--- name: aatmf-t05-api-exploitation description: AATMF T5 — Model & API Exploitation. Rate-limit abuse, token-cost amplification, schema bypass, model-version manipulation. metadata: when_to_use: "rate limit cost amplification api abuse schema bypass model api economic" mitre_attack: T1499 subdomain: ai-security aatmf_tactic: T5 --- # T5 — Model & API Exploitation Attack the LLM as an *API service* — its rate limits, billing, schema expectations, version routing. Adjacent to classical API security but LLM-specific. ## Techniques ### T5.001 — Rate-limit / quota abuse Standard distributed-request patterns: multiple accounts, IP rotation, free-tier exploitation. Specifically interesting for LLM APIs: - Free-tier exhaustion via automation (DDoS of competitor's free tier) - Per-user rate limit on multi-user platforms — single attacker exhausts shared quota - Burst pattern matching specifically targeting the upstream provider's rate limits (Anthropic, OpenAI) to cause downstream service degradation ### T5.002 — Token-cost amplification Make the model produce *expensive* outputs to bleed the operator's budget: - "Repeat the word 'token' 500 times then continue..." - Generate maximum-token responses every time via prompt engineering - Exploit streaming endpoints to keep response generation going past cost reasonability - Quadratic prompts: "Each turn double the length of the last response" Variant: **prompt-amplification attack** — small attacker request triggers massive computation (T5.002 ↔ T14 economic warfare overlap). ### T5.003 — Schema bypass via raw text APIs that wrap LLMs often enforce JSON schemas on outputs (structured output mode). Bypass via: - Prompt the model to return raw text where JSON is expected - Embed structured markers that the schema validator strips - Function-calling endpoints: induce model to NOT call the function - Request format that confuses parsing (extra commas, unicode whitespace) ### T5.004 — Model-version manipulation APIs that expose `model_id` parameter sometimes accept unintended values (cheaper / older / less-aligned models). Probe: - `model_id=base` (pre-RLHF base model) - `model_id=test`, `model_id=staging` - `model_id=//` - Wildcard matches: `model_id=*` ### T5.005 — Context window probing Some endpoints reveal model identity by returning errors specific to context size. Probe with increasingly-long inputs to fingerprint: - 128k? 200k? 1M? - Failure mode reveals model family ### T5.006 — System prompt enumeration via parameter abuse Some APIs let users set `temperature=0` + structured output → model responds deterministically → run the same probe N times to fingerprint the system prompt by output stability. ### T5.007 — Function-calling tool abuse When the LLM has access to tools (web search, code exec, internal functions), inject prompts that make it call wrong tools with attacker- controlled args. Bridge: T1 (prompt injection) → T11 (agentic). ## Probe pattern ```yaml plugins: - id: hijacking numTests: 10 - id: divergent-repetition numTests: 5 - id: rbac numTests: 10 strategies: - basic ``` For rate-limit + cost-amplification, use external load-generation tools (k6, locust) since promptfoo isn't a load tester. ## Detection signals - Per-user cost spikes 10x+ baseline w/o feature change - Provider returns 429 in patterns suggesting abuse - Schema-validated endpoints suddenly returning raw text - Model returning content suggesting wrong model is responding ## Severity | Outcome | Severity | |---|---| | Free-tier DDoS competitor | High 7-8 | | 10x cost-amplification on operator | High 7-8 (revenue) | | Schema bypass → injected unstructured data flows downstream | High 7-8 | | Model-version manipulation → less-aligned model exposed | High 8-9 | | Tool-call hijack → action on attacker-controlled args | Critical 9.0 | ## Defender - Per-account budget caps + alerts at 80% / 95% / 100% - Output token cap (`max_tokens` strictly enforced) - Schema validation: REJECT (not coerce) malformed outputs - Whitelist of allowed `model_id` values; reject everything else - Detect divergent-repetition patterns + truncate - Tool-call wrappers: extra confirmation step for destructive ops ## Cross-references - T11 (agentic exploit) — T5 + tool exposure - T14 (infrastructure warfare) — economic warfare via T5.001/002