This research was presented at: DEF CON 33 - AI Village and AppSec Village, BSides Kraków 2025 and BSides Tirana 2025.

Agents based on Large Language Models (LLMs) are increasingly susceptible to vulnerabilities reminiscent of early-2000s software bugs. One such emerging technique is Special Token Injection (STI), which targets the model’s tokenizer. By injecting sequences of reserved tokens that are interpreted as privileged control-flow instructions rather than normal text, an attacker can hijack the model to perform arbitrary instructions. These manipulations can include the use of unintended special tokens such as role separators, function or tool call, beginning- or end-of-sequence tokens within structured prompts, allowing attackers to hijack the agent’s functionality.

When successfully exploited, Special Token Injection can lead to a range of security failures, including:
- Context poisoning
- Agent instruction (system prompt) manipulation
- Function/Tool call misuse and unauthorized invocation
- Cross-turn state corruption for multi-step agents
- Multi-agent workflow corruption
- Unbounded token consumption

In this talk, we’ll demystify STI: what it is, how we found it, where it lurks, and why it matters. We’ll walk through real‑world examples, explore its broader implications in AI security from a pentester's perspective.

Armend, Robert, and Anit are from the Republic of Kosovo.