Prompt injection explained for security professionals
Charles Givre's Dev.to article breaks down prompt injection — ranked OWASP LLM01 — covering direct attacks, indirect RAG poisoning, agentic threat escalation, and practical mitigations including least-privilege tool access and tools like Garak and Promptfoo.
Score breakdown
Security teams building or auditing LLM-powered tools should apply least-privilege to every agent tool grant and run red-team testing against deployed applications using tools like Garak or Promptfoo — not just evaluate the underlying model.
- 01Prompt injection is ranked LLM01 — the top vulnerability — on the OWASP LLM Top 10.
- 02Direct injection exploits user-controlled input fields; indirect injection embeds malicious instructions in content retrieved by RAG pipelines.
- 03Indirect injection is described as more operationally dangerous because the attacker never interacts with the application directly.
Charles Givre's article frames prompt injection as the most critical vulnerability class for organizations deploying LLM-powered tools today, holding the top spot (LLM01) on the OWASP LLM Top 10. The attack works by placing attacker-controlled text into the same context window the model uses for trusted instructions — the model processes both as instructions and cannot reliably tell them apart. Direct injection happens in user-controlled input fields and includes techniques like role-switch attacks, goal hijacking, and multi-turn attacks that progressively shift model behavior across a conversation. Indirect injection is described as more dangerous operationally: the attacker never touches the application directly but instead embeds instructions in content the LLM retrieves — a poisoned web page, SharePoint document, or database record in a RAG pipeline. The HouYi framework is specifically designed to test these RAG poisoning scenarios.
Frameworks like LangChain and AutoGen grant LLMs the ability to call APIs, execute code, send emails, and read or write files.
The threat escalates significantly in agentic deployments. Frameworks like LangChain and AutoGen grant LLMs the ability to call APIs, execute code, send emails, and read or write files. An agent that retrieves a maliciously crafted document and also holds email-send capability can complete an exfiltration attack with zero user interaction. The article maps this to MITRE ATT&CK T1059 and MITRE ATLAS AML.T0054. The core mitigation principle is least-privilege: every tool capability granted to an agent expands the attack surface, and capabilities that cannot be justified should be removed.
For systematic testing, the article highlights three tools: Garak (NVIDIA's LLM vulnerability scanner), Promptfoo (an open-source red-teaming framework that integrates into CI/CD pipelines), and PromptBench (Microsoft Research's adversarial robustness evaluation framework). A key practical point is that testing must target the deployed application — including its system prompt, retrieval pipeline, and output filtering — rather than the underlying base model, since those layers fundamentally change the real attack surface. No current defense eliminates prompt injection entirely; the goal is reducing exposure and raising the cost of a successful attack.
Key facts
- 01Prompt injection is ranked LLM01 — the top vulnerability — on the OWASP LLM Top 10.
- 02Direct injection exploits user-controlled input fields; indirect injection embeds malicious instructions in content retrieved by RAG pipelines.
- 03Indirect injection is described as more operationally dangerous because the attacker never interacts with the application directly.