REVIEW 3 major objections 6 minor 106 references
Prismata confines cross-site prompt injection in web agents by deriving least-privilege labels from structural page paths so untrusted content cannot raise what the agent may see or do.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-10 12:18 UTC pith:N3O7MFNU
load-bearing objection Solid systems paper: Biba-on-DOM critical paths plus action gating is a real, annotation-free answer to web-agent XSP, with strong ASR numbers and an honest residual-risk story that still leans hard on LLM-measured Case-3 rarity. the 3 major comments →
Prismata: Confining Cross-Site Prompt Injection in Web Agents
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
A contextual least-privilege defense for web agents can be built without developer annotations by deriving permission labels from restricted structural views of the DOM and enforcing them deterministically. Structural confinement guarantees, inspired by classical integrity models, ensure that any labeling error can only decrease privilege and that mislabelings stay local to paths that actually contain the injection.
What carries the argument
Dynamic trust derivation plus mechanical confinement: each element is labeled from its critical path (action gate) and from recursive Biba-style path parsing that masks children until a trust boundary is locked; the effective capability is the min of both labels, then enforced by redaction and action rejection.
Load-bearing premise
The defense assumes that untrusted content almost never sits on the critical path to an actionable control without a preceding structural cue, so nearly all labeling decisions stay free of the attacker’s text.
What would settle it
Measure a large sample of live interactive pages for the fraction of actionable controls whose root-to-element path contains untrusted content with no earlier structural cue; if that residual rate is high, or if adaptive injections placed exactly on those uncued paths reliably elevate capabilities past the min-label enforcement, the central security claim fails.
If this is right
- Web agents can be given page-level least privilege on existing sites without waiting for developers to annotate untrusted regions.
- Attack success that depends on out-of-scope actions (password reset, DMs, form exfiltration) becomes mechanically blocked even when the model itself is prompt-injectable.
- Benign utility under attack rises because the agent is no longer free to follow derailing pop-ups and injected shortcuts.
- The same path-based labeling and min-capability enforcement can be reapplied whenever the page state is re-captured, so dynamic pages stay under the same policy.
- Sites that already follow accessibility and semantic-HTML conventions further shrink the residual uncued-path risk.
Where Pith is reading between the lines
- The same critical-path and Biba-parsing idea could be ported to screenshot or multimodal agents by projecting the DOM-derived capability map onto visual regions rather than accessibility-tree nodes.
- If browsers or frameworks shipped stable provenance or ownership attributes, Case-3 residual risk could be driven near zero without changing Prismata’s enforcement layer.
- High-privilege tasks that legitimately need full read-write access to user content may still need a quarantined sub-agent pattern layered on top of Prismata.
- The modular attack/defense harness suggests a practical path for continuous regression testing of new injection templates against confinement defenses.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. Prismata proposes a system-level defense against Cross-Site Prompting (XSP) in autonomous web agents. It enforces contextual least privilege by (i) dynamic trust derivation—action gating over critical DOM paths plus Biba-style no-read-down/no-write-up parsing that labels content origin and capability from ancestry only—and (ii) mechanical confinement that redacts out-of-policy content and rejects over-privileged tool calls. The security argument is a three-case split on injection placement (Table 1, §2.3–2.4): labels are injection-free by construction in Cases 1–2; residual Case 3 is claimed to be empirically rare (~0.1% of paths, ~0.017% under web best practices) from a 90k-path Common Crawl + Mind2Web corpus (§3). End-to-end WebArena experiments with three pop-up attack templates, WASP, and adaptive WA20 stress tests report average ASR falling from 85.5% to 0.7% and task success under attack rising from 4.5% to 23.0%, with benign TSR only 29.9%→26.6%. A 20-observation human validation study supports allowed-element labeling precision, and a modular evaluation framework is released.
