What is the Adapter?
When to use the Adapter vs. the Web Console, and how it controls a real browser under the hood
The Adapter in one sentence
The Adapter is a desktop app that controls a real browser to attack AI chatbots embedded in websites — handling login, dynamic JavaScript rendering, and complex UI interactions that a pure API call can't reach.
Web Console vs Adapter — when to use which
| Situation | Use |
|---|---|
| Target has a public REST API or LLM API key | Web Console |
| Target is an OpenAI / Anthropic / Google model | Web Console |
| Target is a chatbot embedded in a webpage | Adapter |
| Target requires SSO or company login | Adapter |
| Target uses Shadow DOM or iframe widgets | Adapter |
| Target is a React/Vue/Next.js SPA with dynamic UI | Adapter |
| Target is behind a corporate VPN | Adapter |
Quick rule
If you can call the AI with curl — use the Web Console. If you need to open a browser and log in — use the Adapter.
How the Adapter works
The Adapter uses Chrome DevTools Protocol (CDP) to automate a real Chromium browser. It:
- Opens the target website in a controlled browser session
- Discovers the chat interface (input field, submit button, response area) — automatically, without hardcoded selectors
- Types attack prompts, submits them, and captures the AI's response
- Sends each prompt/response pair to Stinger Backend for Judge scoring
- Repeats across all attack strategies and goals
The target sees traffic from a real browser. Sessions (cookies, tokens) stay on your local machine — they are never sent to Stinger's servers.
Three target types
Web Chatbot — A chatbot UI embedded in a website. The Adapter discovers the UI automatically using Vision + DOM analysis. Supports direct chat interfaces, floating widget buttons, iframe-embedded widgets, and Shadow DOM.
LLM API — OpenAI, Anthropic, Google, or any compatible API. No browser needed — the Adapter calls the API directly through the Stinger backend.
Service API (Custom) — A proprietary REST endpoint. Paste a curl command and Stinger auto-parses the endpoint, headers, and body structure.
What the Adapter does NOT do
- It does not store your target's session credentials on Stinger's servers
- It does not attack targets that haven't been approved in your Allowlist
- It does not run without a valid API key and an active Stinger account