Red-team a RAG app
Framework-agnostic RAG guide. If you’re on LlamaIndex specifically, see llamaindex.md — but the attack categories overlap heavily.
1. Expose an endpoint
# Any framework — LangChain, LlamaIndex, Haystack, raw — works.
from fastapi import FastAPI
from pydantic import BaseModel
from my_rag import retrieve_and_answer # your retriever + generator
app = FastAPI()
class Req(BaseModel):
query: str
@app.post("/query")
def query(req: Req):
answer, sources = retrieve_and_answer(req.query)
return {"answer": answer, "sources": sources}
2. Copy the config
cp configs/integrations/rag-app.json configs/config.my-rag.json
Edit:
target.baseUrl+agentEndpointtarget.applicationDetails— what’s in the index, who can query it, whether the corpus is user-providedcodebasePath— directory with your retriever, chunker, and embedding code
3. Run
npm start configs/config.my-rag.json
What this catches
RAG-specific failure modes the bundled config targets:
rag_poisoning/rag_corpus_poisoning— adversarial content in your corpusrag_attribution— answer cites a source that doesn’t support the claimvector_store_manipulation— similarity-space attacks to surface attacker chunkschunk_boundary_injection— payloads exploiting yournode_parser/ chunkerretrieval_ranking_attack— keyword stuffing, embedding-near-duplicatesretrieval_tenant_bleed— cross-tenant leakage in shared indicesembedding_inversion— reconstructing source text from embeddings (if exposed)indirect_prompt_injection— instructions hidden in retrieved documentsdata_exfiltration/pii_disclosure— pulling indexed PII back through chathallucination— measuring grounded-vs-fabricated answers
White-box mode reads your chunker config and retriever to tune attacks to your specific pipeline (chunk size, overlap, top-k, reranker).