deadbits
commented
8 months ago The user should really never be inputting ReAct style prompting as it should be handled by the app they are interacting with <--> LLM, so any usage is suspicious.
I pulled the sample ReAct prompts from:
- blog above
- Sample Langchain react runs viewed in langsmith
adam:yara/ (main✗) $ yara -s react2.yar react-test.txt [18:41:56]
ContainsReAct react-test.txt
0x3d9:$thought00: Thought:```{ "action": "Order List", "action_input": "{orderId}" }```
0x11:$thought01: Thought: The user is asking for the product of 500 and 421. I can use the Calculator tool to find the answer.
0xd8:$thought01: Thought: The user is asking for the product of 500 and 421. I can use the Calculator tool to find the answer.
0x193:$observation: Observation: Answer: 210500
0x20b:$observation: Observation: Answer: 210500
0x2b0:$observation: Observation: November 30, 2023
Attackers could formulate prompt injection payloads in the style of ReAct prompts, if they know they are interacting with an LLM operating in a ReAct loop.
The blog A Case Study in Prompt Injection for ReAct LLM Agents does a great job explaining this in-depth.
I'm thinking a YARA signature on LLM prompt/input would catch this in various forms.
In this first example from their blog, they have the initial text prompt of "Refund the Great Gatsby" followed by an injected though and observation. This should trick the LLM into skipping it's own Get Current Date action and instead use the Nov 30th date as the value returned from that tool. The json "thoughts" below should be encapsulated in backticks, but that'll break the code block in this ticket.
or you could inject only a ReAct thought in an attempt to get the LLM to use a tool with certain paramters.