Artifact for "Prompt-to-SQL Injection Attacks in LLM-Integrated Web Applications: Risks and Defenses"
RQ1: contains all files related to the replication of the RQ1 attackscode: code for the replication of the RQ1 attacksapp-backend-agent: the Langchain backend using SQLDatabaseAgentapp-backend-chain: the Langchain backend using SQLDatabaseChainapp-frontend: used to launch the Gradio chatbot frontendpostgres: a docker-compose file to launch the PostgreSQL databasepgadmin: a docker-compose file to launch the pgAdmin database manager for easy database inspection
prompts: contains the prompts used in the RQ1 attacks
RQ2: contains the code, prompts, and list of models used in RQ2RQ3: contains the red team application testing code used in RQ3automated: contains the code for the automated generation of malicious promptsfinetune: finetuned Mistral-7B model (code, dataset, and model)generated_prompts: contains successful malicious prompts generated by model
red-team: contains the code for the red team testingapps: contains the code for the red team applicationsbackend: contains the code to launch the red team server backenddataset: contains the prompts created by the red teamfrontend: contains the code to launch the red team frontend serverprompt-db: a docker-compose file to launch the PostgreSQL database to save tester prompts
RQ4: contains the code for RQ4langshield-langchain: implementation of Langshield in Langchain's SQL chain and agent (v0.1.0)llm_guard: contains the code and evaluation data for the LLM Guard mitigation. Also contains the our results for the evaluation of the LLM Guard mitigations.eval: contains the LLM Guard evaluation code and dataall_prompts: evaluation of final LLM Guard implementation over 1120 promptsdetections: evaluation of intermediate LLM Guard implementation over 60 promptsfalse_positives: evaluation of false positives of deberta-v3-base-prompt-injection over 120 prompts
final_implementation_standalone: contains the final standalone implementation of the LLM Guard component of Langshield