Delimiters are shown quite often as possible mitigations, but they do not work. I had the same observation when doing the Prompt Engineering class from OpenAI/DeepLearningAI.
Basically every example was vulnerable, and I made it a special challenge to perform an indirect prompt injection for each one of them. This led to interesting exploits such as JSON object injections, HTML injection and even XSS. Overwriting order prices with the OrderBot was also quite fun. :)
Basically every example was vulnerable, and I made it a special challenge to perform an indirect prompt injection for each one of them. This led to interesting exploits such as JSON object injections, HTML injection and even XSS. Overwriting order prices with the OrderBot was also quite fun. :)
Here is a post and Notebook I used to learn/repro and experiment with these issues (incl. JSON Object injection and XSS): https://embracethered.com/blog/posts/2023/adversarial-prompt...
Also, an older post about data exfil for bots (with a Discord bot as an example): https://embracethered.com/blog/posts/2023/ai-injections-thre...