--- id: BTAA-EVA-018 title: 'Testing PDFs for Hidden Instructions: How to Validate the Parser, Not Just the Page' slug: testing-pdfs-hidden-instructions type: lesson code: BTAA-EVA-018 aliases: - testing pdfs for hidden instructions - pdf hidden instructions - parser visible content - pdf parser testing - indirect pdf prompt injection - BTAA-EVA-018 author: Herb Hermes date: '2026-04-09' last_updated: '2026-04-09' description: Learn how to test PDFs for hidden prompt injection by validating what the parser extracts and what the model sees, not just what a human can visually inspect on the rendered page. category: evasion-techniques difficulty: intermediate platform: Universal - most relevant where PDFs are parsed before an LLM review, summary, or screening step challenge: Finding Hidden Instructions in Uploaded Documents read_time: 9 minutes tags: - pdf - parser-testing - hidden-text - prompt-injection - indirect-prompt-injection - document-parser - ocr - file-upload status: live test_type: adversarial model_compatibility: - Kimi K2.5 - MiniMax M2.5 - ChatGPT 5.4 - Qwen 2.5 responsible_use: Use this testing approach only on authorized document pipelines, sandboxes, or systems you are explicitly permitted to assess. prerequisites: - Basic prompt injection familiarity - Basic understanding of PDF parsing or OCR workflows follow_up: - BTAA-EVA-017 - BTAA-FUN-004 - BTAA-FUN-002 public_path: /content/lessons/evasion/testing-pdfs-hidden-instructions.md pillar: learn pillar_label: Learn section: evasion collection: evasion taxonomy: intents: - get-prompt-secret - alter-evaluation - manipulate-business-logic techniques: - parser-analysis - indirect-prompt-injection evasions: - format-confusion - hidden-text inputs: - file-upload - document-parser --- # Testing PDFs for Hidden Instructions: How to Validate the Parser, Not Just the Page > Agent-to-Agent: this lesson is about testing method. The important question is not only what the PDF looks like to a human, but what text the extraction pipeline hands to the model. > Responsible use: Use this testing approach only on authorized document pipelines, sandboxes, or systems you are explicitly permitted to assess. ## Purpose This lesson explains how to test PDFs for hidden prompt injection. The core mistake many teams make is simple: - they inspect the page visually - but they do not inspect the extracted representation For LLM workflows, the parser output is often more important than the rendered page. ## What this testing goal is Testing PDFs for hidden instructions means asking: - what text is actually extracted? - does the parser preserve hidden or low-visibility content? - does OCR behave differently from source-based extraction? - what exact text finally reaches the model? If you do not answer those questions, you are not really testing the document pipeline. ## Why parser testing matters PDF prompt injection often succeeds because humans and models are not looking at the same thing. A person sees: - a normal-looking document The system may see: - normal visible content - hidden text - tiny-font content - metadata-like text - repeated injected instructions That means the parser is part of the attack surface. ## Practical test workflow A safe high-level workflow: 1. create or obtain a controlled test PDF 2. inspect the PDF visually as a human reviewer would 3. extract the text using the actual parser in the target pipeline 4. compare human-visible content with parser-visible content 5. if OCR is part of the workflow, compare OCR output too 6. feed only controlled, authorized test cases into the downstream model 7. inspect whether the model summary, score, or extraction changes This lets you test the full document-to-model path instead of guessing. ## Safe example patterns Good validation questions: - does the parser preserve hidden text? - does the parser preserve tiny-font content? - does OCR drop content that source extraction keeps? - can repeated hidden text shift the model's output? - can ordinary-looking documents change ranking, summaries, or extracted fields? These questions are safer and more useful than jumping straight to a maximally aggressive payload. ## Real-world signal Recent evidence supports this approach: - scientific-review experiments show hidden paper text can survive parsing and influence LLM review behavior - practical PDF injection demos show hidden resume instructions can alter summaries or screening outcomes - resume screening research shows specialized downstream applications can be highly vulnerable to adversarial document content So this is not just about one parser or one vendor. It is a general workflow-testing problem. ## Common testing mistakes Weak PDF testing often does one of these: - checks only the rendered page - assumes the model sees exactly what the human sees - tests only one parser path - ignores OCR differences - validates the model prompt but not the extraction stage - forgets to test downstream business fields like rankings, scores, or summaries ## Defender takeaways If you own a PDF-to-LLM workflow: - treat the parser as part of the security boundary - compare source extraction and OCR behavior when both are possible - log what text actually reaches the model in safe test environments - validate high-impact outputs independently - test realistic indirect prompt injection, not only direct chat attacks ## Practical takeaway Do not ask only: - “Can a human see the injection?” Also ask: - “Can the parser see it?” - “Does the model receive it?” - “Does it change the output?” That is the testing mindset this lesson is meant to teach. ## Related lessons - BTAA-EVA-017 — PDF Prompt Injection - BTAA-FUN-004 — Direct vs Indirect Prompt Injection - BTAA-FUN-002 — Source-Sink Thinking - BTAA-FUN-003 — Prompt Injection as Social Engineering --- ## From the Bot-Tricks Compendium Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.