diff --git a/src/AI/AI-Prompts.md b/src/AI/AI-Prompts.md index 485722c9983..94dd3932def 100644 --- a/src/AI/AI-Prompts.md +++ b/src/AI/AI-Prompts.md @@ -479,6 +479,39 @@ Reproduction/operator notes +### Parameter-to-Prompt Injection via URL Parameters (P2P) + +Some AI-assisted search/chat products accept a natural-language query in a URL parameter such as `?q=` and forward it directly into the model context. If that parameter is treated as **instructions** instead of inert search text, a crafted first-party link becomes a **one-click prompt injection** that executes inside the victim's authenticated session. + +Generic exploitation flow: +1. Attacker crafts a trusted application URL like `https://target/search?q=`. +2. Victim opens it while authenticated. +3. The assistant uses the victim's own permissions/connectors to search private data. +4. The injected prompt transforms the secret and places it into an output sink such as HTML, Markdown, a redirector URL, or an image request. + +Operator notes: +- Hunt for parameters that hydrate the initial prompt, search box, conversation state, or tool arguments **before** any explicit user submission. +- Prompt verbs such as `search`, `open`, `summarize`, `replace`, `format`, `embed`, or `create ` are good indicators that the parameter is reaching the model as executable instructions. +- Treat trusted AI deep links like state-changing CSRF endpoints: if opening the URL causes the model to act, the URL itself is an injection surface. + +### Streaming Output HTML Race -> Scriptless Exfiltration + +Post-processing only the **final** model answer is not enough when tokens/chunks are streamed into the DOM. If raw partial output lands in the page even briefly, the browser may already trigger passive side effects before the final sanitizer wraps or escapes the response: + +- `` -> automatic request +- `
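Review bot: the inline examples in this hunk render empty, so the two techniques cannot be reproduced from the text as written. In the P2P flow, step 1 reads "`https://target/search?q=`" with no value after `q=`, and in the streaming section the sink list begins "- `` -> automatic request" with an empty code span, so the reader never sees what the injected parameter or the passively fetched element looks like; the stray trailing space in "`create `" in the operator notes looks like the same loss. Raw HTML tags inside a Markdown source are easy to lose at render time, so please write them as escaped or URL-encoded text (for the URL, a percent-encoded `q=` value; for the sink list, the tag name spelled out inside the code span) and re-check the rendered page. Two smaller points: step 3 says the assistant "search[es] private data" while step 4 suddenly refers to "the secret", so a clause naming what is exfiltrated (the result of that search) would tie the steps together; and both sections give operator notes but no hardening line, so consider ending each with the corresponding defense that the text already implies, namely treating `?q=`-style parameters as inert search text that is not submitted until the user acts, and sanitizing or withholding each streamed chunk before it touches the DOM rather than only the final answer.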