Back to Blog
Security

Indirect Prompt Injection Attacks Against Web Agents

J
Jiankimr
November 15, 20248 min read

Introduction

In recent years, web agents have become instrumental in maximizing human productivity and efficiency. These agents, powered by LLMs and VLMs, are designed to interpret user interactions within web environments and automatically execute tasks based on user requests. From booking flights and managing finances to providing medical consultations, web agents are increasingly integrated into both everyday life and business operations.

However, alongside these technological advancements, serious security vulnerabilities have emerged as web agents process user data and interact with external web content. Interaction with maliciously crafted environments by attackers can lead to severe issues, such as the leakage of Personally Identifiable Information (PII) or distortion of the agent's intended behavior.

This article delves into the security vulnerabilities of web agents, introducing three advanced attack methods: EIA, AdvWeb, and WIPI.

EIA: Environmental Injection Attack

Environmental Injection Attack (EIA) is an innovative attack method designed to exploit vulnerabilities in VLM-powered web agents, specifically targeting their interactions with malicious environments.

Core Mechanism

EIA involves injecting Persuasive Instructions (PI) into the HTML environment, manipulating web agents to interpret these malicious instructions as legitimate task commands. Attackers strategically insert instructions into specific fields of the HTML, such as aria-label, input placeholder, or hidden attributes. These malicious instructions are made visually undetectable by setting their opacity to zero.

Attack Strategies

  1. Form Injection (FI): Leveraging input fields or aria-label attributes to extract PII.
  2. Mirror Injection (MI): Replicating legitimate elements with malicious counterparts.

Results

  • Specific PII extraction achieved up to a 70% success rate with Mirror Injection
  • Relaxed-EIA recorded a 16% success rate for extracting complete task requests
  • The attack evaded detection by traditional security tools like VirusTotal

AdvWeb: Controllable Black-box Attacks

AdvWeb is a black-box control attack framework aimed at exploring the vulnerabilities of generalized web agents. This framework maintains stealth and control while reducing the search space of adversarial HTML content.

Key Features

  • RLAIF Optimization: Uses Reinforcement Learning from AI Feedback to efficiently optimize adversarial strings
  • Automated Generation: Minimizes reliance on manual input
  • Controllability: Attackers can alter goals by modifying specific portions of the prompt

Results

  • Achieved 97.5% attack success rate on GPT-4V-based SeeAct
  • Maintained 98.5% success rate even when objectives were changed
  • Reinforcement learning improved performance from 69.5% to 97.5%

WIPI: Web Indirect Prompt Injection

WIPI represents a new era of web threats. Unlike traditional attacks which rely on executable code, WIPI leverages natural language prompts embedded in external web content to manipulate Web Agents.

Attack Phases

  1. Retrieval Phase: Web Agents collect content from external websites
  2. Execution Phase: Collected content (including malicious prompts) is processed

Framework Design

  • Malicious prompts strategically placed at the start of web pages
  • Repetition at sentence and paragraph levels reinforces visibility
  • Counter-prompts override system safeguards
  • Stealth techniques: reduced font sizes, matching colors, adjusted opacity

Results

  • Average attack success rate exceeded 90% in black-box environments
  • Open-source Web Agents achieved 100% success rate
  • When applying jailbreaking techniques, attack success reached 100%
  • Popular security tools like VirusTotal and IPQS failed to detect WIPI

Implications and Risks

These studies reveal critical security vulnerabilities:

Privacy Risks

  • Sensitive user data can be extracted through environmental manipulation
  • PII leakage through form and mirror injection attacks

System Manipulation

  • Web agents can be controlled to perform unintended actions
  • Attackers can achieve goals without knowledge of internal systems

Detection Challenges

  • Traditional security tools are ineffective against these attacks
  • Stealth techniques make detection exceedingly difficult

Defense Recommendations

To address these vulnerabilities:

  1. Context-Aware Validation: Implement systems to distinguish malicious prompts from legitimate instructions
  2. Security-Focused Training: Train LLMs with greater emphasis on security
  3. Input Sanitization: Develop robust filtering for external content
  4. Behavior Monitoring: Deploy anomaly detection systems for web agent activities

Conclusion

These studies underscore that as LLM- and VLM-powered web agents continue to evolve, strengthening their security is imperative. To protect user privacy and maintain system trustworthiness, more advanced and robust security techniques are required.

The fact that high-performance LLM agents can autonomously exploit vulnerabilities highlights both the potential and the risks of this technology. Future research must focus on developing practical and efficient countermeasures against these attack methods.

By doing so, VLM-powered web agents can become reliable and secure digital tools, ensuring their place in an increasingly interconnected digital ecosystem.

Back to all posts
AIM Intelligence

Red Dot on Aim Scope's crosshair - detecting, targeting, and eliminating AI threats

Product

AIM Supervisor

Resources

BlogLinkedin

Company

CompanyContact

Copyright © 2026 AIM Intelligence, Inc. All rights reserved.

sales@aim-intelligence.com
Indirect Prompt Injection Attacks Against Web Agents | AIM Intelligence Blog | AIM Intelligence - AI Security & Safety