程式碼執行或系統存取的向量。

prompt-injectionsemantic-camouflageparaphrasingevasion

語意偽裝攻擊

使用語意相似度與改寫技術將對抗指令偽裝為無害內容，同時保留攻擊效果。

prompt-injectionsuffixgcgadversarial

後綴操控攻擊

於使用者輸入後附加最佳化的對抗性後綴，利用模型延續傾向產出攻擊者期望的輸出。

prompt-injectionsystem-promptextractionreconnaissance

系統提示詞竊取技術

從生產大型語言模型應用程式萃取隱藏系統提示詞的完整技術，從簡單直接請求到精密的間接方法。

prompt-injectiontemporaltime-basedseasonal

時序注入攻擊

利用模型中時間依賴的行為，包含季節性安全變化與更新視窗利用。

prompt-injectiontime-basedcachingsession

基於時間的注入攻擊

利用模型互動時序面向的攻擊，包含對話歷史管理、快取行為與工作階段處理。

prompt-injectiontoken-leveladversarialgcg

符元層級對抗攻擊

使用基於梯度的最佳化與符元操控，發掘能可靠觸發不安全模型行為的對抗性後綴。

prompt-injectionunicodehomoglyphinvisible-charsevasion

Unicode 與同形字注入

利用 Unicode 正規化不一致、同形字替換與隱形字元，建構匿蹤的注入載荷。

prompt-injectionuniversal-triggeradversarialgcgtransfer

通用對抗性觸發

發掘並部署能跨多個大型語言模型家族可靠覆寫安全對齊的通用對抗性觸發序列，包含基於梯度的搜尋、轉移攻擊與防禦規避。

專家

通用越獄技術

跨多個模型與供應商轉移的越獄技術分析。

prompt-injectionuniversaljailbreaktransfer

prompt-injectionuniversal-suffixgcgtransfer

通用後綴攻擊

跨模型與提示詞轉移的通用對抗性後綴的研究與實務。

專家

攻擊載荷參考

AI 紅隊演練常見攻擊載荷的分類參考,包含提示詞注入、越獄、資料萃取與對抗輸入,附有效性備註。

payloadsattack-referenceprompt-injectionjailbreaksdata-extractionadversarial

cheat-sheetprompt-injectiontechniquespayloadsquick-reference

提示詞注入備忘錄

按類別組織的提示詞注入技術快速參考，每種技術附有範例載荷與防禦考量。

referencespayloadslibraryprompt-injection

提示詞注入載荷庫

策展的提示詞注入載荷庫,依技術與目標防禦組織。

prompt-injectioncheat-sheetquick-referenceexamples

提示詞注入快速參考

具體範例的提示詞注入攻擊模式、混淆技術、防禦繞過與測量指標快速參考。

system-promptextractionprompt-injectionautomationdetectiontradecraft

系統提示擷取技術

針對 LLM 應用之系統提示擷取方法的目錄：直接攻擊、間接技術、多輪策略與規避偵測。

專家

音訊提示詞注入

透過音訊輸入向語音轉文字和多模態模型注入對抗性指令，利用音訊通道作為替代注入向量。

multimodalaudioprompt-injectionspeechred-teaming

prompt-injectionmarkdowncode-injectionxssred-teamingintermediate

透過 Markdown 進行代碼注入

透過 LLM 輸出中的 Markdown 渲染注入可執行載荷，利用網頁型 LLM 介面中文字生成與內容渲染之間的差距。

prompt-injectionattack-chainingcompound-attacksred-teamingadvanced

複合攻擊鏈詳解

將多種提示詞注入技術組合成複合攻擊以擊敗分層防禦，構建利用每種技術各自優勢的攻擊鏈。

prompt-injectioncontext-windowtoken-manipulationred-teamingintermediate

上下文視窗填充攻擊

填充 LLM 上下文視窗以將系統指令推出活躍記憶體的技術，透過操控符元預算來稀釋或取代防禦性提示詞。

multimodalcross-modalprompt-injectionfusionred-teaming

Cross-Modal Confusion

Confusing multimodal AI models by sending conflicting or complementary signals across different input modalities to bypass safety mechanisms and exploit fusion weaknesses.

