Prompt injection attacks deceive a large language model into completing an attacker-specified task instead of its intended task by contaminating its input data with an injected prompt, which consists of injected instruction(s) and data. Localizing the injected prompt within contaminated data is crucial for post-attack forensic analysis and data recovery. Despite its growing importance, prompt injection localization remains largely unexplored. In this work, we bridge this gap by proposing PromptLocate, the first method for localizing injected prompts. PromptLocate comprises three steps: (1) splitting the contaminated data into semantically coherent segments, (2) identifying segments contaminated by injected instructions, and (3) pinpointing segments contaminated by injected data. We show PromptLocate accurately localizes injected prompts across eight existing and eight adaptive attacks.
@article{arxiv.2510.12252,
title = {PromptLocate: Localizing Prompt Injection Attacks},
author = {Yuqi Jia and Yupei Liu and Zedian Shao and Jinyuan Jia and Neil Gong},
journal= {arXiv preprint arXiv:2510.12252},
year = {2025}
}
Comments
To appear in IEEE Symposium on Security and Privacy, 2026. For slides, see https://people.duke.edu/~zg70/code/PromptInjection.pdf