Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

WIPI: A New Web Threat for LLM-Driven Web Agents

Fangzhou Wu, Shutong Wu, Yulong Cao, Chaowei Xiao

TL;DR

WIPI identifies a novel, practical threat to LLM-driven Web Agents where malicious indirect prompts embedded in publicly accessible web pages steer agent behavior in a fully online black-box setting. The authors develop a universal prompt template and four stealth-oriented techniques to ensure execution while remaining inconspicuous, and validate the approach across seven plugin-based GPT-4 Web Agents, eight Web GPTs, and three open-source Web Agents with assault success rates exceeding 90%. They show that prompt design, prefix robustness, and stealth strategies significantly shape attack performance, and demonstrate real-world risks through case studies and stealth assessments under existing safeties. The study reveals critical vulnerabilities in current Web Agents and detectors, prompting a push toward more secure architectures and safeguards for web-enabled LLM systems.

Abstract

With the fast development of large language models (LLMs), LLM-driven Web Agents (Web Agents for short) have obtained tons of attention due to their superior capability where LLMs serve as the core part of making decisions like the human brain equipped with multiple web tools to actively interact with external deployed websites. As uncountable Web Agents have been released and such LLM systems are experiencing rapid development and drawing closer to widespread deployment in our daily lives, an essential and pressing question arises: "Are these Web Agents secure?". In this paper, we introduce a novel threat, WIPI, that indirectly controls Web Agent to execute malicious instructions embedded in publicly accessible webpages. To launch a successful WIPI works in a black-box environment. This methodology focuses on the form and content of indirect instructions within external webpages, enhancing the efficiency and stealthiness of the attack. To evaluate the effectiveness of the proposed methodology, we conducted extensive experiments using 7 plugin-based ChatGPT Web Agents, 8 Web GPTs, and 3 different open-source Web Agents. The results reveal that our methodology achieves an average attack success rate (ASR) exceeding 90% even in pure black-box scenarios. Moreover, through an ablation study examining various user prefix instructions, we demonstrated that the WIPI exhibits strong robustness, maintaining high performance across diverse prefix instructions.

WIPI: A New Web Threat for LLM-Driven Web Agents

TL;DR

WIPI identifies a novel, practical threat to LLM-driven Web Agents where malicious indirect prompts embedded in publicly accessible web pages steer agent behavior in a fully online black-box setting. The authors develop a universal prompt template and four stealth-oriented techniques to ensure execution while remaining inconspicuous, and validate the approach across seven plugin-based GPT-4 Web Agents, eight Web GPTs, and three open-source Web Agents with assault success rates exceeding 90%. They show that prompt design, prefix robustness, and stealth strategies significantly shape attack performance, and demonstrate real-world risks through case studies and stealth assessments under existing safeties. The study reveals critical vulnerabilities in current Web Agents and detectors, prompting a push toward more secure architectures and safeguards for web-enabled LLM systems.

Abstract

With the fast development of large language models (LLMs), LLM-driven Web Agents (Web Agents for short) have obtained tons of attention due to their superior capability where LLMs serve as the core part of making decisions like the human brain equipped with multiple web tools to actively interact with external deployed websites. As uncountable Web Agents have been released and such LLM systems are experiencing rapid development and drawing closer to widespread deployment in our daily lives, an essential and pressing question arises: "Are these Web Agents secure?". In this paper, we introduce a novel threat, WIPI, that indirectly controls Web Agent to execute malicious instructions embedded in publicly accessible webpages. To launch a successful WIPI works in a black-box environment. This methodology focuses on the form and content of indirect instructions within external webpages, enhancing the efficiency and stealthiness of the attack. To evaluate the effectiveness of the proposed methodology, we conducted extensive experiments using 7 plugin-based ChatGPT Web Agents, 8 Web GPTs, and 3 different open-source Web Agents. The results reveal that our methodology achieves an average attack success rate (ASR) exceeding 90% even in pure black-box scenarios. Moreover, through an ablation study examining various user prefix instructions, we demonstrated that the WIPI exhibits strong robustness, maintaining high performance across diverse prefix instructions.
Paper Structure (25 sections, 12 figures, 14 tables)

This paper contains 25 sections, 12 figures, 14 tables.

Table of Contents

  1. Introduction
  2. New Web Threat: WIPI
  3. Motivation
  4. Threat Model
  5. Challenges
  6. Methodology
  7. Solutions to Challenges in Retrieval Step.
  8. Solutions to Challenges in Execution Step.
  9. Steathiness in the Wild.
  10. Experiments
  11. Experimental Settings
  12. Main Results
  13. Robustness on Preset Prompts.
  14. Effectiveness of Prompt Template Design
  15. Effectiveness under Stealthiness Strategies
  16. ...and 10 more sections

Figures (12)

  • Figure 1: Overview of practical black-box WIPI attack.
  • Figure 2: Universal indirect instruction template design.
  • Figure 3: During the Execution step of a vanilla attack, 3 challenges arise that hinder the execution of payload instructions.
  • Figure 4: The $ASR_{page}$ of attacking Web GPTs.
  • Figure 5: When ChatGPT accesses page1 via the WebPilot plugin, malicious indirect prompts successfully instruct ChatGPT to visit the target external website.
  • ...and 7 more figures