WebTrap: Stealthy Mid-Task Hijacking of Browser Agents During Navigation

TL;DR

WebTrap introduces a stealthy mid-task hijacking attack on browser agents, effectively combining attack and user goals to exploit navigation vulnerabilities during long-horizon tasks.

Contribution

It presents a novel multi-step instruction fusion hijacking method that maintains system usability while achieving high attack success rates.

Findings

WebTrap achieves high success rates in two browser agent tasks.

The attack remains stealthy, preserving system usability.

Standard defenses cannot easily detect or prevent the hijacking.

Abstract

Browser agents are increasingly deployed in long-horizon tasks, which require executing extended action chains to accomplish user goals. However, this prolonged execution process provides attackers with more opportunities to inject malicious instructions. Existing prompt injection attacks against browser agents expose two key gaps: (1) low effectiveness, as attacks optimized for toy baselines fail to achieve end-to-end goals in real-world scenarios with complex environments and longer steps; (2) weak stealthiness, since most attacks pit the attack goal against the user goal, causing a significant drop in system usability under attack. To address these gaps, we propose WebTrap, a mid-task hijacking injection attack. It employs multi-step instruction fusion steering to seamlessly combine both goals, enabling the agent to resume the original user task after executing the attack goal. Furthermore, we design a context-grounded generation method to align the injected content with the task environment and system instructions, maximizing the hijacking success rate. Extensive experiments on two browser agent tasks, based on extended WASP and InjecAgent environments, demonstrate that our method achieves a high attack success rate while preserving the usability of the original system. We find that WebTrap exploits the agent's navigation vulnerabilities, binding the two goals so tightly that standard defense mechanisms cannot restore the system to normal operation. These findings reveal a critical vulnerability in agent systems during long-horizon tasks that they can be stealthily hijacked.