Base64 Encoding Strategy

The Base64 Encoding strategy tests an AI system's ability to resist encoded inputs that might bypass security controls. Base64 encoding (using characters A-Z, a-z, 0-9, +, /) exploits a fundamental gap: LLMs learn to decode Base64 during pretraining, but their safety mechanisms often fail on encoded inputs.

Why It Works

• Models learn Base64 from internet data during pretraining
• Safety training rarely includes encoded content, making Base64 inputs out-of-distribution
• More capable models (like GPT-4o, Claude 3.5, and Llama 3.3) are often more vulnerable as they better understand encodings
• Safety training doesn't scale proportionally with model capabilities

Implementation

Use it in your promptfooconfig.yaml:

strategies:
  - base64

How It Works

The Base64 strategy works by:

1. Taking the original text from your test case
2. Converting the text to Base64 format using standard encoding algorithms
3. Replacing the original text in your test case with the Base64-encoded string
4. Testing whether the model can decode and respond to the encoded content

Base64 encoding transforms each group of three bytes into four ASCII characters from a set of 64 characters (A-Z, a-z, 0-9, +, /), making it a widely used method for representing binary data in text form.

Example Scenarios

The strategy helps identify:

• Security filter bypasses through encoded content
• Model's ability to handle obfuscated malicious inputs
• Potential jailbreaking vulnerabilities through encoding

Related Concepts

• Prompt Injection - Similar security bypass technique
• ROT13 Encoding - Alternative encoding strategy
• Leetspeak - Text obfuscation technique
• Hex Encoding - Similar encoding strategy using hexadecimal
• Image Encoding - Similar concept applied to images

For a comprehensive overview of LLM vulnerabilities and red teaming strategies, visit our Types of LLM Vulnerabilities page.