There are 4 attacks in the access-control category. Each shows its technique id, mode, standards mapping, description, and the exact command to run it (swap the provider and target as needed).
Session Hijacking
critical
session-hijacking · multi-turn · MITRE: AML.T0054, AML.T0065Multi-turn attack to learn session token formats and forge authentication tokensRun it:
ai-blackteam run -p anthropic -a session-hijacking -t "your target prompt"
BFLA Exploit
high
bfla-exploit · single-turn · MITRE: AML.T0051.000, AML.T0065Call admin-level functions as a regular user via broken function-level authorizationRun it:
ai-blackteam run -p anthropic -a bfla-exploit -t "your target prompt"
BOLA Exploit
high
bola-exploit · single-turn · OWASP: LLM02 · MITRE: AML.T0051.000, AML.T0065Manipulate object IDs to access other users’ data via broken object-level authorizationRun it:
ai-blackteam run -p anthropic -a bola-exploit -t "your target prompt"
Debug Mode Exploit
medium
debug-mode-exploit · single-turn · MITRE: AML.T0054, AML.T0051.000Attempt to activate hidden debug, developer, or sudo modes to bypass restrictionsRun it:
ai-blackteam run -p anthropic -a debug-mode-exploit -t "your target prompt"