Output Injection (Markdown / HTML)
LLM emits malicious markdown (data: URLs, image probes, JS) that fires when its output is rendered in a downstream UI (chat, ticket, email).
§ Where this technique fits
AI-OUTPUT-INJECT is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 4.3 on average.
§ Dossiers chaining this technique
- step 2 / 5
Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
- step 5 / 5
Direct prompt injection → exfil another user's data
Multi-tenant LLM assistant. Attacker's prompt overrides instructions and tricks the model into emitting another user's session content / RAG-cached data.
- step 6 / 6
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
§ What commonly comes next
- 01 User Execution · seen 1× · T1204 · Execution