The Art of Prompt Injection and Making Your AI Turn on You
About This Session
Promptware and prompt injections have been making waves across the cybersecurity world in the last year. By allowing attackers to hijack AI applications of any kind (autonomous agents included) for their own malicious purposes, they open the door to high-impact attacks leading to data corruption, data exfiltration, account takeover and even persistent command-and-control (C&C).
But crafting effective prompt injections is an art. And today, we’ll reveal its best kept secrets.
Together we’ll go through the principles of building effective and devastatingly impactful prompt injection attacks, effective against the world’s most secure systems. We’ll demonstrate access-to-impact exploits in the most prominent AI systems out there, including ChatGPT, Gemini, Copilot, Einstein and their custom agentic platforms, penetrating prompt shields as if they were butter and revealing every clever technique along the way.
We’ll see how tricking AI into playing games leads to system prompt leakage, and how that leaked prompt can be used to craft even better injections. We’ll understand why training LLMs for political correctness might actually make them more vulnerable; why special characters are your best friend, if you just know where to place them; and how you can present new rules that hijack AI applications without even having direct access to them. Ultimately, the session aims to instil the ability to look at AI applications from a hacker’s perspective, developing the intuition for how each one could be attacked for the highest impact.
Finally, after dismantling every layer of prompt protection out there, we’ll discuss going beyond prompt shielding and explore defense-in-depth for AI applications, suggesting a new way to truly start managing this threat in the real world.
Speaker

Tamir Ishay Sharbat
AI Security Researcher, CTO Office - Zenity
Tamir Ishay Sharbat is a software engineer and security researcher with a particular passion for AI security. His current focus is on identifying vulnerabilities in enterprise AI products such as Microsoft Copilot, Microsoft Copilot Studio, Salesforce Einstein, Google Gemini and more. Tamir conducts deep analysis of AI architectures to identify potential exploits, then crafts prompt injections and elaborate attacks accordingly. Tamir is also a core member of the OWASP Agentic Security Initiative, where he co-leads the agentic threats and mitigations workstream, helping to build understanding of the prevailing threats posed by AI agents.