Attack Modules
Basilisk ships with 29 attack modules organized into 8 categories. Every module maps directly to an OWASP LLM Top 10 category.
Prompt Injection (LLM01)
5 modules targeting instruction override vulnerabilities:
| Module | Description |
|--------|-------------|
| injection.direct | Direct instruction override ("Ignore previous instructions...") |
| injection.indirect | Indirect injection via context manipulation |
| injection.multilingual | Cross-language payload delivery (Arabic, Chinese, Russian variants) |
| injection.encoding | Base64, ROT13, hex, unicode-encoded payloads |
| injection.split | Fragment injection across multiple messages |
System Extraction (LLM06)
4 modules targeting hidden system prompt disclosure:
| Module | Description |
|--------|-------------|
| extraction.role_confusion | Confuse the model into revealing its instructions |
| extraction.translation | Request system prompt translation to another language |
| extraction.simulation | "Pretend you are debugging..." scenarios |
| extraction.gradient_walk | Incremental probing to reconstruct system prompt |
Data Exfiltration (LLM06)
3 modules targeting sensitive information leakage:
| Module | Description |
|--------|-------------|
| exfiltration.training_data | Extract memorized training data |
| exfiltration.rag_data | Extract documents from RAG pipelines |
| exfiltration.tool_schema | Discover internal tool definitions and API schemas |
Tool Abuse (LLM07/LLM08)
4 modules targeting tool-use vulnerabilities:
| Module | Description |
|--------|-------------|
| tool_abuse.ssrf | Server-side request forgery via tool invocation |
| tool_abuse.sqli | SQL injection through tool parameters |
| tool_abuse.command_injection | OS command injection via tools |
| tool_abuse.chained | Multi-step lateral movement through tool chains |
Guardrail Bypass (LLM01/LLM09)
4 modules targeting content safety filter circumvention:
| Module | Description |
|--------|-------------|
| bypass.roleplay | Character/persona-based bypass |
| bypass.encoding | Technical encoding to evade text filters |
| bypass.logic_trap | Logical reasoning traps that defeat safety filters |
| bypass.systematic | Automated systematic probing of all guardrail boundaries |
Denial of Service (LLM04)
3 modules targeting resource exhaustion:
| Module | Description |
|--------|-------------|
| dos.token_exhaust | Maximize token consumption per request |
| dos.context_bomb | Fill context window to overflow |
| dos.loop_trigger | Trigger infinite reasoning loops |
Multi-Turn Attacks (LLM01)
3 modules targeting conversation-based vulnerabilities:
| Module | Description |
|--------|-------------|
| multiturn.escalation | Gradual trust escalation over 5-10 turns |
| multiturn.persona_lock | Lock model into a compliant persona |
| multiturn.memory_manipulation | Exploit conversation memory/context |
RAG Attacks (LLM03/LLM06)
3 modules targeting Retrieval-Augmented Generation:
| Module | Description |
|--------|-------------|
| rag.poisoning | Inject malicious content into retrieval pipeline |
| rag.document_injection | Override retrieved context with attacker-controlled docs |
| rag.knowledge_enum | Enumerate knowledge base structure and contents |
Running Specific Modules
```bash
# Run all modules
basilisk scan -t https://api.target.com/chat

# Run a specific category
basilisk scan -t https://api.target.com/chat --module injection

# Run a specific module
basilisk scan -t https://api.target.com/chat --module injection.encoding

# List all available modules
basilisk modules
```