LLM01:2025 — Prompt Injection

Slide 9 · The Two Types

There are two types of prompt injection. They work very differently.

OWASP defines them separately. Understanding the difference shapes both how attacks happen and how you defend against them.

📄 OWASP LLM Top 10:2025 · LLM01

🔴 Direct Injection

The attacker talks to the AI directly

They type the injection themselves

They are the user — or pretending to be

Attack surface: Any public-facing AI interface

Real example: Freysa — p0pular.eth typed the injection directly and extracted $47,000

🟠 Indirect Injection

The attacker plants the injection in content the AI will read

They never talk to the AI directly

A legitimate user unknowingly triggers it

Attack surface: Any AI that reads external content

Real example: EchoLeak CVE-2025-32711 — a crafted email triggered Copilot with zero user interaction

Why Indirect Is More Dangerous

With direct injection, the attacker has to interact with the system — leaving a trail. With indirect injection, a legitimate user unknowingly triggers the attack. The attacker may never appear in any logs. EchoLeak was rated CVSS 9.3 precisely because the victim didn't have to do anything wrong — just receive a normal-looking email.

← Back Next → Direct injection, deep dive