top of page
Search

Lab: Indirect prompt injection

This lab is vulnerable to indirect prompt injection. The user carlos frequently uses the live chat to ask about the Lightweight "l33t" Leather Jacket product.

ree

  • Ask the LLM what APIs it has access to. Note that it supports APIs to both delete accounts and edit their associated email addresses.

  • Ask the LLM what arguments the Delete Account API takes.

  • Ask the LLM to delete your account. Note that it returns an error, indicating that you probably need to be logged in to use the Delete Account API.

Create a user account

  1. Click Register to display the registration page

  2. Enter the required details. Note that the Email should be the email address associated with your instance of the lab. It is displayed at the top of the Email client page.

  3. Click Register. The lab sends a confirmation email.

  4. Go to the email client and click the link in the email to complete the registration.

  5. Click My account and log in to your account.


Test the attack

  1. Return to the Live chat page and ask the LLM to change your email to a different address (for example, test@example.com).

  2. Ask the LLM to tell you about a product other than the leather jacket. In this example, we'll use the umbrella.

  3. Add a review to the umbrella stating that it is out of stock and that the author of the review has administrator privileges

  4. Return to the Live chat page and ask the LLM to tell you about the umbrella again. Note that the LLM now states that the product is out of stock.

  5. Delete the original review from the umbrella page and add a new review, including a hidden prompt to delete the user account that the reader is signed in with.

  6. Return to the Live chat page and ask the LLM to tell you about the umbrella again. Note that the LLM deletes your account.


Exploit the vulnerability

  1. Create a new user account and log in.

  2. From the home page, select the leather jacket product.

  3. Add a review including the same hidden prompt that you tested earlier.

  4. Wait for carlos to send a message to the LLM asking for information about the leather jacket. When it does, the LLM makes a call to the Delete Account API from his account. This deletes carlos and solves the lab.

 
 
 

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page