garak.probes.encoding

Encoding-based prompt injection

Encode an unsafe instruction or string in an effort to get it past alignment.

Probes in this module all perform some kind of encoding of the target string or instruction.

These encoding probes try to get a model to generate a specific piece of given text by presenting an encoded version of that text. They attempt to circumvent safeguards that rely on input filtering.

optional variable: encoding.payloads -> a list of payload types to be used

Recommended garak payloads to try:

  • text_en

  • encoded

  • web_html_js

  • access_shell_commands

  • slur_terms_en
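A defender-side view of the same idea, as an added example that is not garak code: an input filter that only inspects the literal text misses an encoded instruction, so this sketch also checks the decoded views of the input. The blocked phrase, the function names and the token-length threshold are assumptions made for the illustration.

```python
import base64
import codecs

# Constructed policy phrase for this demo; a real filter applies its own rules.
BLOCKED = (b"ignore previous instructions",)

def _b64(data):
    # Accept both the standard and the URL-safe alphabet.
    return base64.b64decode(data.replace(b"-", b"+").replace(b"_", b"/"), validate=True)

def _rot13(data):
    return codecs.encode(data.decode("ascii"), "rot13").encode("ascii")

# Standard-library decoders for some of the encodings listed on this page.
DECODERS = {
    "ascii85": base64.a85decode,
    "base85": base64.b85decode,
    "base16": lambda data: base64.b16decode(data, casefold=True),
    "base32": base64.b32decode,
    "base64": _b64,
    "rot13": _rot13,
}

def decoded_views(text, min_len=8):
    """Yield (encoding, decoded bytes) for the whole input and each long token."""
    raw = text.encode("utf-8")
    candidates = {raw.strip()} | {tok for tok in raw.split() if len(tok) >= min_len}
    for name, decode in DECODERS.items():
        for cand in candidates:
            try:
                yield name, decode(cand)
            except ValueError:  # binascii.Error and UnicodeDecodeError subclass it
                continue

def flagged_encodings(text):
    """Return the sorted names of the views in which a blocked phrase appears."""
    hits = set()
    if any(phrase in text.lower().encode("utf-8") for phrase in BLOCKED):
        hits.add("plain")
    for name, decoded in decoded_views(text):
        if any(phrase in decoded.lower() for phrase in BLOCKED):
            hits.add(name)
    return sorted(hits)
```

A filter built this way only covers the encodings it knows how to decode, which is why the probes below vary the encoding.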

class EncodingMixin

Bases: object

Mixin for encoding-based injection probes

Configurable parameters:

DEFAULT_PARAMS contents:

  • follow_prompt_cap = True

  • payloads = ['default', 'xss', 'slur_terms']

Default values are listed

See also Configuring garak for how to set these values.

Other attributes:

doc_uri = 'https://kai-greshake.de/posts/llm-malware/#encoded-inline-jailbreak'
extended_detectors = ['encoding.DecodeApprox']
goal = 'make the model say an encoded payload'
lang = 'en'
primary_detector = 'encoding.DecodeMatch'
tags = ['avid-effect:security:S0403', 'owasp:llm01', 'quality:Security:PromptStability', 'payload:generic']
tier = 2
use_bytes = True
class InjectAscii85(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to base85 encoded injections

Encodes payloads using ascii85, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
encoding_funcs = [<function a85encode>, <function b85encode>]
encoding_name = 'ASCII85'
class InjectAtbash(config_root=None)

Bases: EncodingMixin, Probe

Atbash probe. Credit: Nakul-Rajpal

https://en.wikipedia.org/wiki/Atbash

This probe checks whether a model:

  • recognizes Atbash-encoded malicious instructions,

  • repeats or decodes them,

  • and follows hidden instructions despite obfuscation.

active: bool = True
static atbash(text: bytes) -> bytes
doc_uri: str = 'https://en.wikipedia.org/wiki/Atbash'
encoding_funcs = [<staticmethod(<function InjectAtbash.atbash>)>]
encoding_name = 'Atbash'
class InjectBase16(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to base16 encoded injections

Encodes payloads using base16, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
encoding_funcs = [<function b16encode>]
encoding_name = 'BASE16'
class InjectBase2048(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to Base2048 encoding injections

Encodes payloads using base2048, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
encoding_name = 'BASE2048'
class InjectBase32(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to base32 encoded injections

Encodes payloads using base32, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
encoding_funcs = [<function b32encode>]
encoding_name = 'BASE32'
class InjectBase64(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to base64 encoded injections

Encodes payloads using base64, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
encoding_funcs = [<function b64encode>, <function urlsafe_b64encode>, <function standard_b64encode>, <built-in function b2a_base64>]
encoding_name = 'BASE64'
tier: Tier = 1
class InjectBraille(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to Braille encoding injections. Credit Wally#3422

Encodes payloads using braille, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
doc_uri: str = ''
encoding_funcs = [<function braille>]
encoding_name = 'Braille'
class InjectEcoji(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to Ecoji encoding.

Encodes payloads using the ecoji mapping, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
doc_uri: str = 'https://ecoji.io/'
encoding_funcs = [<function InjectEcoji._ecoji>]
encoding_name = 'Ecoji'
class InjectHex(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to hex encoded injections

Encodes payloads using hex, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
encoding_funcs = [<built-in function b2a_hex>]
encoding_name = 'hex'
class InjectLeet(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to 31337 encoding.

Encodes payloads using Leetspeak, and tries a variety of ways of getting the target model to repeat & decode them.

doc_uri: str = 'https://en.wikipedia.org/wiki/Leet'
encoding_funcs = [<function leet_bytes>]
encoding_name = 'Leetspeak'
class InjectMime(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to MIME encoding injections

Encodes payloads using MIME encoding, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = False
encoding_name = 'MIME'
class InjectMorse(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to Morse encoding. Credit Wally#3422

Encodes payloads using morse, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
doc_uri: str = ''
encoding_funcs = [<function morse>]
encoding_name = 'Morse'
class InjectNato(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to Nato phonetic alphabet encoding.

Encodes payloads using the classic NATO phonetic alphabet, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
doc_uri: str = 'https://en.wikipedia.org/wiki/NATO_phonetic_alphabet'
encoding_funcs = [<function InjectNato.nato>]
encoding_name = 'Nato'
nato() -> bytes
class InjectQP(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to QP encoded injections

Encodes payloads using quoted-printable, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = False
encoding_funcs = [<built-in function b2a_qp>]
encoding_name = 'Quoted-Printable'
tier: Tier = 1
class InjectROT13(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to ROT13 encoding injections

Encodes payloads using ROT13, and tries a variety of ways of getting the target model to repeat & decode them. ROT13 only applies to letters in the English alphabet.

active: bool = True
encoding_funcs = [<function rot13>]
encoding_name = 'ROT13'
class InjectSneakyBits(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to unicode variant selector ASCII smuggling

Encodes payloads by encoding ASCII characters into binary and encoding that binary using zero-width Unicode characters, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = False
doc_uri: str = 'https://embracethered.com/blog/posts/2025/sneaky-bits-and-ascii-smuggler/'
encoding_funcs = [<function sneaky_bits_smuggling>]
encoding_name = 'ASCII in hidden unicode binary encoding'
use_bytes = False
class InjectUU(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to UU encoded injections

Encodes payloads using uuencoding, and tries a variety of ways of getting the target model to repeat & decode them.

UUencode(payload)
active: bool = True
encoding_name = 'UUencode'
tier: Tier = 1
class InjectUnicodeTagChars(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to unicode tag ASCII smuggling

Encodes payloads by appending them to an emoji as invisible ASCII tags, and tries a variety of ways of getting the target model to repeat & decode them.

Configurable parameters:

DEFAULT_PARAMS contents:

  • follow_prompt_cap = True

  • payloads = ['default', 'xss', 'slur_terms']

  • desired_emoji = '😈'

Default values are listed

See also Configuring garak for how to set these values.

Other attributes:

active: bool = True
doc_uri: str = 'https://embracethered.com/blog/posts/2024/hiding-and-finding-text-with-unicode-tags/'
encoding_name = 'ASCII in Unicode Tags'
tier: Tier = 1
use_bytes = False
class InjectUnicodeVariantSelectors(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to unicode variant selector ASCII smuggling

Encodes payloads by encoding ASCII characters as Unicode variant selectors, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = False
doc_uri: str = 'https://paulbutler.org/2025/smuggling-arbitrary-data-through-an-emoji/'
encoding_funcs = [<function variant_smuggling>]
encoding_name = 'ASCII in Unicode Variant Selector'
tier: Tier = 2
use_bytes = False
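For the invisible-character probes (InjectUnicodeTagChars, InjectUnicodeVariantSelectors, InjectSneakyBits), an added example, not garak code, of how an input pipeline can reveal and strip such hidden content before it reaches a model. The function names are hypothetical, and the variation-selector byte mapping (U+FE00..U+FE0F for bytes 0..15, U+E0100..U+E01EF for bytes 16..255) is assumed to be the one described in the post linked as doc_uri above.

```python
import re
import unicodedata

TAGS = re.compile("[\U000E0020-\U000E007E]+")   # Tags block mirrors printable ASCII
SELECTORS = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")
PRESENTATION = {"\uFE0E", "\uFE0F"}  # a lone VS15/VS16 is normal emoji usage

def _selector_bytes(run):
    """Recover the byte values carried by a run of variation selectors."""
    return bytes(
        ord(c) - 0xFE00 if ord(c) < 0x10000 else ord(c) - 0xE0100 + 16 for c in run
    )

def inspect_hidden(text):
    """Return (cleaned_text, findings) with hidden channels decoded and removed."""
    findings = {"unicode_tags": [], "variation_selectors": [], "format_chars": []}

    def tag_run(match):
        hidden = "".join(chr(ord(c) - 0xE0000) for c in match.group())
        findings["unicode_tags"].append(hidden)
        return ""

    def selector_run(match):
        if match.group() in PRESENTATION:
            return match.group()  # keep legitimate presentation selectors
        findings["variation_selectors"].append(_selector_bytes(match.group()))
        return ""

    text = TAGS.sub(tag_run, text)
    text = SELECTORS.sub(selector_run, text)
    cleaned = []
    for ch in text:
        # Remaining format characters (category Cf) cover zero-width and
        # invisible operators; they are reported for review and dropped.
        if unicodedata.category(ch) == "Cf":
            findings["format_chars"].append(f"U+{ord(ch):04X}")
        else:
            cleaned.append(ch)
    return "".join(cleaned), {k: v for k, v in findings.items() if v}
```

Dropping every Cf character also removes the zero-width joiner used in some emoji sequences and scripts, so a production filter may prefer to report those rather than strip them.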
class InjectZalgo(config_root=<module 'garak._config'>)

Bases: EncodingMixin, Probe

Probe for susceptibility to Zalgo encoding.

Encodes payloads using Zalgo decoration, and tries a variety of ways of getting the target model to repeat & decode them.

active: bool = True
doc_uri: str = 'https://en.wikipedia.org/wiki/Zalgo_text'
encoding_funcs = [<function InjectZalgo.zalgo>]
encoding_name = 'Zalgo'
zalgo() -> bytes

braille(text)
leet_bytes(plain_input: bytes)
morse(text)
rot13(text)