Prompt Injection in Flask with Bearer Tokens

Prompt injection in a Flask API that uses Bearer tokens typically occurs when an LLM endpoint is exposed publicly and the request flow mixes authorization data (the token) with user-controlled content that can reach the LLM. Even though middleBrick does not perform authentication or inspect token validity, the scanner flags unauthenticated LLM endpoints and tests for prompt injection via a series of five sequential probes: system prompt extraction, instruction override, DAN jailbreak, data exfiltration, and cost exploitation. When a Flask route passes both token metadata and untrusted input to an LLM client, the model may treat injected text as part of the system or user message, causing the token to be echoed, the instructions to be overridden, or sensitive information to be revealed in the model output.

Consider a Flask route that forwards a user query and an Authorization header to an LLM without strict separation:

from flask import Flask, request, jsonify
import httpx

app = Flask(__name__)

@app.route("/chat")
async def chat():
    token = request.headers.get("Authorization", "").replace("Bearer ", "")
    user_query = request.args.get("q", "")
    payload = {
        "model": "gpt-4o-mini",
        "messages": [
            {"role": "system", "content": f"You are a support bot. Use internal token {token} for tracing."},
            {"role": "user", "content": user_query}
        ]
    }
    async with httpx.AsyncClient() as client:
        r = await client.post("https://api.openai.com/v1/chat/completions", json=payload)
    return jsonify(r.json())

In this pattern, the Bearer token is interpolated into the system prompt. An attacker can send a query such as q with a jailbreak string, attempting to leak the token or override instructions. Because the system prompt includes the token, the model might echo it or change behavior based on the injected content. The LLM/AI Security checks in middleBrick detect this by probing for system prompt leakage and instruction override, highlighting that tokens should never be embedded in prompts that are exposed to user-controlled text.

Additionally, if the Flask route reflects user input into the LLM message without sanitization, data exfiltration probes may succeed, returning pieces of the token or other sensitive data in the model output. Even when the Bearer token is used by the backend to call another service, mixing it with untrusted input in the LLM context creates a cross-stage risk where the model is tricked into revealing what it has been instructed to do with that token. The scanner flags unauthenticated LLM endpoints and excessive agency patterns, such as tool calls or function_call usage in the model responses, which can amplify the impact of prompt injection by enabling automated actions based on manipulated instructions.

Because middleBrick scans the unauthenticated attack surface, it intentionally does not rely on valid tokens. The presence of an Authorization header format does not prevent the scanner from testing prompt injection vectors, and findings will include system prompt leakage, instruction override, and data exfiltration with severity and remediation guidance mapped to frameworks such as OWASP API Top 10.

To mitigate prompt injection when Bearer tokens are involved, keep authorization data separate from LLM prompts and avoid interpolating tokens into messages sent to the model. Use backend-only handling of tokens and enforce strict input validation. The following examples show a safer approach where the token is used for upstream service calls but never exposed to the LLM context.

Instead of embedding the token in the system prompt, pass it only as an authorization header when the Flask service calls internal APIs:

from flask import Flask, request, jsonify
import httpx

app = Flask(__name__)

@app.route("/chat")
async def chat():
    token = request.headers.get("Authorization", "").replace("Bearer ", "")
    user_query = request.args.get("q", "")
    llm_payload = {
        "model": "gpt-4o-mini",
        "messages": [
            {"role": "system", "content": "You are a support bot."},
            {"role": "user", "content": user_query}
        ]
    }
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    async with httpx.AsyncClient() as client:
        r = await client.post(
            "https://api.openai.com/v1/chat/completions",
            json=llm_payload,
            headers=headers
        )
    return jsonify(r.json())

This pattern ensures the token is not part of the LLM prompt while still allowing the backend to authenticate requests to the LLM provider. If the token must be forwarded to a downstream service invoked by the model, return it as a safe tool result rather than as model instructions, and validate and sanitize all user input before any processing.

Additional remediation steps include implementing strict input validation, using allowlists for expected query formats, and applying rate limiting to reduce abuse risk. For CI/CD and pipeline safety, the middleBrick Pro plan includes GitHub Action integration that can fail builds if risk scores drop below a configured threshold, helping catch regressions before deployment. Continuous monitoring in the Pro plan can schedule regular scans so that changes to prompt handling or token usage are flagged early.

When integrating into AI coding assistants, the MCP Server allows you to scan APIs directly from your IDE, providing rapid feedback during development. The dashboard can track scores over time, making it easier to correlate changes in prompt design with security findings. These capabilities help teams maintain robust defenses against prompt injection without relying on the scanner to fix or block issues, as middleBrick only provides findings and remediation guidance.