Hidden-in-Plain-Text: A Benchmark for Social-Web Indirect Prompt Injection in RAG
Haoze Guo, Ziqi Wei
TL;DR
OpenRAG-Soc targets Web-native indirect prompt injection and retrieval poisoning in retrieval-augmented generation by delivering a compact, reproducible ingest→retrieve→generate benchmark with deployable defenses. The framework covers diverse social-Web carriers and enables apples-to-apples evaluation of sanitization, Unicode normalization, and attribution-gated answering across sparse and dense retrievers and multiple LLMs. Key findings show that hygiene defenses substantially reduce instruction-following attacks while preserving utility and keeping latency modest; attribution-gated prompting further strengthens provenance. The work provides actionable, deployable tooling for practitioners to rapidly assess and harden web-facing RAG deployments against real-world web threats.
Abstract
Retrieval-augmented generation (RAG) systems put more and more emphasis on grounding their responses in user-generated content found on the Web, amplifying both their usefulness and their attack surface. Most notably, indirect prompt injection and retrieval poisoning attack the web-native carriers that survive ingestion pipelines and are very concerning. We provide OpenRAG-Soc, a compact, reproducible benchmark-and-harness for web-facing RAG evaluation under these threats, in a discrete data package. The suite combines a social corpus with interchangeable sparse and dense retrievers and deployable mitigations - HTML/Markdown sanitization, Unicode normalization, and attribution-gated answered. It standardizes end-to-end evaluation from ingestion to generation and reports attacks time of one of the responses at answer time, rank shifts in both sparse and dense retrievers, utility and latency, allowing for apples-to-apples comparisons across carriers and defenses. OpenRAG-Soc targets practitioners who need fast, and realistic tests to track risk and harden deployments.
