# Prompt Injection Testing Checklist

## Step-by-Step Guide for Testing LLM Prompt Injection

### Pre-Engagement

- [ ] Define scope and boundaries
- [ ] Identify target LLM endpoints
- [ ] Document allowed vs prohibited testing activities
- [ ] Set up monitoring and logging
- [ ] Prepare test environment

### Direct Prompt Injection

- [ ] Test basic prompt override ("Ignore previous instructions...")
- [ ] Test role-playing attacks (DAN, Developer Mode)
- [ ] Test delimiter manipulation
- [ ] Test encoding attacks (base64, URL encoding, Unicode)
- [ ] Test context window overflow
- [ ] Test multi-turn conversation exploitation
- [ ] Test system prompt leakage

### Indirect Prompt Injection

- [ ] Test malicious document ingestion (PDF, DOCX)
- [ ] Test poisoned web content (RAG scenarios)
- [ ] Test email-based injection
- [ ] Test third-party data source manipulation
- [ ] Test plugin/tool parameter injection
- [ ] Test image-based prompt injection (multimodal)

### Jailbreak Techniques

- [ ] Test persona-based jailbreaks
- [ ] Test fictional scenario attacks
- [ ] Test emotional manipulation
- [ ] Test authority-based attacks
- [ ] Test logic puzzle approaches
- [ ] Test code execution requests
- [ ] Test translation-based attacks

### Impact Assessment

- [ ] Document successful injection vectors
- [ ] Assess data exfiltration potential
- [ ] Evaluate privilege escalation possibilities
- [ ] Test for system prompt extraction
- [ ] Check for PII disclosure
- [ ] Assess harmful content generation
- [ ] Evaluate agentic action manipulation

### Remediation Testing

- [ ] Verify input validation effectiveness
- [ ] Test output filtering bypasses
- [ ] Verify rate limiting enforcement
- [ ] Test sandbox isolation
- [ ] Verify audit log completeness
- [ ] Test alert mechanisms

### Severity Ratings

| Severity | Criteria |
|----------|----------|
| **Critical** | System prompt extraction, PII disclosure, unauthorized actions |
| **High** | Partial instruction override, harmful content generation |
| **Medium** | Information leakage, minor bypasses |
| **Low** | Cosmetic changes, non-exploitable anomalies |

---
*Generated by AI Hacking - ai-hacking.cyberchaos.nl*

*Last updated: April 2026*