Significance. If the structural confinement claims hold, this is a substantial contribution to agent security: it reframes prompt injection on the web as an integrity/confinement problem, applies classical Biba-style rules to DOM ancestry in a way that requires no site-developer annotations, and reports large ASR reductions with modest benign utility loss. Strengths that should be credited include the clean case taxonomy and informal composition argument (§2.3–2.4), the large-scale path corpus (§3), end-to-end results with means and standard deviations over three runs (Tables 2–3), the human labeling validation (§5.3), the deployment cost/caching analysis (§5.4), and the reusable attack/defense evaluation harness (§4). These go beyond typical model-only guardrails and address the web entanglement problem that blocks direct transfer of tool-API defenses such as CaMeL.
major comments (3)
- §3 and Table 1: The load-bearing claim that Case 3 is only ~0.10% (0.017% under best practices) of 90,408 untrusted paths rests on LLM provenance and structural-cue annotators, with no reported human audit of the residual 94 paths (or of a stratified sample of cue-positive paths). Because the informal security argument (§2.3–2.4) attributes injection-free labeling to Cases 1–2 and treats residual risk as “empirically rare,” the corpus measurement must be independently validated; otherwise the structural guarantee cannot be separated from annotator error. A human re-label of the residual set (and a sample of Case-2 cues) is needed before the rarity claim can support the security narrative.
- §5.2, Tables 2–3: The attack suite (pop-up Shortcut/Completion/Ignore, WASP, adaptive WA20) does not isolate true Case-3 placements—injections on a critical path to an actionable element with no preceding structural cue. Pop-ups are typically external/origin-prunable by the task-only policy model (§2.2), so large ASR reductions may be driven by origin pruning and LLM robustness rather than critical-path isolation and Biba no-read-down. Without a controlled Case-3 stress test (adaptive placement into cue-free paths to in-scope or near-scope actions), the paper cannot attribute the 85.5%→0.7% ASR drop primarily to the structural confinement guarantees advertised in the abstract and §2.3.
- §2.3–2.4 and §2.1 Limitations: The composition argument correctly notes that cap(e)=min(cap_gate, cap_biba) and that mechanical enforcement is deterministic, but residual Case-3 risk plus free parameters (choice of labeling/policy LLMs; task-origin policy decisions) are not quantified under adaptive attack on labeling itself. The threat model explicitly allows adaptive attackers against trust derivation “without assuming adversarial robustness of the labeling models,” yet the evaluation does not report ASR when the attacker optimizes for cue-free critical paths or for fooling the action gate/Biba labeler. Either add such an adaptive labeling attack or narrow the security claim to “Cases 1–2 plus origin pruning under the evaluated attack templates.”
minor comments (6)
- Fig. 5–6 and §3: Report inter-annotator or model–human agreement for provenance and cue detection on a held-out page sample so readers can calibrate the 1.2%/0.10% figures.
- §4.3 / §5.2: ASR and DSR are correctly noted as non-complements; add a short breakdown of “attack failed but defense did not neutralize” vs. “defense neutralized” per template to make Table 2 easier to interpret.
- §5.3, Fig. 8–9: The validation study (20 observations, ~20 hours) is useful but small; state confidence intervals or bootstrap variance for precision/recall, and clarify whether experts saw the same restricted critical-path view as the model.
- §6.3 / multimodal limitation: The text acknowledges non-textual attacks; a one-sentence statement in the abstract or intro that the evaluation is accessibility-tree/text-primary would set expectations earlier.
- Appendix action table and model snapshot tables: Ensure snapshot slugs and providers are consistent with the main-text model names (gpt-5.4-mini vs. nano for agent vs. labeler) so experiments are reproducible.
- Terminology: “Cross-Site Prompting (XSP)” is clear; on first use, briefly distinguish it from generic indirect prompt injection to help readers outside the web-agent subcommunity.