prompt-injectiondelimiter-escapesandbox-escapered-teamingintermediate

分隔符逃逸攻擊

利用 LLM 應用程式中用於分隔系統和使用者內容的分隔符的技術，突破沙盒輸入區域以注入指令。

prompt-injectiondirect-injectionred-teamingbeginnerpayload-crafting

直接注入基礎

直接向 LLM 提示詞注入指令的核心概念，包括覆寫技術、簡單載荷製作，以及理解模型如何解析衝突指令。

prompt-injectionencodingbase64rot13unicodeevasionred-teamingintermediate

Encoding-Based Evasion

Using base64, ROT13, hexadecimal, Unicode, and other encoding schemes to evade input detection systems and bypass content filters in LLM applications.

prompt-injectionfew-shotin-context-learningred-teamingintermediate

Few-Shot Injection

Using crafted few-shot examples within user input to steer LLM behavior toward unintended outputs, exploiting in-context learning to override safety training.

multimodalprompt-injectionvisionimagesred-teaming

Image-Based 提示詞注入 (攻擊導覽)

Embedding text instructions in images that vision models read, enabling prompt injection through the visual modality to bypass text-only input filters and safety mechanisms.

prompt-injectioninstruction-hierarchyprivilege-escalationred-teamingadvanced

Instruction Hierarchy Bypass

進階 techniques to bypass instruction priority and hierarchy enforcement in language models, exploiting conflicts between system, user, and assistant-level directives.

multimodalchainingprompt-injectionimagesmulti-turn

Multi-Image Chaining

Chaining prompt injection payloads across multiple images in a conversation to deliver complex attacks that evade per-image content filters and build injection context progressively.

prompt-injectionmulti-turnescalationsocial-engineeringred-teamingadvanced

Multi-Turn Progressive Injection

Gradually escalating prompt injection across conversation turns to build compliance, using psychological techniques like foot-in-the-door and norm erosion.

multimodalocrprompt-injectiontext-extractionred-teaming

OCR-Based 攻擊s

利用ing Optical Character Recognition processing pipelines to inject adversarial text into AI systems, targeting the gap between what OCR extracts and what humans see.

prompt-injectionobfuscationevasionpayload-craftingred-teamingintermediate

Payload Obfuscation Techniques

Methods for disguising prompt injection payloads through encoding, splitting, substitution, and other obfuscation techniques to bypass input filters and detection systems.

multimodalpdfprompt-injectiondocumentsred-teaming

PDF Document Injection

Injecting adversarial prompts through PDF documents processed by AI systems, exploiting document parsing pipelines to deliver payloads through text layers, metadata, and embedded objects.

prompt-injectionprompt-leakingsystem-promptextractionred-teamingbeginner

Prompt Leaking Step by Step

Systematic approaches to extract system prompts from LLM applications, covering direct elicitation, indirect inference, differential analysis, and output-based reconstruction.

multimodalqr-codeprompt-injectionvisionencoding

QR Code Injection

Using QR codes as prompt injection vectors against vision-language models, encoding adversarial instructions in machine-readable formats that models decode and follow.

prompt-injectionrecursivemulti-turnchain-attacksred-teamingadvanced

Recursive Injection Chains

Creating self-reinforcing injection chains that amplify across conversation turns, building compound prompts where each step strengthens the next injection's effectiveness.

prompt-injectionrole-playjailbreakfictional-framingred-teamingintermediate

Role-Play Injection

Using fictional scenarios, character role-play, and narrative framing to bypass LLM safety filters by having the model operate within a permissive fictional context.

multimodalsteganographyprompt-injectionimagescovert

隱寫術載荷投遞

使用隱寫術將提示詞注入載荷藏於影像中,透過人類觀察者不可見的像素級修改投遞對抗性指令。

jailbreakingsystem-promptprompt-injectionauthority-overridered-teaming

System Prompt Override

Techniques to override, replace, or neutralize LLM system prompts through user-level injection, analyzing how system prompt authority can be undermined.

