Describe how a Special Token Injection (STI) attack works and what application-layer mitigations can be applied.
Explain the mechanism of a Special Token Injection (STI) attack: how does unsanitized user input become a security vulnerability at the tokenizer level? Describe at least two concrete mitigations that can be applied before or during tokenization.
STI exploits the gap between a special token's string and its id: tokenized under add_special_tokens=True, user-typed markers become real structural ids the model trusts as legitimate boundaries.
Think of a building where doors open only for staff badges. An attacker prints a fake badge that looks exactly like the real one, and the scanner cannot tell the difference, so the fake opens secure doors. In a language model, the special tokens like the system marker are the badges that grant authority over the conversation. If user text containing a marker is scanned the normal way, the model accepts that fake badge as real and follows it. The defenses are to refuse to read user badges at all, to tear up any badge-looking text a user submits, and to keep visitors in a separate lane where they could never carry a staff badge.
Detailed answer & concept explanation~6 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3-4 min: string vs id gap + forged-boundary consequence + add_special_tokens=False + input sanitization + structural separation + the re-tokenization pitfall.
Real products, models, and research that use this idea.
- HuggingFace Transformers exposes add_special_tokens on encode and __call__, which is the primary knob teams flip to False for untrusted input.
- OWASP's Top 10 for LLM Applications catalogs prompt injection, of which special-token injection is the tokenizer-layer instance.
- OpenAI's GPT-5.5 messages API keeps each user turn structurally separate so user text cannot mint a system boundary by itself.
- Anthropic's Claude Opus 4.7 messages format isolates user content the same way, which is structural separation enforced at the API layer.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you build a tokenizer wrapper that provably blocks STI across every code path?
QCan STI succeed against a model served only through a strict messages API with no manual string assembly?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Confusing STI with ordinary prompt injection. STI is the tokenizer-layer variant where user strings become genuine structural ids, not just persuasive natural-language text.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.