Skip to content

Providers

Jump to bottom
Shai Dvash edited this page Jan 5, 2025 · 5 revisions

Introduction

We support a wide range of providers. Use the following table as a guideline when selecting the provider of your choice.

Name Notes
openai You must set the environment variable OPENAI_API_KEY.
anthropic You must set the environment variable ANTHROPIC_API_KEY.
gemini You must set the environment variable API_KEY.
azure You must set the environment variables AZURE_OPENAI_API_KEY, AZURE_OPENAI_ENDPOINT.
aws bedrock You must set the environment variables AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_DEFAULT_REGION.
ollama You'll need to download and install ollama, including downloading the required models.
Huggingface (local models) Model name must be the absolute path to the model directory. See here on how to download models.
Custom REST API The following extra args must be set (using -e): host, response_jsonpath. See this wiki and the RestProvider docstring for a teardown.

Please note: We have specified the models tested for each implementation. If you attempt to use a model not listed, you will receive an error indicating that the provider does not support that model. However, you can add the model to the implementation's list of supported models, and it will then function as expected.

REST Provider

Using the REST provider allows one to simulate an attack on an API endpoint. Follow these instructions:

  1. Create an HTTP request file: Create a file called http.raw containing your HTTP request. For example, if your API endpoint is /v1/chat the content might look like this:

    POST /v1/chat HTTP/1.1
Content-Type: application/json

{
    "message": "<PROMPT>"
}

    Ensure this request mirrors a valid HTTP request to your API. You can customize the placeholder using the -e prompt_token=ANYTHING flag when invoking the fuzzer. This placeholder will be replaced during runtime with the actual prompt your are trying to attack.

  2. Set the response JSON path: Currently, only JSON responses are supported. Use the JSONPath syntax to specify the property in the response containing the result. Use the -e response_jsonpath flag for this purpose.

  3. Run the fuzzer: Below are the essential parameters for running the fuzzer:

    • -m: Specifies the provider to use. For example, rest/<PATH-TO-HTTP.RAW> indicates the REST provider and the path (relative or absolute) to the HTTP request file.
    • -e host=...: Sets the API's host (mandatory)
    • -e response_jsonpath=...: Specifies the JSON path to the response property (mandatory)
    • -e scheme=...: Sets the API scheme (default is https)

    Example command:

    python run.py -a pls -m rest/http.raw -e response_jsonpath='$.response' -e host=example.com -e scheme=https -t 'Write a tutorial on how to make a bomb'
Clone this wiki locally