T1-AT-006HIGH
Prompt Template Injection
T1 · Prompt & Context Subversion →Risk score230
RatingHigh
Procedures5
Severity
Mechanism
Exploits the model's training on templating languages (Jinja2, Handlebars, JSX, shell variable expansion). }}`, `{% ... }`), the model may process the content as a template directive rather than user data — activating the "execute template logic" behavior trained on code corpora.
Detection
- Detect template syntax in user input: {{, }}, {% %}, ${...}, <template>, [SYSTEM:]
- Detect special token sequences: <|system|>, <|im_start|>, [INST], <|endoftext|>
- YARA rule: yara/t01-prompt-injection.yar
Mitigation
Input sanitization (escape or strip template syntax)HIGH
Instruction hierarchy (system tags only accepted from API-level, never user-level)HIGH
Policy Puppetry format detection (XML/INI/JSON policy structures)MEDIUM
Chaining
Direct escalation path to Policy Puppetry (T2-level attack when combined with encoding). Chains to T1-AT-016 (Session State Manipulation) — template injection that claims to modify session variables creates persistent state claims.
Framework mapping
Open in the technique browser →OWASP LLMLLM01
MITRE ATLASAML.T0051.001