Scenario 07: RAG Pipeline Poisoning¶
Difficulty: Intermediate Time: ~30 minutes Prerequisites: Complete Scenario 04 Target: ailab-ds:8080 (Weaviate), ailab-dev:11434 (Ollama)
Background¶
Retrieval Augmented Generation (RAG) pipelines combine a vector database (retrieval) with an LLM (generation) to produce contextually grounded responses. If an attacker can write to the vector store, they can inject malicious documents that will be retrieved and presented as authoritative answers. This is analogous to SEO poisoning but for enterprise knowledge bases.
Objective¶
Inject a poisoned document into a vector database and demonstrate that an LLM retrieves and cites it as a legitimate source.
Commands¶
# First, enumerate the Weaviate collections to understand the schema
aipostex vectordb --type weaviate --target 172.16.50.30:8080 enum
# Explore the Ollama instance to see available models
aipostex ollama --target 172.16.50.10:11434 enum
Expected Finding¶
Weaviate (ailab-ds:8080): - Collections with open write access - No authentication required for object creation - Existing documents that reveal the RAG schema and naming conventions
Ollama (ailab-dev:11434): - Available models that could be used for generation - Model details revealing context window sizes and capabilities
The attack surface is: 1. Attacker reads existing documents to learn the schema 2. Attacker injects a crafted document with misleading content 3. When a user queries the RAG system, the poisoned document is retrieved 4. The LLM presents the poisoned content as fact
Example finding:
{
"finding_type": "vulnerability",
"service": "weaviate",
"detail": "Write access to vector store - RAG poisoning possible",
"collections_writable": 2
}
Scoring objective: Weaviate collections are confirmed writable without authentication.
Real-World Impact¶
RAG poisoning is one of the most impactful AI-specific attacks. Enterprise RAG systems power internal chatbots, customer support, and decision-making tools. A poisoned vector store can spread disinformation through every system that queries it — from customer-facing chatbots giving wrong medical/financial advice to internal tools providing incorrect security guidance.
Follow-On¶
- Scenario 10: Combine RAG poisoning with model tampering
- Scenario 12: Use poisoning as part of a multi-vector campaign