◆ What is Prompt Injection?
Prompt injection is an attack where a user crafts input that overrides or manipulates an AI system's instructions. Think of it like SQL injection, but for language models.
Why it matters: AI chatbots are increasingly deployed in customer support, internal tools, and autonomous agents. If an attacker can override the system prompt, they can:
- Extract the system prompt and hidden instructions
- Make the AI ignore safety guidelines
- Exfiltrate data to external servers
- Manipulate the AI into performing unintended actions
Real-world impact: Prompt injection has been used to extract confidential instructions from production chatbots, bypass content filters, and manipulate AI agents into executing arbitrary code. It's currently listed in the OWASP Top 10 for LLM Applications as the #1 vulnerability.
◆ How to Find the Endpoint
Before you can test a chatbot, you need to find the API endpoint it talks to. Here's how:
1. Open the target website in Chrome (or any browser with DevTools).
2. Open DevTools: press F12 or Ctrl+Shift+I (Mac: Cmd+Option+I). Click the Network tab.
3. Type a message in the chatbot and send it. Watch the Network tab -- you'll see requests appear.
4. Look for the POST request that fires. Common paths include:
   POST /api/chat
   POST /v1/chat/completions
   POST /api/messages
   POST /completions
   POST /generate
5. Right-click the request → Copy → Copy as cURL.
6. Paste into Judgement's "Import cURL" field. The tool will auto-detect the URL, headers, and payload format.
Example: What the cURL looks like
curl 'https://api.example.com/v1/chat/completions' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer sk-...' \
  --data-raw '{
    "messages": [
      {"role": "system", "content": "You are a helpful assistant."},
      {"role": "user", "content": "hello"}
    ],
    "model": "gpt-4"
  }'
Judgement will replace the user content with attack payloads automatically.
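As an added illustration of what the "Import cURL" step has to do (example code written for this page, not Judgement's own implementation), the Python below splits a copied cURL command into URL, method, headers and decoded JSON body, then shows how the last user turn is swapped out while the system prompt stays intact. It assumes the shape Chrome's "Copy as cURL" produces (`-H`, `--data-raw`, bare `--compressed`) and a chat-completions style `messages` array; the sample command is constructed.

```python
import json
import shlex

# Constructed sample, shaped like Chrome's "Copy as cURL" output for a chat endpoint.
SAMPLE_CURL = r"""curl 'https://api.example.com/v1/chat/completions' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer sk-...' \
  --data-raw '{
    "messages": [
      {"role": "system", "content": "You are a helpful assistant."},
      {"role": "user", "content": "hello"}
    ],
    "model": "gpt-4"
  }' \
  --compressed"""

def parse_curl(cmd: str) -> dict:
    """Split a copied cURL command into url, method, headers and decoded JSON body."""
    tokens = shlex.split(cmd.replace("\\\n", " "))  # join shell line continuations first
    req = {"url": None, "method": "GET", "headers": {}, "body": None}
    i = 1  # tokens[0] is the 'curl' word itself
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--header"):
            name, _, value = tokens[i + 1].partition(":")
            req["headers"][name.strip()] = value.strip()
            i += 2
        elif tok in ("--data-raw", "--data", "--data-binary", "-d"):
            req["body"] = json.loads(tokens[i + 1])
            req["method"] = "POST"  # curl switches to POST once a body is supplied
            i += 2
        elif tok in ("-X", "--request"):
            req["method"] = tokens[i + 1].upper()
            i += 2
        elif tok.startswith("-"):
            i += 1  # bare flags such as --compressed take no argument (assumed here)
        else:
            req["url"] = tok
            i += 1
    return req

def with_user_content(body: dict, text: str) -> dict:
    """Return a copy of the body whose last 'user' turn carries `text`; the input is untouched."""
    new = json.loads(json.dumps(body))  # deep copy so nested message dicts are not shared
    for msg in reversed(new.get("messages", [])):
        if msg.get("role") == "user":
            msg["content"] = text
            break
    return new
```

Endpoints that nest the conversation differently (a single `prompt` string, a `input` field) need their own locator in place of the `messages` walk; the header and URL extraction is unchanged.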
◆ Understanding Results
After an attack run, each pattern gets classified into one of three verdicts:
● Blocked
The AI refused, deflected, or gave a safety response. The defense held. Example: "I'm sorry, I can't help with that."
● Bypass
The AI complied with the attack. It leaked data, followed injected instructions, or changed behavior. This is what you're looking for.
● Partial
The AI showed signs of influence or complied in part, but did not fully follow the injected instruction. Worth investigating further.
What to do when you find a bypass
- Click the result row to expand the full response
- Save the attack pattern and response as evidence
- Download the report (↓ Report button) for a formatted markdown summary
- Try variations of the successful pattern to understand the scope
Writing a good bug report
If you're reporting a prompt injection vulnerability, include:
- Target: What system / chatbot / API was tested
- Payload: The exact attack text that bypassed defenses
- Response: What the AI returned (screenshot or full text)
- Impact: What an attacker could achieve (data leak, safety bypass, etc.)
- Reproducibility: Can it be triggered consistently?
⚠ For authorized security testing and educational purposes only. Only test systems you own or have explicit written permission to test.
Unauthorized access is illegal under the CFAA and equivalent laws. The authors assume no liability for misuse.
Judgement OSS — Fallen Angel Systems