Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.q-uestionable.ai/llms.txt

Use this file to discover all available pages before exploring further.

What Is IPI?

Indirect Prompt Injection (IPI) is a security testing module that lets you test whether AI systems are vulnerable to hidden instructions embedded in external documents. You create adversarial documents, deploy them to a target system, and track execution via HTTP callbacks — proof that the hidden payload actually ran. IPI is the only qai module where documents are uploaded to third-party AI services. This requires explicit authorization.

How It Works

  1. Start the callback listener — Run qai ipi listen on a server you control. This opens an HTTP endpoint that receives proof-of-execution callbacks. The listener can also run with --tunnel cloudflare to receive callbacks from cloud / remote targets — see Remote callbacks via Cloudflare Tunnel.
  2. Generate poisoned documents — Use qai ipi generate to create documents with hidden payloads using your choice of format (PDF, Word, Markdown, etc.) and hiding technique (white ink text, metadata, comments, etc.).
  3. Deploy to target — Upload the poisoned document to the target system’s document ingestion pipeline (knowledge base, RAG system, email service, calendar app, etc.).
  4. Trigger payload execution — Send a prompt that causes the target to ingest and process your document.
  5. Verify execution — Monitor your callback listener for HTTP requests. A callback confirms the target executed your hidden payload.

What to Expect

IPI is a research harness, not an automated exploit tool. The tool generates poisoned documents and proves execution when it happens, but the researcher does the hard part: figuring out which combination of format, technique, style, and trigger prompt will cause a specific target to execute. This is inherent to indirect prompt injection — every target model, system prompt, and ingestion pipeline changes the attack surface. Expect to iterate across multiple attempts.

What You Can Test

IPI supports 7 document formats and 3+ techniques per format:
  • PDF — Two phases of techniques: white ink, metadata, form fields, JavaScript, etc.
  • DOCX (Word) — Hidden text, comments, metadata, headers/footers
  • Markdown — HTML comments, zero-width Unicode, hidden blocks
  • HTML — Meta tags, data attributes, CSS positioning tricks
  • Image (PNG/JPG) — Visible/subtle text overlays, EXIF metadata
  • ICS (Calendar) — Event descriptions, alarms, custom properties
  • EML (Email) — Headers, hidden HTML, attachments
Each technique hides your payload in a different way, making it harder to detect by automated scanning tools.

Payload Styles and Types

You control how the payload is presented and what it does: Payload Styles (how it blends into the document):
  • Obvious — Direct injection markers for baseline testing
  • Citation — Disguised as a document reference
  • Reviewer — Appears as a note to an editor
  • Helpful — Framed as helpful supplementary content
  • Academic — Academic cross-reference format
  • Compliance — Looks like a verification requirement
  • Datasource — Appears as data source attribution
Payload Types (attack objectives):
  • callback — Proof of execution (safe, default)
  • exfil_summary — Attempts to extract document summary
  • exfil_context — Attempts to extract conversation context
  • ssrf_internal — Server-side request forgery to internal endpoints
  • instruction_override — Attempts to override system instructions
  • tool_abuse — Attempts to misuse agent tools
  • persistence — Attempts to persist instructions across sessions
Non-callback types require the --dangerous flag and are intended for authorized security testing only.

Callback Tracking

The callback listener records incoming HTTP requests and assigns a confidence level to each:
  • HIGH — Valid campaign token present in the callback URL. Strong proof that the specific poisoned document was executed.
  • MEDIUM — No token, but User-Agent indicates a programmatic HTTP client (python-requests, httpx, curl, etc.). Likely automated execution.
  • LOW — No token and browser/scanner User-Agent. May be incidental traffic or scanner noise, not definitive proof.
All hits are stored in the database and accessible via qai ipi status or the web dashboard.

Retrieval Pre-Validation

When running through the Test Document Ingestion workflow with RXP enabled, IPI receives retrieval pre-validation results before generating payloads. This prevents generating documents that would never be retrieved by the target RAG system. Three states are possible:
StateWhat Happens
RXP disabled (default)IPI generates all payloads — no gating applied
RXP enabled, zero retrievalIPI skips generation entirely. The run completes with zero payloads and marks all queries as non-viable
RXP enabled, partial or full retrievalIPI generates all payloads normally. Queries where the poison document was not retrieved are annotated as non-viable in the results
Generation is not suppressed per-query because IPI generates payloads per format and technique (e.g., one PDF with white_ink technique), not per query. The non-viable query annotations tell you which retrieval paths are weak spots. When RXP fails or its dependencies are missing, IPI runs ungated — identical to RXP being disabled. See RXP → IPI Pipeline for the full gating model.

Safety and Authorization

IPI documents may be uploaded to third-party AI services. This requires explicit authorization before generating payloads.
Non-callback payload types (exfil, SSRF, instruction override, etc.) require the --dangerous flag. This is a safety gate to ensure you’re intentionally running a high-risk test. The callback listener returns a spoofed HTTP 404 response to avoid alerting the target system that the payload was detected.

Key Components

  • CLI (qai ipi commands) — Generate payloads, manage campaigns, monitor hits
  • Callback Server — FastAPI listener that receives and logs execution confirmations
  • Database — Stores campaigns, hits, and campaign metadata
  • Web UI — IPI tab in run results with live hit feed and deployment playbook (when running through the web UI)
  • Guidance Builder — Generates deployment workflows and trigger prompts tailored to your format and target platform

Next Steps

  • CLI Reference — All qai ipi commands and options
  • Techniques — Detailed breakdown of all hiding techniques by format
  • Formats — Implementation status and format-specific capabilities
  • Templates — Document context templates that frame payloads in realistic content
  • Payloads — Payload styles, types, and the --dangerous safety gate
  • Callbacks — Listener setup, hit tracking, and confidence scoring
  • Deployment Playbook — Guided workflow for poisoning and monitoring