Circularity Check
No circularity: structural confinement and ASR/TSR results are independent measurements, not forced by construction or self-citation chains.
full rationale
Prismata's core claims rest on (1) a design that isolates labeling to critical paths with Biba-style no-read-down/no-write-up locking so that effective capability is the min of two independent assignments, and (2) end-to-end measurements of ASR/TSR on published attack templates plus a separate 90k-path corpus frequency count. Neither quantity is defined in terms of the other: the action-gate and Biba rules are fixed design choices whose success is then measured externally on WebArena/WASP trajectories; the Case-1/2 coverage percentages are empirical frequencies obtained by LLM annotation of Common Crawl + Mind2Web DOMs, not parameters fitted to the attack-success numbers. The informal composition argument (§2.4) simply enumerates the three placement cases and notes that only Case 3 can expose the labeler; it does not redefine ASR as a function of those cases. Self-citations (e.g., the rllm evaluation harness) are infrastructural and non-load-bearing for the security or utility claims. No uniqueness theorem, ansatz, or fitted scale is imported from prior author work and then re-presented as a prediction. The derivation chain is therefore self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
free parameters (2)
- choice of labeling / policy / agent LLMs (e.g. gpt-5.4-mini, gpt-5.4-nano)
- task-origin policy model decisions (which origins the task requires)
axioms (4)
- domain assumption Sites implement standard XSS mitigations (sanitization, sandboxed ads, CSP); arbitrary same-origin JS is out of scope.
- ad hoc to paper Biba no-read-down / no-write-up applied to DOM ancestry yields injection-free labels whenever a structural cue precedes untrusted content (Case 2).
- domain assumption Agent action space is closed (BrowserGym finite actions; no arbitrary JS execution), so capability-map checks mediate all page actions.
- domain assumption Untrusted content is rare on critical paths (~1.2%) and almost always preceded by structural cues when present.
invented entities (3)
-
Cross-Site Prompting (XSP)
independent evidence
-
Biba parsing (DOM)
no independent evidence
-
Case 1 / 2 / 3 injection placement taxonomy
independent evidence
read the original abstract
Autonomous web agents promise to automate everyday browsing tasks, but inherit one of the web's oldest attack surfaces. Cross-Site Scripting proved that mixing trusted and untrusted content is dangerous, even on benign pages. Agents resurface this risk by interpreting natural language as instructions, allowing third-party and user-generated content to hijack the agent via prompt injection. The core challenge is that deriving a task-specific security policy requires reasoning over page structure that is entangled with the attacker's content. We present Prismata, a defense enforcing contextual least privilege for web agents, constraining both what the agent sees and what it can do. Prismata's dynamic trust derivation produces permission labels for page content, with structural confinement guarantees, inspired by classical integrity models, that bound any labeling errors so that labels can only decrease in privilege and mislabelings are bounded. Prismata's mechanical confinement enforces these labels by redacting content and restricting agent capabilities. Importantly, these mechanisms require no developer annotations, so Prismata supports the long tail of websites. Across recent published web agent attacks, including adaptive variants, Prismata substantially reduces attack success while preserving benign task utility.
Figures
Reference graph
Works this paper leans on
-
[1]
Sahar Abdelnabi, Aideen Fay, Ahmed Salem, et al . 2025. LLMail-Inject: A Dataset from a Realistic Adaptive Prompt Injection Challenge. InThe Thirty- ninth Annual Conference on Neural Information Processing Systems Datasets and Benchmarks Track. https://openreview.net/forum?id=FhXoETzdfs
work page 2025
-
[2]
2024.Developing a computer use model
Anthropic. 2024.Developing a computer use model. Technical Report. Anthropic
