Skip to main content

Deploy BrowseSafe Prompt Injection Detection on Vast.ai

Deploy Perplexity AI’s BrowseSafe model for real-time HTML prompt injection detection using vLLM on Vast.ai.

Overview

BrowseSafe is Perplexity AI’s open-source model for detecting prompt injection attacks in HTML. It classifies web content as safe or malicious, protecting AI browser agents from hidden instructions.

The Threat: Prompt Injection Attacks

AI browser agents process raw HTML, not just what humans see. Attackers exploit this by hiding malicious instructions using CSS, HTML comments, or data attributes that are invisible to users but visible to AI.

Real Attack Examples from BrowseSafe-Bench

Attack 1: Fake Diagnostic Mode Embedded in a music streaming review:
This attack attempts to convince the AI it’s in a special mode requiring it to reveal internal instructions. Attack 2: CSS-Hidden Override
The visibility:hidden property hides content from users but AI agents parsing raw HTML still process it. Attack 3: Hidden Exfiltration Command Embedded in a Japanese business email:
This attack blends into legitimate content, instructing the AI to forward all emails, attachments, contacts, and credentials to a malicious address.

Attack Taxonomy

BrowseSafe-Bench covers 11 attack types:
  1. Information Override - Direct instruction injection in hidden divs
  2. Todo Injection - Malicious tasks in hidden input fields
  3. InjecAgent Pattern - Data attributes containing instructions
  4. Ignore Previous - Commands to disregard original instructions
  5. URL Segment - Encoded attacks in hyperlink fragments
  6. Role Manipulation - Redefining agent identity to extract data
  7. System Prompt Exfiltration - Attempting to expose internal instructions
  8. Delimiter Injection - Breaking context boundaries with markers
  9. Social Engineering - Authority-based urgency tactics
  10. Indirect Hypothetical - Framing malicious goals as theoretical scenarios
  11. Multilanguage - Non-English attacks bypassing English-trained filters

Requirements

  • Vast.ai account with API key
  • GPU with 80GB+ VRAM (A100 80GB, H100, or H200)

Deployment

Step 1: Install Vast.ai CLI

Bash

Step 2: Find Available Instances

Bash

Step 3: Deploy the Model

Bash

Step 4: Wait for Model Loading

The 31B model takes several minutes to download and load. Check logs:
Bash
Look for: Application startup complete. Example startup logs:
Text

Step 5: Get Connection Details

Find your instance IP and port:
Bash

API Usage

BrowseSafe exposes an OpenAI-compatible API. The model returns a single token:
  • "no" = HTML is safe
  • "yes" = Prompt injection detected

Python Client

Python

Test Results

We deployed BrowseSafe on an H100 PCIE 80GB instance and verified detection using the Python client:
Python

Handling Long HTML

For HTML exceeding the 16K token context limit, use chunking with OR-aggregation:
Python
This conservative approach flags content as malicious if any chunk contains an injection.

Integration Example

Use BrowseSafe as a preprocessing filter for browser agents:
Python
Python
With 97.8% precision (per BrowseSafe-Bench evaluation), you’ll rarely block legitimate pages while catching the vast majority of attacks.

Cleanup

Stop billing by destroying the instance:
Bash

Resources