π° Originally published on Securityelites β AI Red Team Education β the canonical, fully-updated version of this article.
π€ AI/LLM HACKING COURSE
FREE
Part of the AI/LLM Hacking Course β 90 Days
Day 12 of 90 Β· 13.3% complete
β οΈ Authorised Targets Only: RAG pipeline testing including sentinel token submission and knowledge base probing must only be performed against systems you have explicit written authorisation to test. SecurityElites.com accepts no liability for misuse of using llm08 vector, embedding weaknesses against unauthorized targets.
A clientβs AI knowledge base held three years of internal strategy documents, customer contracts, and financial projections. The RAG pipeline connected these to a customer-facing chatbot that answered questions about product pricing and availability. The access control assumption was simple: the chatbot would only surface information relevant to product queries. The vector similarity search had no idea what a product query was. It retrieved whatever was semantically closest to the userβs question. A user who asked βwhat are your plans for Q4?β received a response drawing on the companyβs internal Q4 strategic planning document, complete with unreleased product names and target revenue figures. No injection required. No authentication bypass. Just a query that happened to be semantically similar to a confidential document.
LLM08 Vector and Embedding Weaknesses is the OWASP category that covers the entire RAG attack surface β from knowledge base poisoning to access control failures to cross-user data leakage to prompt injection delivered via retrieved documents. The vulnerability class is underappreciated because the RAG pipeline is invisible to most users β it sits between the userβs query and the modelβs response, silently pulling documents that neither the user nor the developer necessarily knows are being retrieved. Day 12 makes the RAG pipeline visible and testable.
π― What Youβll Master in Day 12
Confirm whether an application uses RAG and map the retrieval pipeline architecture
Test for access control failures β retrieving documents outside your permission scope
Execute RAG poisoning using the sentinel token methodology
Embed prompt injection instructions in knowledge base documents for retrieval-triggered execution
Test for cross-user data leakage via shared vector namespaces
Build a local ChromaDB RAG pipeline and demonstrate each attack class against it
β±οΈ Day 12 Β· 3 exercises Β· Think Like Hacker + Kali Terminal + Browser ### β Prerequisites - Day 5 β Indirect Injection β RAG injection is a specific instance of indirect injection; the document injection methodology from Day 5 applies directly - Day 11 β LLM07 System Prompt Leakage β extracted system prompts often name RAG data sources and their access scope - Python with chromadb and openai libraries β Exercise 2 builds a local RAG pipeline for hands-on attack demonstration ### π LLM08 Vector, Embedding Weaknesses β Day 12 Contents 1. RAG Pipeline Anatomy β The Attack Surface Map 2. Access Control Failures β Retrieving Restricted Documents 3. RAG Poisoning β The Sentinel Token Methodology 4. Prompt Injection via Retrieved Documents 5. Cross-User Data Leakage 6. Severity Assessment and Report Writing In Day 11 you extracted the system prompt β which often names the RAG data sources and their access scope. Day 12 attacks those data sources directly. Day 13 covers LLM09 Misinformation β a distinct but related vulnerability where poisoned RAG content produces false outputs that cause measurable harm.
RAG Pipeline Anatomy β The Attack Surface Map
A RAG pipeline has five components and each one has distinct security implications. The ingestion pipeline converts source documents to vector embeddings and stores them. The retrieval system converts incoming queries to embeddings and finds the closest matches. Context assembly combines retrieved documents with the userβs query. The LLM processes everything. Output delivery returns the response. Each stage is an attack surface. Most assessments test only the last two.
RAG ATTACK SURFACE BY PIPELINE COMPONENTCopy
Component 1: Document ingestion
Attack: Poison the knowledge base by submitting malicious documents
Test: Can users submit documents that enter the retrieval corpus?
Component 2: Vector database
Attack: Cross-user retrieval β no namespace isolation
Test: Can user Aβs query retrieve user Bβs documents?
Component 3: Retrieval / similarity search
Attack: Craft queries that retrieve documents outside intended scope
Test: Can semantically crafted queries surface restricted documents?
Component 4: Context window assembly
Attack: Inject via retrieved documents (indirect prompt injection)
Test: Documents with injection instructions retrieved and executed
Component 5: Output
Attack: LLM05 Improper Output Handling of retrieved content
Test: Retrieved HTML/code rendered without sanitisation
π§ EXERCISE 1 β THINK LIKE A HACKER (20 MIN Β· NO TOOLS)
Map the Full RAG Attack Surface for an Enterprise Knowledge Base AI
β±οΈ 20 minutes Β· No tools needed
Before testing any RAG vulnerability, map the pipeline completely. This planning step determines which attack class applies and which evidence you need to collect for each finding.
SCENARIO: A professional services firm deploys βKnowledgeAIβ β
an internal AI that answers employee questions using the firmβs
document library. Architecture from extracted system prompt:
β Knowledge base: 50,000 documents including HR policies,
client contracts, financial reports, strategy documents
β Vector DB: ChromaDB running on internal server
β Ingestion: employees can upload documents via the portal
β Retrieval: top-5 most similar chunks per query
β Access model: all authenticated employees can query all documents
π Read the complete guide on Securityelites β AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites β AI Red Team Education β
This article was originally written and published by the Securityelites β AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites β AI Red Team Education.
Top comments (0)