BrowseSafe: Understanding and Preventing Prompt Injection Within AI Browser Agents

TL;DR

This paper investigates prompt injection attacks on AI browser agents, creating a realistic benchmark and evaluating defenses, ultimately proposing a multi-layered strategy to enhance security in web-based AI systems.

Contribution

It introduces a comprehensive benchmark for prompt injection attacks in realistic HTML contexts and evaluates defenses, proposing a multi-layered security approach for AI browser agents.

Findings

Existing defenses have limited effectiveness against complex prompt injections.

The benchmark reveals vulnerabilities in current AI browser agents.

A multi-layered defense strategy improves security against prompt injection attacks.

Abstract

The integration of artificial intelligence (AI) agents into web browsers introduces security challenges that go beyond traditional web application threat models. Prior work has identified prompt injection as a new attack vector for web agents, yet the resulting impact within real-world environments remains insufficiently understood. In this work, we examine the landscape of prompt injection attacks and synthesize a benchmark of attacks embedded in realistic HTML payloads. Our benchmark goes beyond prior work by emphasizing injections that can influence real-world actions rather than mere text outputs, and by presenting attack payloads with complexity and distractor frequency similar to what real-world agents encounter. We leverage this benchmark to conduct a comprehensive empirical evaluation of existing defenses, assessing their effectiveness across a suite of frontier AI models. We propose a multi-layered defense strategy comprising both architectural and model-based defenses to protect against evolving prompt injection attacks. Our work offers a blueprint for designing practical, secure web agents through a defense-in-depth approach.