Table of Contents
Fetching ...

WebInject: Prompt Injection Attack to Web Agents

Xilong Wang, John Bloch, Zedian Shao, Yuepeng Hu, Shuyan Zhou, Neil Zhenqiang Gong

TL;DR

WebInject addresses the security of MLLM based web agents by introducing a prompt injection attack that perturbs rendered webpage pixels through targeted source code modifications. It formulates the perturbation as a constrained optimization that maximizes the probability of an attacker chosen action while restricting perceptibility and ensuring cross monitor compatibility via a shared overlapping region. To overcome non differentiable mappings between webpage pixels and screenshots, it learns per monitor mapping networks and employs a differentiable resizing coupled with projected gradient descent to compute a universal perturbation implemented through code injection. Extensive experiments across real and synthetic webpages and multiple MLLMs demonstrate that WebInject achieves substantially higher attack success than baselines, underscoring the need for defenses against prompt injection in web agents and highlighting practical risk across diverse monitor setups.

Abstract

Multi-modal large language model (MLLM)-based web agents interact with webpage environments by generating actions based on screenshots of the webpages. In this work, we propose WebInject, a prompt injection attack that manipulates the webpage environment to induce a web agent to perform an attacker-specified action. Our attack adds a perturbation to the raw pixel values of the rendered webpage. After these perturbed pixels are mapped into a screenshot, the perturbation induces the web agent to perform the attacker-specified action. We formulate the task of finding the perturbation as an optimization problem. A key challenge in solving this problem is that the mapping between raw pixel values and screenshot is non-differentiable, making it difficult to backpropagate gradients to the perturbation. To overcome this, we train a neural network to approximate the mapping and apply projected gradient descent to solve the reformulated optimization problem. Extensive evaluation on multiple datasets shows that WebInject is highly effective and significantly outperforms baselines.

WebInject: Prompt Injection Attack to Web Agents

TL;DR

WebInject addresses the security of MLLM based web agents by introducing a prompt injection attack that perturbs rendered webpage pixels through targeted source code modifications. It formulates the perturbation as a constrained optimization that maximizes the probability of an attacker chosen action while restricting perceptibility and ensuring cross monitor compatibility via a shared overlapping region. To overcome non differentiable mappings between webpage pixels and screenshots, it learns per monitor mapping networks and employs a differentiable resizing coupled with projected gradient descent to compute a universal perturbation implemented through code injection. Extensive experiments across real and synthetic webpages and multiple MLLMs demonstrate that WebInject achieves substantially higher attack success than baselines, underscoring the need for defenses against prompt injection in web agents and highlighting practical risk across diverse monitor setups.

Abstract

Multi-modal large language model (MLLM)-based web agents interact with webpage environments by generating actions based on screenshots of the webpages. In this work, we propose WebInject, a prompt injection attack that manipulates the webpage environment to induce a web agent to perform an attacker-specified action. Our attack adds a perturbation to the raw pixel values of the rendered webpage. After these perturbed pixels are mapped into a screenshot, the perturbation induces the web agent to perform the attacker-specified action. We formulate the task of finding the perturbation as an optimization problem. A key challenge in solving this problem is that the mapping between raw pixel values and screenshot is non-differentiable, making it difficult to backpropagate gradients to the perturbation. To overcome this, we train a neural network to approximate the mapping and apply projected gradient descent to solve the reformulated optimization problem. Extensive evaluation on multiple datasets shows that WebInject is highly effective and significantly outperforms baselines.
Paper Structure (14 sections, 5 equations, 14 figures, 12 tables)

This paper contains 14 sections, 5 equations, 14 figures, 12 tables.

Figures (14)

  • Figure 1: Illustration of WebInject.
  • Figure 2: Impact of the number of target monitors and $\epsilon$ on the average ASR of WebInject across five agents.
  • Figure 3: Detailed implementation of simulating monitors. Here, the placeholders width and height in driver.set_window_size(width, height) is the width and height of the target monitor, path_of_source_code refers to the path of source code of the target webpage, and path_of_icc_profile refers to the path of the ICC profile for the target monitor.
  • Figure 4: Examples of pop-ups used in the baseline webpage-based attacks. Each pop-up includes three key elements: (i) an attention hook, (ii) an instruction, and (iii) an information banner. The information banner is put on the coordinate specified in the target action, e.g., (525,196).
  • Figure 5: Examples of the perturbed webpages under different perturbation bound $\epsilon$.
  • ...and 9 more figures