XowiaScan

LLM / Prompt Injection Kit

Payloads & Wordlists

An attack-engineering toolkit for AI features — a categorised payload library, a stackable evasion / Unicode-smuggling engine, a many-shot jailbreak generator and an OWASP-mapped methodology.

What is LLM / Prompt Injection Kit?

LLM / Prompt Injection Kit is what you reach for when the app you are testing has an AI feature — the newest attack surface of all, and the one most browser tool catalogues completely ignore. It is not a static cheat-sheet: it is four working tools in one.

The Payload library covers eleven categories — direct injection, jailbreak archetypes, adversarial suffixes, system-prompt extraction, indirect / stored injection, RAG poisoning, agent tool-abuse, insecure output handling, multilingual bypasses, memory / persistence injection and model recon. Every payload carries an OWASP LLM Top-10 badge and a severity, and two slots make them ready to fire: {GOAL} for the objective and {OOB} for your canary host.

The Obfuscator defeats guardrails: stack Base64, ROT13, leetspeak, homoglyphs (Cyrillic look-alikes), zero-width injection, char-spacing, hex / unicode escapes and — the standout — Unicode Tags “ASCII smuggling”, which hides an instruction in invisible code-points that render as nothing to a human but many models still read.

The Many-shot generator builds an N-turn fabricated conversation (the published many-shot jailbreak) ending with your real goal, in Q&A, ChatML or JSON-messages format. Everything runs in your browser — no payload, goal or OOB host ever leaves the page.

What it does

  • 11-category payload library — direct injection, jailbreaks, adversarial suffixes, system-prompt extraction, indirect / stored injection, RAG poisoning, agent tool-abuse, output-handling, multilingual, memory injection and recon — each row tagged with its OWASP LLM id and severity.
  • Stackable evasion engine — toggle transforms to re-encode every payload live: Base64, ROT13, leetspeak, homoglyphs, char-spacing, zero-width, reversed, hex / `\u` escapes and URL-encoding, applied in order with the chain shown per payload.
  • Unicode Tags smuggling — encode an instruction into the invisible Unicode Tags block (U+E0000–U+E007F): it renders as nothing to humans and filters, but many models still decode and obey it.
  • Many-shot jailbreak generator — build a 4–64-turn fake conversation that primes the model to comply, output as Q&A, ChatML control-tokens or a JSON message array.
  • OOB self-instrumenting payloads — drop a XowiaTrack canary host into the OOB field and every blind exfiltration payload calls back to you.
  • Methodology + OWASP legend — recon → fingerprint → direct → evasion → indirect → escalate → prove impact → report, mapped to the OWASP LLM Top 10.
  • Exports — copy a single payload, copy / download a whole category as a wordlist, or export as JSON with technique, OWASP and severity metadata.

Where it fits in your workflow

  • Open this tool the moment you find an “Ask AI”, “Summarise this”, support-bot or agentic feature on a target.
  • When a plaintext payload gets blocked, paste it into the Obfuscator, stack a transform or two (homoglyphs and Unicode Tags are the high-hit ones) and re-send — most guardrails only match plaintext.
  • Pair with XowiaTrack — spin up an OOB canary first, drop the host into the OOB field, then every blind exfil payload self-instruments.
  • For agentic apps (the model can browse, email, run code, query data), focus on the tool-abuse and output-handling categories — that is where high-severity impact lives.
  • When direct injection fails on a hardened model, switch to the Many-shot generator — flooding the context with fake compliant turns often succeeds where a single prompt does not.

At a glance

Category: Payloads & Wordlists
Runs: In your browser
Token cost: Free — no tokens
Access: Pro
Status: Live

Frequently asked questions

Will any of this actually work on a modern model?

A single plaintext override on a hardened chatbot mostly will not — which is exactly why the kit ships an evasion engine and a many-shot generator. Re-encoding a blocked payload (homoglyphs, zero-width, Unicode Tags) or flooding the context with fake compliant turns routinely succeeds where a raw prompt fails. And the highest-severity bugs are not in the chat box at all: indirect injection through data the model reads, tool / function abuse on agents, and insecure rendering of model output.

What is “Unicode Tags” / ASCII smuggling?

There is a block of Unicode code-points (U+E0000–U+E007F) that mirrors ASCII but renders invisibly. You can hide an instruction in it after some innocent visible text; a human reviewer and most string-matching filters see only the visible part, while many LLMs still decode and act on the hidden instruction. The Obfuscator tab generates it for you.
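The defender-side counterpart of the block described above, added here as example code that is not part of the kit: a scanner that flags Tags-block and zero-width characters in content headed for a model (user input, retrieved documents, tool output), reveals what a Tags sequence spells so the alert is actionable, and strips them before the text reaches the model. The sample input is constructed; the U+E0000–U+E007F range is the one the FAQ names.

```python
import re
import unicodedata

# Unicode Tags block U+E0000-U+E007F (the range named in the FAQ above).
# U+E0020-U+E007E mirror printable ASCII 0x20-0x7E; U+E0001 and U+E007F are
# the language-tag and cancel-tag controls and carry no text.
TAGS_RE = re.compile(r"[\U000E0000-\U000E007F]")
# Format characters that also render as nothing and are a common second layer.
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff")


def find_invisible(text: str) -> dict:
    """Count invisible characters and reveal what a Tags sequence spells.

    The decoded text is for the alert / incident record, so an analyst can
    see the smuggled instruction instead of an opaque count.
    """
    tags = TAGS_RE.findall(text)
    hidden = "".join(chr(ord(t) - 0xE0000) for t in tags
                     if 0xE0020 <= ord(t) <= 0xE007E)
    zero_width = sum(1 for ch in text if ch in ZERO_WIDTH)
    return {"tag_chars": len(tags), "zero_width": zero_width, "hidden_text": hidden}


def sanitize(text: str) -> str:
    """Remove Tags-block and zero-width characters, then NFKC-normalise.

    NFKC folds compatibility forms (fullwidth letters, ligatures) but does NOT
    fold Cyrillic/Greek look-alikes: homoglyphs need a separate script check.
    """
    cleaned = TAGS_RE.sub("", text)
    cleaned = "".join(ch for ch in cleaned if ch not in ZERO_WIDTH)
    return unicodedata.normalize("NFKC", cleaned)


def should_block(text: str) -> bool:
    """Policy: any Tags character blocks; zero-width alone is logged only."""
    return find_invisible(text)["tag_chars"] > 0


# Constructed sample (not taken from any real page): a visible request,
# one zero-width space, then a Tags-block sequence that spells IGNORE.
SAMPLE = ("Please summarise this\u200b page."
          "\U000E0049\U000E0047\U000E004E\U000E004F\U000E0052\U000E0045")

if __name__ == "__main__":
    print(find_invisible(SAMPLE))   # tag_chars 6, zero_width 1, hidden_text 'IGNORE'
    print(should_block(SAMPLE))     # True
    print(repr(sanitize(SAMPLE)))   # 'Please summarise this page.'
```

Run the scanner on every untrusted text path into the model, not only the chat box: the indirect and RAG cases are where the invisible layer hides in content a reviewer never looks at.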

Does the many-shot generator produce real harmful content?

No. The fabricated “assistant complied” turns are abstract placeholders — the technique is in the structure, not the content. Replace the placeholders with realistic, in-scope examples for your own authorised engagement.

Is testing AI features authorised?

Treat AI features like any other feature in scope. Stick to the program rules, do not target other tenants, and use your XowiaTrack canary host for OOB so the only data leaving the model is yours.

Why is the LLM Kit not in the public free tools?

The framing is offensive (jailbreaks, exfiltration, smuggling, agent abuse) and we keep it behind login so the public domain reputation stays clean for search engines and safe-browsing reviewers.
