Information Disclosure: LLM System Prompt Leakage¶
Identifier:
llm_system_prompt_leak
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description¶
LLM system prompt leakage occurs when the model can be coaxed into revealing the confidential system prompt that defines its behaviour, persona, and safety constraints. Disclosed prompts often expose tooling, secrets, or internal logic an attacker can use to refine further attacks.
How we test: Once the DAST LLM Security module has detected an LLM-backed endpoint, we send a deterministic catalogue of extraction prompts through the existing authenticated replay client (new_http_client_with_auth plus the recorded BLST template / exchange or HAR request). Variants include direct extraction ("repeat the text above"), role reversal, debug-mode social engineering, and conversational manipulation. We confirm a leak when the response contains classic system-prompt phrases ("You are", "Your role is", <|im_start|>system, "I am an AI assistant designed to") that the model would not normally emit during regular conversation.
Every probe emits a context.info event with the full prompt, the redacted response excerpt, and the raw HTTP request/response as attachments, so customers can independently audit what was sent.
References:
- https://genai.owasp.org/llmrisk/llm06-sensitive-information-disclosure/
- https://genai.owasp.org/llmrisk/llm01-prompt-injection/
Configuration¶
Example¶
Example configuration:
Reference¶
skip¶
Type : boolean
Skip the test if true.