Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
§ Context
Assumed environment: the LLM's output is later rendered in a back-office admin tool with a markdown-to-HTML pipeline that doesn't sanitize attacker-controllable URLs or HTML.
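A defensive counterpart to the assumed environment above, as an added example that is not part of the original page: a default-deny filter run over model output before the admin panel's markdown renderer sees it. The allowlisted host and all function names are assumptions for illustration.

```javascript
// Added example (not the page's code): default-deny filter applied to LLM
// output before the admin panel's markdown renderer sees it.
// ALLOWED_HOSTS and all function names are assumptions for illustration.
const ALLOWED_HOSTS = new Set(["docs.example.com"]); // constructed allowlist

// Returns the parser-normalized href for an https URL on an allowed host, else null.
function allowedHref(raw) {
  try {
    const url = new URL(raw); // relative and malformed URLs throw
    const ok = url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
    return ok ? url.href : null;
  } catch {
    return null;
  }
}

function neutralizeModelOutput(text) {
  // 1. Remove NULs (used below as placeholder delimiters) and escape raw HTML,
  //    so inline tags and <autolinks> reach the renderer as inert text.
  let out = text.replace(/\u0000/g, "")
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

  // 2. Stash plain links (never images, never escaped brackets) that pass the allowlist.
  const kept = [];
  out = out.replace(/(?<![!\\])\[([^\[\]\\]*)\]\(([^()\s\\]+)\)/g, (m, label, raw) => {
    const href = allowedHref(raw);
    if (!href) return m; // left in place; step 3 defuses it
    kept.push(`[${label}](${href})`);
    return `\u0000${kept.length - 1}\u0000`;
  });

  // 3. Default deny: break every remaining "](", "][" and "]:" so no other
  //    inline link, image or reference definition survives parsing.
  out = out.replace(/\](?=[(\[:])/g, "] ");

  // 4. Restore the vetted links.
  return out.replace(/\u0000(\d+)\u0000/g, (m, i) => kept[Number(i)]);
}
```

Renderer dialects differ (for example, GFM autolinks bare URLs), so this filter complements an HTML sanitizer on the rendered output and a restrictive Content-Security-Policy on the admin panel; it does not replace them.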
§ Steps
- 01 Open support chat as customer | Initial Access | T1078: Valid Accounts
- 02 Admin opens conversation | Execution | T1204: User Execution
- 03 Leak admin session cookie via referrer | Credential Access | T1539: Steal Web Session Cookie
- 04 Markdown rendered → request fires | Impact | W-XSS-STORED: Stored XSS
- 05 Inject prompt to emit  markdown | Impact | AI-OUTPUT-INJECT: Output Injection (Markdown / HTML)
§ References
- T1078 Valid Accounts
- T1204 User Execution
- T1539 Steal Web Session Cookie
§ Frequently asked
- What is the "Output injection → admin XSS in support panel" attack path?
- Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Open support chat as customer (T1078), an initial access primitive. Assumed environment: the LLM's output is later rendered in a back-office admin tool with a markdown-to-HTML pipeline that doesn't sanitize attacker-controllable URLs or HTML.
- What is the final impact of this kill-chain?
- The final step lands on Inject prompt to emit  markdown (AI-OUTPUT-INJECT), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.