BrowseSafe: Understanding and Preventing Prompt Injection Within AI Browser Agents
Kaiyuan Zhang, Mark Tenenholtz, Kyle Polley, Jerry Ma, Denis Yarats, Ninghui Li
TL;DR
This work addresses the security risks posed by prompt injection in AI browser agents by introducing BrowseSafe-Bench, a large-scale, realistic benchmark that embeds attacker payloads in production-style HTML. It then presents BrowseSafe, a defense-in-depth architecture combining trust-boundary enforcement, content preprocessing, parallel detection with chunking, and context-engineered interventions to protect agent execution. Empirical evaluation across frontier open- and closed-weight models shows that even capable reasoning models remain vulnerable to complex payloads, while BrowseSafe achieves state-of-the-art detection with low latency. The findings highlight the importance of realism in benchmarks, the value of domain-specific fine-tuning, and the practical viability of multi-layered defenses for secure AI browser agents.
Abstract
The integration of artificial intelligence (AI) agents into web browsers introduces security challenges that go beyond traditional web application threat models. Prior work has identified prompt injection as a new attack vector for web agents, yet the resulting impact within real-world environments remains insufficiently understood. In this work, we examine the landscape of prompt injection attacks and synthesize a benchmark of attacks embedded in realistic HTML payloads. Our benchmark goes beyond prior work by emphasizing injections that can influence real-world actions rather than mere text outputs, and by presenting attack payloads with complexity and distractor frequency similar to what real-world agents encounter. We leverage this benchmark to conduct a comprehensive empirical evaluation of existing defenses, assessing their effectiveness across a suite of frontier AI models. We propose a multi-layered defense strategy comprising both architectural and model-based defenses to protect against evolving prompt injection attacks. Our work offers a blueprint for designing practical, secure web agents through a defense-in-depth approach.