# Knowledge Base

Documented techniques, payload templates, exfiltration vectors, defense bypass methods. Research references.
zeroleaks includes a knowledge base of documented attack techniques, payload templates, exfiltration vectors, and defense bypass methods. All entries are sourced from security research, CVEs, and academic papers.
## Documented Techniques
Techniques are validated with source references (CVE, academic paper, security advisory, or real-world incident).
```ts
import { allDocumentedTechniques } from "zeroleaks";
// Or from the knowledge module directly:
// import { allDocumentedTechniques, getTechniquesByCategory } from "zeroleaks/knowledge";
```

### Technique Interface
```ts
interface DocumentedTechnique {
  id: string;
  name: string;
  category: TechniqueCategory;
  source: {
    type: "cve" | "academic" | "security_advisory" | "real_world_incident";
    reference: string;
    date: string;
    authors?: string[];
    cvss?: number;
  };
  description: string;
  mechanism: string;
  targetedSystems: string[];
  successRate?: number;
  defensesBypassed: string[];
  payloadTemplate?: string;
  variables?: string[];
  stealthLevel: "low" | "medium" | "high" | "zero_click";
}
```

### Categories
- `zero_click_injection` — EchoLeak-style, no user action
- `rag_poisoning` — RAG context poisoning
- `exfiltration` — Data exfiltration vectors
- `memory_poisoning` — Conversation memory manipulation
- `tool_poisoning` — Tool description/behavior poisoning
- `second_order` — Second-order injection
- `topic_transition` — Gradual topic shift (TopicAttack)
- `implicit_extraction` — Implicit prompt extraction
- `markdown_injection` — Markdown-based injection
- `encoding_bypass` — Encoding to bypass filters
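One defensive use of the `defensesBypassed` and `stealthLevel` fields is a coverage check: given the defenses a deployment actually has, which documented techniques does none of them stop? The block below is an added example, not zeroleaks code; `TechniqueSummary` is a trimmed copy of `DocumentedTechnique`, and the sample entries are constructed (a real run would pass `allDocumentedTechniques`).

```typescript
// Added example (not zeroleaks code): find documented techniques that none of the
// deployed defenses is recorded as stopping, using the defensesBypassed and
// stealthLevel fields of DocumentedTechnique. The type is a trimmed copy of the
// page's interface; the entries are constructed samples, not knowledge-base data.
type StealthLevel = "low" | "medium" | "high" | "zero_click";

interface TechniqueSummary {
  id: string;
  defensesBypassed: string[]; // defense type names, e.g. "xpia_classifier"
  stealthLevel: StealthLevel;
  successRate?: number;       // 0..1, optional as on the page
}

interface CoverageRow {
  id: string;
  remainingDefenses: string[]; // deployed defenses not in the bypass list
}

const STEALTH_RANK: Record<StealthLevel, number> = { low: 1, medium: 2, high: 3, zero_click: 4 };

// Constructed sample entries; a real run would pass allDocumentedTechniques.
const sampleTechniques: TechniqueSummary[] = [
  { id: "t-zero-click", defensesBypassed: ["xpia_classifier", "content_filter"], stealthLevel: "zero_click", successRate: 0.8 },
  { id: "t-encoding", defensesBypassed: ["content_filter"], stealthLevel: "medium", successRate: 0.5 },
  { id: "t-topic-shift", defensesBypassed: ["xpia_classifier", "instruction_detection"], stealthLevel: "high" },
];

// For each technique, which of the deployed defenses are NOT in its bypass list
// (i.e. are still documented to stand between the technique and the system).
function defenseCoverage(techniques: TechniqueSummary[], deployed: string[]): CoverageRow[] {
  return techniques.map(t => ({
    id: t.id,
    remainingDefenses: deployed.filter(d => t.defensesBypassed.indexOf(d) === -1),
  }));
}

// Technique ids with no remaining defense, most stealthy first, then highest
// success rate. With an empty deployed list every technique is a gap.
function findDefenseGaps(techniques: TechniqueSummary[], deployed: string[]): string[] {
  return techniques
    .filter(t => deployed.every(d => t.defensesBypassed.indexOf(d) !== -1))
    .sort((a, b) =>
      STEALTH_RANK[b.stealthLevel] - STEALTH_RANK[a.stealthLevel] ||
      (b.successRate ?? 0) - (a.successRate ?? 0))
    .map(t => t.id);
}

console.log(findDefenseGaps(sampleTechniques, ["xpia_classifier", "content_filter"])); // -> ["t-zero-click"]
```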
### Helper Functions
```ts
getTechniquesByCategory(category: TechniqueCategory): DocumentedTechnique[]
getTechniquesBySource(sourceType: "cve" | "academic" | ...): DocumentedTechnique[]
getCVETechniques(): DocumentedTechnique[]
getTechniquesBySuccessRate(minRate: number): DocumentedTechnique[]
```

## Payload Templates
Payload templates are structured attack payloads with variables. Sourced from CVE-2025-32711, OWASP MCP Top 10, academic papers (CPA-RAG, PR-Attack, TopicAttack, IKEA), and real-world incidents.
```ts
import { getPayloadsByCategory } from "zeroleaks";
const payloads = getPayloadsByCategory("system_prompt_extraction");
```

### Payload Categories
- `system_prompt_extraction`
- `data_exfiltration`
- `defense_bypass`
- `context_injection`
- `instruction_override`
- `format_exploitation`
### Payload Interface
```ts
interface PayloadTemplate {
  id: string;
  name: string;
  category: PayloadCategory;
  source: string;
  validated: boolean;
  template: string;
  variables: string[];
  targetContext: string[];
  effectiveness: "proven" | "research_validated" | "theoretical";
  evasionTechniques: string[];
}
```

## Exfiltration Vectors
Exfiltration vectors describe how to exfiltrate data from an AI system. Based on CVE-2025-32711 (EchoLeak), Lethal Trifecta (Simon Willison), Microsoft MSRC research, and OWASP LLM Security.
```ts
import { getExfiltrationByType } from "zeroleaks";
const vectors = getExfiltrationByType("image_url");
```

### Exfiltration Types
- `image_url` — Auto-loading image URLs (EchoLeak)
- `link_click` — User-triggered link exfiltration
- `api_callback` — API callback exfiltration
- `form_submission` — Form-based exfiltration
- `websocket` — WebSocket exfiltration
- `dns_exfil` — DNS-based exfiltration
- `encoded_response` — Encoded data in response
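The `requiresUserAction`, `requiresExternalServer`, `stealthLevel` and `detectionDifficulty` fields of the `ExfiltrationVector` interface documented in this section support a mitigation triage: vectors that need no click and are hard to detect go first, and `requiresExternalServer` separates the vectors an outbound egress allowlist can stop from the in-band ones that need output inspection. The block is an added example, not zeroleaks code; `VectorSummary` is a trimmed copy of the interface and the entries are constructed samples.

```typescript
// Added example (not zeroleaks code): rank exfiltration vectors for mitigation
// priority from the fields of ExfiltrationVector. The type is a trimmed copy of
// the page's interface; the sample entries are constructed, not knowledge-base data.
type StealthLevel = "low" | "medium" | "high" | "zero_click";
type Difficulty = "easy" | "moderate" | "hard";

interface VectorSummary {
  id: string;
  type: string; // ExfiltrationType on the page
  requiresExternalServer: boolean;
  requiresUserAction: boolean;
  stealthLevel: StealthLevel;
  detectionDifficulty: Difficulty;
}

interface TriageRow {
  id: string;
  score: number;
  egressControlApplies: boolean; // true when an outbound allowlist can block it
}

const STEALTH: Record<StealthLevel, number> = { low: 1, medium: 2, high: 3, zero_click: 4 };
const DETECT: Record<Difficulty, number> = { easy: 0, moderate: 1, hard: 2 };

// Constructed sample vectors; a real run would pass the result of getExfiltrationByType.
const sampleVectors: VectorSummary[] = [
  { id: "v-img", type: "image_url", requiresExternalServer: true, requiresUserAction: false, stealthLevel: "zero_click", detectionDifficulty: "hard" },
  { id: "v-link", type: "link_click", requiresExternalServer: true, requiresUserAction: true, stealthLevel: "medium", detectionDifficulty: "easy" },
  { id: "v-enc", type: "encoded_response", requiresExternalServer: false, requiresUserAction: false, stealthLevel: "high", detectionDifficulty: "hard" },
];

// Score = stealth (1..4) + 2 when no user action is needed + detection difficulty (0..2).
function triageScore(v: VectorSummary): number {
  return STEALTH[v.stealthLevel] + (v.requiresUserAction ? 0 : 2) + DETECT[v.detectionDifficulty];
}

// Highest score first; ties broken by id so the order is stable.
// egressControlApplies is false for in-band vectors (e.g. encoded_response), which
// never leave through the network layer and need output inspection instead.
function triageVectors(vectors: VectorSummary[]): TriageRow[] {
  return vectors
    .map(v => ({ id: v.id, score: triageScore(v), egressControlApplies: v.requiresExternalServer }))
    .sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

console.log(triageVectors(sampleVectors).map(r => r.id + ":" + r.score)); // -> ["v-img:8", "v-enc:7", "v-link:2"]
```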
### Exfiltration Interface
```ts
interface ExfiltrationVector {
  id: string;
  name: string;
  type: ExfiltrationType;
  source: string;
  realWorldExample?: string;
  description: string;
  mechanism: string;
  template: string;
  encodingMethod?: string;
  requiresExternalServer: boolean;
  requiresUserAction: boolean;
  stealthLevel: "low" | "medium" | "high" | "zero_click";
  detectionDifficulty: "easy" | "moderate" | "hard";
}
```

## Defense Bypass Methods
Defense bypass methods describe how to evade common AI safety mechanisms. Based on Microsoft MSRC, OWASP LLM Top 10 2025, InstructDetector, TopicAttack, CPA-RAG, and CVE-2025-32711 bypass analysis.
```ts
import { getBypassMethodsForDefense } from "zeroleaks";
const bypasses = getBypassMethodsForDefense("xpia_classifier");
```

### Defense Types
- `xpia_classifier` — XPIA-style instruction classifiers
- `content_filter` — Content moderation filters
- `markdown_sanitizer` — Markdown/link sanitization
- `instruction_detection` — Instruction pattern detection
- `embedding_filter` — Embedding-based filtering
- `behavioral_monitor` — Behavioral monitoring
- `output_filter` — Output filtering
- `rate_limiting` — Rate limiting
- `human_in_loop` — Human review
### Bypass Interface
```ts
interface DefenseBypassMethod {
  id: string;
  name: string;
  targetDefense: DefenseType;
  source: string;
  documentedSuccess: boolean;
  description: string;
  mechanism: string;
  technique: string;
  example?: string;
  bypassRate?: number;
  adaptiveResistance: "low" | "medium" | "high";
}
```

## Research References
The knowledge base draws from:
| Reference | Description |
|---|---|
| TAP | Tree of Attacks with Pruning (Mehrotra et al.) |
| PAIR | Prompt Automatic Iterative Refinement |
| Crescendo | Multi-turn gradual escalation |
| TombRaider | Dual-agent defense fingerprinting |
| Siren Framework | Multi-turn human jailbreak simulation |
| Echo Chamber | Gradual escalation patterns |
| TopicAttack | ACL 2025, gradual topic transition |
| CVE-2025-32711 | EchoLeak zero-click injection |
| AgentDojo | ETH Zurich, 97 tasks, 629 test cases |
| InjecAgent | 1,054 test cases across 17 tools |
| OWASP LLM Top 10 | 2025/2026 guidelines |
| Microsoft MSRC | Indirect prompt injection defenses |
## Accessing the Knowledge Base
The knowledge base is available from the zeroleaks package. Import paths may vary; check the package exports. Typical usage:
```ts
import {
  allDocumentedTechniques,
  getTechniquesByCategory,
  getPayloadsByCategory,
  getExfiltrationByType,
  getBypassMethodsForDefense,
} from "zeroleaks";
```

All knowledge base exports are available from the main "zeroleaks" entry point.