Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Automating Agent Hijacking via Structural Template Injection

Xinhao Deng, Jiaqing Wu, Miao Chen, Yue Xiao, Ke Xu, Qi Li

TL;DR

Phantom is proposed, an automated agent hijacking framework built upon Structured Template Injection that targets the fundamental architectural mechanisms of LLM agents and significantly outperforms existing baselines in both Attack Success Rate (ASR) and query efficiency.

Abstract

Agent hijacking, highlighted by OWASP as a critical threat to the Large Language Model (LLM) ecosystem, enables adversaries to manipulate execution by injecting malicious instructions into retrieved content. Most existing attacks rely on manually crafted, semantics-driven prompt manipulation, which often yields low attack success rates and limited transferability to closed-source commercial models. In this paper, we propose Phantom, an automated agent hijacking framework built upon Structured Template Injection that targets the fundamental architectural mechanisms of LLM agents. Our key insight is that agents rely on specific chat template tokens to separate system, user, assistant, and tool instructions. By injecting optimized structured templates into the retrieved context, we induce role confusion and cause the agent to misinterpret the injected content as legitimate user instructions or prior tool outputs. To enhance attack transferability against black-box agents, Phantom introduces a novel attack template search framework. We first perform multi-level template augmentation to increase structural diversity and then train a Template Autoencoder (TAE) to embed discrete templates into a continuous, searchable latent space. Subsequently, we apply Bayesian optimization to efficiently identify optimal adversarial vectors that are decoded into high-potency structured templates. Extensive experiments on Qwen, GPT, and Gemini demonstrate that our framework significantly outperforms existing baselines in both Attack Success Rate (ASR) and query efficiency. Moreover, we identified over 70 vulnerabilities in real-world commercial products that have been confirmed by vendors, underscoring the practical severity of structured template-based hijacking and providing an empirical foundation for securing next-generation agentic systems.

Automating Agent Hijacking via Structural Template Injection

TL;DR

Phantom is proposed, an automated agent hijacking framework built upon Structured Template Injection that targets the fundamental architectural mechanisms of LLM agents and significantly outperforms existing baselines in both Attack Success Rate (ASR) and query efficiency.

Abstract

Agent hijacking, highlighted by OWASP as a critical threat to the Large Language Model (LLM) ecosystem, enables adversaries to manipulate execution by injecting malicious instructions into retrieved content. Most existing attacks rely on manually crafted, semantics-driven prompt manipulation, which often yields low attack success rates and limited transferability to closed-source commercial models. In this paper, we propose Phantom, an automated agent hijacking framework built upon Structured Template Injection that targets the fundamental architectural mechanisms of LLM agents. Our key insight is that agents rely on specific chat template tokens to separate system, user, assistant, and tool instructions. By injecting optimized structured templates into the retrieved context, we induce role confusion and cause the agent to misinterpret the injected content as legitimate user instructions or prior tool outputs. To enhance attack transferability against black-box agents, Phantom introduces a novel attack template search framework. We first perform multi-level template augmentation to increase structural diversity and then train a Template Autoencoder (TAE) to embed discrete templates into a continuous, searchable latent space. Subsequently, we apply Bayesian optimization to efficiently identify optimal adversarial vectors that are decoded into high-potency structured templates. Extensive experiments on Qwen, GPT, and Gemini demonstrate that our framework significantly outperforms existing baselines in both Attack Success Rate (ASR) and query efficiency. Moreover, we identified over 70 vulnerabilities in real-world commercial products that have been confirmed by vendors, underscoring the practical severity of structured template-based hijacking and providing an empirical foundation for securing next-generation agentic systems.
Paper Structure (28 sections, 7 equations, 6 figures, 12 tables, 3 algorithms)

This paper contains 28 sections, 7 equations, 6 figures, 12 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. LLM Agents and Chat Templates
  4. Indirect Prompt Injection
  5. Threat Model
  6. Design of Phantom
  7. Key Observation
  8. Overview of Phantom
  9. Design Details
  10. Multi-level Template Augmentation
  11. Latent Space Mapping
  12. Automated Template Search
  13. Evaluation
  14. Experiment Setup
  15. Evaluation on SOTA Agents
  16. ...and 13 more sections

Figures (6)

  • Figure 1: Threat model of Phantom. The adversary injects the structural template into external data sources accessed by the LLM agent, inducing role confusion to hijack the agent's execution flow.
  • Figure 2: The distribution of the Agent's attention over input tokens. Compared to direct injection, structured template injection effectively shifts the Agent's attention from authentic content to the injected prompt.
  • Figure 3: Overview of Phantom.
  • Figure 4: Attack success rates of Phantom across different Agents and scenarios in AgentDojo.
  • Figure 5: ASR convergence over optimization iterations.
  • ...and 1 more figures