Indirect Prompt Injection (RAG / Web)
Malicious content lives in a document, web page, or PDF that the LLM later ingests via RAG / browse tools — injection fires when the model reads it.
§ Where this technique fits
AI-INDIRECT-INJECT is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 3 on average.
§ Dossiers chaining this technique
- step 3 / 6: Multi-agent confused-deputy → tool-call escalation
  User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- step 3 / 5: Prompt injection → tool-call shell RCE
  Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
- step 3 / 5: Indirect prompt injection via RAG document
  Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc.
§ What commonly comes next
- 01 Tool / Function-Call Abuse · seen 3× · AI-TOOL-ABUSE · Execution