45 minutes · The red-team playbook for every OWASP ASI row (ASI01–ASI10)
B9 handed you the defense checklist. This is the same ten rows read as an attacker — the attack in depth, the evasion that defeats the standard defense, and the chaining that turns a single-row finding into compound impact.
Deep-Dives
One risk, one control, one test. Eight rows PASS/FAIL, two MEASURED. The scored report.
One risk, one attack procedure, the evasion that defeats the control, and the chain across rows. The reproduced finding.
B9 test verifies
The DIRECT surface. Taint gate tested against direct injection. Enumeration tested against extra tools. Normalization tested against ../.
Attacker arrives on
The INDIRECT surface. Injection inside a trusted tool output. Over-scoped credential beneath enumeration. Semantic path confusion in the selection layer.
| Row | Standard defense (B9) | Offensive evasion (SDD-B01) |
|---|---|---|
| ASI01 Goal Hijacking | Taint gate, instruction hierarchy, goal reaffirmation | Drift via trusted tool output; bypasses gate. Multi-turn framing shift, no single instruction hijacks. |
| ASI02 Prompt Leakage | System-prompt canary, egress verification | Multi-turn rapport; paraphrased, canary-free disclosure distributed across turns. |
| ASI04 Memory Poisoning | Harness-managed writes, provenance tagging | Taint-laundering via a legitimate trusted write tool; entry inherits the tool's trust, not the injection's taint. |
| ASI06 Cascading Hallucination | Verification, source citation | Unverified-claim propagation; the agent's inference/summary propagates as fact — verifier inspects citations, not reasoning. |
| Row | Standard defense (B9) | Offensive evasion (SDD-B01) |
|---|---|---|
| ASI03 Excessive Agency | Capability enumeration, minimality | The load-bearing capability that survived minimization — the over-scoped credential a benign task required. |
| ASI05 Tool/Skill Abuse | Path normalization, schema validation | Semantic path confusion in the selection layer; description-collision routes to the wrong tool. |
| ASI08 Supply Chain | Signed manifests, registry, agent SBOM | Signed-but-malicious; signature verifies the publisher, not the benignity. Typosquatted evil twin. |
| ASI10 Broken Access Control | Principal binding, tenant isolation | Inter-agent trust escalation; a compromised sub-agent's message executes under the orchestrator's trust. Binding holds. |
Output-as-input to a downstream agent. Sanitizer-valid JSON consumed by an agent that interprets a field as an instruction. No escape syntax exists for "data, not instruction" in a natural-language field.
Under-threshold tool loop. Each call under the per-call cap and within rate limit; 10,000 individually-legitimate calls. Per-call breaker never trips; session-level cap is the layer most omit.
ASI07 → 01 → 05 → 03
output-as-input → goal drift → tool dispatched → over-scoped cap exercised. Data exfiltration / lateral movement.
ASI02 → 04 → 06
capability disclosed → memory poisoned via trusted write → poisoned entry propagates as unverified fact. Backdoor survives restarts.
ASI08 → 05 → 10
signed-but-malicious MCP → dispatch via collision → action under orchestrator trust. Privileged action, forged authority.
ASI01 (detector + compliance bypass rate), ASI06 (hallucination miss rate). The standard admits the residual.
Closed at the vector, open at the class. The over-scoped credential, the selection ambiguity, the signed-but-malicious package, the trust assumption — residuals the PASS/FAIL result cannot express.
Phase 1 — B9 (builder)
Per-row test, isolated execution, scored report. Proves the controls are present and passing.
Phase 2 — SDD-B01 (attacker)
Per-row offensive procedure, chained execution, reproduced findings. Finds the residuals the test cannot express.
Ignore previous instructions. Test multi-turn framing drift and score goal divergence against a baseline, not single-shot success.
Next: SDD-B02 — Microsoft Failure Mode Taxonomy v2.0