Red-Team Your Prompt Workflow: 7 Attacks Worth Simulating
A small, running list of adversary techniques that specifically target the seam between your employees and the LLM. Use it as a red-team runbook.
1. Paste-jacking
Attacker publishes a webpage. Employee copies a snippet. The clipboard actually contains a longer payload with hidden instructions. Employee pastes into ChatGPT. Model follows the hidden instructions. Countermeasure: scrub zero-width and RTL-override characters on paste; visually diff long pastes.
2. Invisible-character injection
Bidirectional overrides (U+202A–U+202E) and zero-width joiners can hide instructions inside otherwise innocent text. PromptShielder strips these on paste; you should verify your tools do too.
3. Response exfiltration via markdown image
A prompt-injected model returns ``. When the browser renders the markdown, it makes a GET request that ships the exfil payload. Countermeasure: sanitise or render markdown in a sandboxed context.
4. Extension abuse
A benign-looking browser extension with page-content permission reads every prompt and every response. Countermeasure: extension inventory, page-content permission audit, redaction-before-send so the extension only sees tokens.
5. Screenshot leakage
OS-level screenshot tools sync to a personal cloud. Compliance surface expands without anyone noticing. Countermeasure: policy + endpoint DLP + a habit of redacting before screenshotting.
6. Clipboard scraping
Malware reads the clipboard every 500 ms. If you copy a redacted prompt and paste it into ChatGPT, only the redacted form is exposed. If you copy the raw one, everything is. Countermeasure: only copy the redacted output; auto-clear clipboard on a timer.
7. Prompt-history mining
An attacker with account access reads the target's ChatGPT history. Countermeasure: chat history off, or redact-before-send so history contains only tokens.
Frequently asked
Are these OWASP-mapped?+
Most fall under LLM01 (Prompt Injection), LLM06 (Sensitive Information Disclosure) or LLM08 (Excessive Agency).