Web Request Triggering
Type: technique
Description: The adversary triggers the AI system to issue a web request to an attacker-controlled domain, encoding data into the URI. The adversary can also perform granular web triggering by using questions about the data to determine which URL will be browsed. In both cases the request is triggered by the client application with no user clicks required.
Version: 0.1.0
Created At: 2025-07-23 10:23:39 -0400
Last Modified At: 2025-07-23 10:23:39 -0400
External References
Related Objects
- --> Exfiltration (tactic): An adversary can exfiltrate data by embedding it in a URI and triggering the AI system to query it via its browsing capabilities.
- --> Index-Based Browsing (mitigation): Limiting an AI System to query a search index rather than perform a URL retrieval Setting a Content Security Policy can mitigate this technique by disrupting an attacker's ability to provide a URL to a domain under their control.
- --> URL Anchoring (mitigation): Limiting an AI System to visit only URLs that were explicitly written by the user reduces an attacker's ability to exfiltrate data through request parameters.
- <-- Exfiltration of personal information from ChatGPT via prompt injection (procedure): Triggering a web request to multiple website pages
www.attacker.com/send/<code>where<code>is chosen based on the AI system's answer to the adversary questions. In this scenario, the researcher uses<code>to exfiltrate a single digit number of their postal code by choosing<code>with length proportional to that digit.