Prompt Injection
Description
Prompt Injection is a threat where an attacker manipulates the inputs to alter the behavior of a GenAI system, often via user prompts, forms, or attached data. By disguising malicious inputs, an adversary can bypass guardrails and induce the AI to perform unauthorized actions, or execute arbitrary code.
Note
In Gurple, distinction is made between Prompt Injection and Jailbreaking.
The next section is dedicated to Jailbreaking, which is a subset of Prompt Injection. In this case, the goal is to abuse the model’s safety guardrails stack (e.g., RLHF, fine-tuning, AI Judges) to generate restricted content or behaviors.
To create a clear separation, the present section, named Prompt Injection, is restricted to attacks that bypass the security layers of the GenAI system (e.g. authentication, authorization, input / output validation).
One must also recognize that threats are not found in isolation in the wild, and that most real-world threats are chained attacks, where a hacker uses multiple techniques to achieve their goal. For example, a hacker may utilize a sequence of prompts that manipulate context to bypass the model’s safety guardrails stack while also concealing inputs that will trigger code execution. In such cases, the line between Prompt Injection and Jailbreaking becomes blurred.
Map
| Framework | ID | Title |
|---|---|---|
| Gurple | G-1.1 | Prompt Injection |
| MITRE ATLAS | AML.TA0005 | Execution |
| MITRE ATLAS | AML.T0051 | LLM Prompt Injection |
| MITRE ATT&CK | TA0002 | Execution |
| MITRE CWE | CWE-77 | Improper Neutralization of Special Elements used in a Command (“Command Injection”) |
| MITRE CWE | CWE-94 | Improper Control of Generation of Code (“Code Injection”) |
| MITRE CWE | CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code |
| MITRE CWE | CWE-116 | Improper Encoding or Escaping of Output |
| MITRE CWE | CWE-1426 | Improper Validation of Generative AI Output |
| MITRE CWE | CWE-1427 | Improper Neutralization of Input Used for LLM Prompting |
| NIST AI 100-2 E2023 | 3.3 | Direct Prompt Injection Attacks and Mitigations |
| NIST AI 100-2 E2025 | NISTAML.018:2025 | Prompt Injection |
| OWASP Top 10 | A03:2021 | Injection |
| OWASP Top 10 for LLM Applications | LLM01:2025 | Prompt Injection |
| OWASP Top 10 for LLM Applications | LLM05:2025 | Improper Output Handling[1] |
| OWASP Top 10 for Agentic Applications | ASI01:2026 | Agent Goal Hijack |
[1] Improper Output Handling is a Vulnerability that is central to the vast majority of Prompt Injection Threats, although listed separately in the OWASP Top 10 for LLM Applications. The reason is that OWASP Top 10 framework does not make a distinction between Threats and Vulnerabilities based on SCF C|P-RMM, as Gurple does.