prompt-injectiontranslationmultilinguallow-resource-languagesred-teamingintermediate

Translation Injection

Using translation requests and low-resource languages to bypass content filters, exploiting the uneven distribution of safety training across languages.

multimodaltypographyprompt-injectionvisionevasion

Typography Injection in Images

Using rendered text with specific fonts, styles, and typographic techniques in images to inject prompts into vision-language models while evading detection.

multimodalvideoprompt-injectionframesred-teaming

Video Frame Injection (攻擊導覽)

Embedding prompt injection payloads in specific video frames to attack multimodal models that process video content, exploiting temporal and visual channels simultaneously.

prompt-injectionpersonajailbreakDANcharacter-creationred-teamingintermediate

Virtual Persona Creation

Creating persistent alternate personas within LLM conversations to bypass safety training, establishing character identities that override the model's default behavioral constraints.

input-sanitizationprompt-injectiondefensellm-securityinput-validationwalkthrough

Building a Production Input Sanitizer

Step-by-step walkthrough for building a production-grade input sanitizer that cleans, normalizes, and validates user prompts before they reach an LLM, covering encoding normalization, injection pattern stripping, length enforcement, and integration testing.

canary-tokensprompt-injectiondetectionmonitoringdefensewalkthrough

Canary Token Deployment

Step-by-step walkthrough for deploying canary tokens in LLM system prompts and context to detect prompt injection and data exfiltration attempts, covering token generation, placement strategies, monitoring, and alerting.

instruction-hierarchyprompt-injectionprivilege-separationdefenseadvancedwalkthrough

Instruction Hierarchy Enforcement (防禦導覽)

Step-by-step walkthrough for enforcing instruction priority in LLM applications, ensuring system-level instructions always take precedence over user inputs through privilege separation, instruction tagging, and validation layers.

classifiermachine-learningprompt-injectiondetectiontrainingdefensewalkthrough

Prompt Classifier 訓練

Step-by-step walkthrough for training a machine learning classifier to detect malicious prompts, covering dataset curation, feature engineering, model selection, training pipeline, evaluation, and deployment as a real-time detection service.

prompt-injectionmachine-learningdetectionclassifierdefensewalkthrough

ML-Based 提示詞注入 Detection Systems

導覽 for building and deploying ML-based prompt injection detection systems, covering training data collection, feature engineering, model architecture selection, threshold tuning, production deployment, and continuous improvement.

regexprompt-injectionpattern-matchinginput-filteringdefensewalkthrough

Regex-Based Prompt Filter

Step-by-step walkthrough for building a regex-based prompt filter that detects common injection payloads using pattern matching, covering pattern library construction, performance optimization, false positive management, and continuous updates.

embeddingssemantic-similarityprompt-injectionvector-databasedefensewalkthrough

Semantic Similarity Detection

Step-by-step walkthrough for using text embeddings to detect semantically similar prompt injection attempts, covering embedding model selection, vector database setup, similarity threshold tuning, and production deployment.

chatbotengagementprompt-injectionsystem-promptcontent-filterwalkthrough

Chatbot 紅隊 Engagement

Step-by-step walkthrough for a complete chatbot red team assessment: scoping, system prompt extraction, content filter bypass, PII leakage testing, multi-turn manipulation, and professional reporting.

langchainchainsagentstoolsragmemoryprompt-injectionwalkthrough

LangChain Application 安全 Testing

End-to-end walkthrough for security testing LangChain applications: chain enumeration, prompt injection through chains, tool and agent exploitation, retrieval augmented generation attacks, and memory manipulation.

rebuffprompt-injectiondetectiondefense-testingevasionwalkthrough

Testing 提示詞注入防禦s with Rebuff

導覽 for using Rebuff to test and evaluate prompt injection detection capabilities, covering installation, detection pipeline analysis, adversarial evasion testing, custom rule development, and benchmarking detection accuracy.