AI Prompt Injection Tester
Paste any prompt or user message and get a deterministic risk score with a per-finding breakdown of prompt-injection and jailbreak patterns — override, exfiltration, persona hijack, encoded payloads, and more. Anchored to OWASP LLM01. Runs 100% in your browser; no text ever leaves the page.
How it works
The tester is a deterministic rule engine: the same text with the same settings always produces the same score. It never calls a model or a server, so it is fast, private, and reproducible. The method has five steps, and every rule category maps to a technique documented in OWASP LLM01:2025 Prompt Injection.
- Normalise. A working copy is matched case-insensitively. Zero-width and bidirectional control characters, and non-Latin look-alike (homoglyph) letters, are flagged as obfuscation because they are used to smuggle keywords past naive filters.
- Match categories. Each of seven categories holds regex/substring patterns and a base weight. A category contributes its weight once, however many of its patterns match.
- Decode & re-scan. Detected base64, URL-encoded, and hex/unicode-escaped blobs are decoded and the decoded text is run back through the categories, so an override hidden inside base64 is still caught.
- Score.
raw = Σ matched category weights, thenscore = min(100, round(raw × sensitivity))where the multiplier is 1.25 (strict), 1.0 (balanced), or 0.8 (lenient). - Band. Low = 0–29, Medium = 30–69, High = 70–100.
The seven categories and their base weights:
- Instruction override (+40) — Directly tries to cancel the system/developer instructions and replace them with attacker-supplied ones — the core prompt-injection technique in OWASP LLM01.
- System-prompt exfiltration (+30) — Attempts to make the model disclose its hidden system prompt or rules — leaked instructions let an attacker craft reliable bypasses.
- Role / persona manipulation (+25) — Coerces the model into an unrestricted alter-ego (DAN, “developer mode”, jailbroken persona) to escape its guardrails.
- Refusal suppression (+20) — Pre-empts the model's ability to decline (“never say you can't”, “no restrictions”) so it can't fall back on a safe refusal.
- Encoded / obfuscated payload (+20) — Hides an instruction inside base64 / hex / URL-encoding, or uses zero-width and look-alike (homoglyph) characters, to slip past naive keyword filters.
- Delimiter / format smuggling (+15) — Fakes conversation boundaries (</system>, [INST], ### System, HTML comments) to trick the model into treating attacker text as a trusted turn.
- Tool / function abuse (+15) — Tries to drive a connected tool, function, or shell toward a destructive or data-exfiltrating action — the “excessive agency” failure mode of injection.
One caveat, stated plainly: the numeric weights are an editorial heuristic, not an official OWASP score. This is a screening aid to catch obvious patterns quickly — a Low result means “no known pattern matched”, never a guarantee of safety. Static detection always has false negatives, so treat all model input as untrusted and validate output before acting on it.
Worked examples
Frequently asked questions
Sources & references
- OWASP Top 10 for LLM Applications — LLM01:2025 Prompt Injection
- OWASP GenAI Security Project — LLM Top 10
- NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1)
The ruleset and mitigations were last cross-checked against OWASP LLM01:2025 on 2026-07-02. The numeric weights are an editorial heuristic; the categories and guidance are OWASP-anchored. Reviewed whenever the OWASP LLM Top 10 is updated.
Related tools
Comments & feedback
Spotted a bug or want an improvement? Tell us — our team reviews every comment, and good ideas get built. Comments are public and anonymous.
Found a false positive, a missed pattern, or want a new rule category?
Email me at [email protected] — most fixes ship within 24 hours.