FEAT: Adding Garak Web Injection Scenario#2067
Open
rlundeen2 wants to merge 1 commit into
Open
Conversation
Port garak's web_injection probe family as a PyRIT WebInjection scenario covering all 8 probe variants (markdown data-exfiltration and XSS). Each strategy pairs a SeedObjective with a SeedPrompt in a SeedAttackGroup. Enhances the existing XSSOutputScorer and MarkdownInjectionScorer with garak detection cases and adds local seed datasets. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
romanlutz
reviewed
Jun 25, 2026
| # The Garak scenario family implements encoding-based probes inspired by the | ||
| # [Garak](https://github.com/NVIDIA/garak) framework. These test whether a target model can be | ||
| # tricked into producing harmful content when prompts are encoded in various formats. | ||
| # The Garak scenario family implements probes inspired by the |
Contributor
There was a problem hiding this comment.
Will we always keep it in sync with garak? I suspect not. We may add our own things or they may without us noticing. For that reason, I am not too fond of naming it after another toolkit which may not even be familiar to PyRIT users. I would prefer a name that explains what this actually does.
(Ship of Theseus anybody? 😆 )
romanlutz
approved these changes
Jun 25, 2026
romanlutz
left a comment
romanlutz
left a comment
Contributor
There was a problem hiding this comment.
Other than the naming I have no issues with this. It's a larger point that goes beyond this PR, too, so feel free to ignore.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR ports garak's
web_injectionprobe family into PyRIT as a newWebInjectionscenario (registered asgarak.web_injection), covering all 8 garak probe variants. These split into two groups: markdown-based data exfiltration (markdown-image exfil, Colab AI data leakage, string-assembly exfil, playground markdown exfil, and two combinatorial "extended" URI probes) and cross-site scripting (task-carrier XSS and markdown XSS). The implementation uses PyRIT concepts throughout — each strategy packages aSeedObjective(the attack goal) alongside the literal injectionSeedPromptin aSeedAttackGroup, and aggregate strategies (ALL,DEFAULT,EXFIL,XSS) let callers select probe subsets.Rather than ship a parallel garak-faithful scorer set, the PR enhances the existing
XSSOutputScorerandMarkdownInjectionScorerwith the detection cases garak relies on, and wires them together as a composite OR objective scorer. Three new local seed datasets back the probes (garak_example_domains_xss,garak_markdown_js,garak_xss_normal_instructions), while the existinggarak_web_html_jsdataset is reused; all four are declared as scenario defaults so they auto-load viaLoadDefaultDatasets. Unit tests cover the scenario and the enhanced scorers, and the garak scanner docs are updated.Example usage