Prompt Injection Attacks: Direct vs. Indirect, and Why They're Hard to Prevent

~14 min read

Prompt injection — OWASP's #1 LLM vulnerability — tricks a model into treating attacker text as instructions. Direct injection comes straight from the user; indirect injection hides in retrieved content the model reads.

Prompt Injection Attacks: Direct vs. Indirect, and Why They're Hard to Prevent is a Pro topic

Sign in, then upgrade to Pro or Power to unlock this topic and the full AI Engineering curriculum.

Key points

  • Prompt injection is OWASP's #1-ranked LLM vulnerability (LLM01) — it exploits the LLM's lack of structural separation between instructions and data
  • Direct injection: malicious instructions typed straight into user-facing input (e.g. 'ignore previous instructions and...')
  • Indirect injection: malicious instructions hidden inside content the model reads as part of its task (a webpage, email, or retrieved document) — the user never typed it and may never see it
  • The root cause is structural, not a bug: an LLM's usefulness (flexibly following natural-language instructions) is the same capability that makes it vulnerable to instructions smuggled in from untrusted sources
  • This is why prompt injection remains an actively-researched open problem, addressed through layered mitigations rather than one single fix