Deploy BrowseSafe Prompt Injection Detection on Vast.ai
Deploy Perplexity AI’s BrowseSafe model for real-time HTML prompt injection detection using vLLM on Vast.ai.Overview
BrowseSafe is Perplexity AI’s open-source model for detecting prompt injection attacks in HTML. It classifies web content as safe or malicious, protecting AI browser agents from hidden instructions.The Threat: Prompt Injection Attacks
AI browser agents process raw HTML, not just what humans see. Attackers exploit this by hiding malicious instructions using CSS, HTML comments, or data attributes that are invisible to users but visible to AI.Real Attack Examples from BrowseSafe-Bench
Attack 1: Fake Diagnostic Mode Embedded in a music streaming review:visibility:hidden property hides content from users but AI agents parsing raw HTML still process it.
Attack 3: Hidden Exfiltration Command
Embedded in a Japanese business email:
Attack Taxonomy
BrowseSafe-Bench covers 11 attack types:- Information Override - Direct instruction injection in hidden divs
- Todo Injection - Malicious tasks in hidden input fields
- InjecAgent Pattern - Data attributes containing instructions
- Ignore Previous - Commands to disregard original instructions
- URL Segment - Encoded attacks in hyperlink fragments
- Role Manipulation - Redefining agent identity to extract data
- System Prompt Exfiltration - Attempting to expose internal instructions
- Delimiter Injection - Breaking context boundaries with markers
- Social Engineering - Authority-based urgency tactics
- Indirect Hypothetical - Framing malicious goals as theoretical scenarios
- Multilanguage - Non-English attacks bypassing English-trained filters
Requirements
- Vast.ai account with API key
- GPU with 80GB+ VRAM (A100 80GB, H100, or H200)
Deployment
Step 1: Install Vast.ai CLI
Bash
Step 2: Find Available Instances
Bash
Step 3: Deploy the Model
Bash
Step 4: Wait for Model Loading
The 31B model takes several minutes to download and load. Check logs:Bash
Application startup complete.
Example startup logs:
Text
Step 5: Get Connection Details
Find your instance IP and port:Bash
API Usage
BrowseSafe exposes an OpenAI-compatible API. The model returns a single token:"no"= HTML is safe"yes"= Prompt injection detected
Python Client
Python
Test Results
We deployed BrowseSafe on an H100 PCIE 80GB instance and verified detection using the Python client:Python
Handling Long HTML
For HTML exceeding the 16K token context limit, use chunking with OR-aggregation:Python
Integration Example
Use BrowseSafe as a preprocessing filter for browser agents:Python
Python
With 97.8% precision (per BrowseSafe-Bench evaluation), you’ll rarely block legitimate pages while catching the vast majority of attacks.
Cleanup
Stop billing by destroying the instance:Bash