work page 2024
-
[3]
Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Martin Vechev. 2024. AI Agents with Formal Security Guarantees. InICML 2024 Next Generation of AI Safety Workshop. https://openreview.net/forum?id=c6jNHPksiZ
work page 2024
-
[4]
Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2008. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. InProceedings of the 29th IEEE Symposium on Security and Privacy
work page 2008
-
[5]
Muhammad Ahmad Bashir, Sajjad Arshad, William Robertson, and Christo Wil- son. 2016. Tracing Information Flows Between Ad Exchanges Using Retargeted Ads. In25th USENIX Security Symposium. 481–496
work page 2016
-
[6]
BerriAI. [n. d.]. LiteLLM. https://github .com/BerriAI/litellm. Accessed August 2025
work page 2025
-
[7]
Luca Beurer-Kellner, Beat Buesser, Ana-Maria Creţu, et al. 2025. Design Pat- terns for Securing LLM Agents against Prompt Injections.arXiv preprint arXiv:2506.08837(2025). doi:10.48550/arXiv.2506.08837
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2506.08837 2025
-
[8]
K. J. Biba. 1977.Integrity Considerations for Secure Computer Systems. Technical Report MTR-3153 (ESD-TR-76-372). The MITRE Corporation
work page 1977
-
[9]
Hwan Chang, Yonghyun Jun, and Hwanhee Lee. 2026. ChatInject: Abusing Chat Templates for Prompt Injection in LLM Agents. InThe Fourteenth International Conference on Learning Representations. https://openreview .net/forum?id= WVhgFSKniL
work page 2026
-
[10]
Sizhe Chen, Julien Piet, Chawin Sitawarin, and David Wagner. 2024. StruQ: Defending Against Prompt Injection with Structured Queries.arXiv preprint arXiv:2402.06363(2024). doi:10.48550/arXiv.2402.06363
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2402.06363 2024
-
[11]
Yulin Chen, Tri Cao, Haoran Li, et al . 2026. WebAgentGuard: A Reasoning- Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents. arXiv preprint arXiv:2604.12284(2026). doi:10.48550/arXiv.2604.12284
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2604.12284 2026
-
[12]
Sarthak Choudhary, Divyam Anshumaan, Nils Palumbo, and Somesh Jha
-
[13]
How Not to Detect Prompt Injections with an LLM.arXiv preprint arXiv:2507.05630(2025). doi:10.48550/arXiv.2507.05630
-
[14]
Common Crawl Foundation. 2026. Common Crawl. https: //registry.opendata.aws/commoncrawl. Accessed April 22, 2026. Crawl collection used: CC-MAIN-2026-12
work page 2026
-
[15]
Manuel Costa, Boris Köpf, Aashish Kolluri, Andrew Paverd, Mark Russinovich, Ahmed Salem, Shruti Tople, Lukas Wutschitz, and Santiago Zanella-Béguelin
-
[16]
Securing AI Agents with Information-Flow Control
Securing AI Agents with Information-Flow Control.arXiv preprint arXiv:2505.23643(2025). doi:10.48550/arXiv.2505.23643
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2505.23643 2025
-
[17]
Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, et al. 2025. Defeating Prompt Injections by Design.arXiv preprint arXiv:2503.18813(2025). doi:10 .48550/ arXiv.2503.18813
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[18]
Edoardo Debenedetti, Jie Zhang, Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr. 2024. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. InThe 38th Conference on Neural Information Processing Systems Datasets and Benchmarks Track. https://openreview.net/forum?id=m1YYAQjO3w
work page 2024
-
[19]
Xiang Deng, Yu Gu, Boyuan Zheng, Shijie Chen, Samuel Stevens, Boshi Wang, Huan Sun, and Yu Su. 2023. Mind2Web: Towards a Generalist Agent for the Web.arXiv preprint arXiv:2306.06070(2023). doi:10.48550/arXiv.2306.06070
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2306.06070 2023
-
[20]
Laradji, Manuel Del Verme, Tom Marty, David Vazquez, Nicolas Chapados, and Alexandre Lacoste
Alexandre Drouin, Maxime Gasse, Massimo Caccia, Issam H. Laradji, Manuel Del Verme, Tom Marty, David Vazquez, Nicolas Chapados, and Alexandre Lacoste. 2024. WorkArena: How Capable are Web Agents at Solving Common Knowledge Work Tasks?. InProceedings of the 41st International Conference on Machine Learning, Ruslan Salakhutdinov, Zico Kolter, Katherine Hell...
work page 2024
-
[21]
Ivan Evtimov, Arman Zharmagambetov, Aaron Grattafiori, Chuan Guo, and Kamalika Chaudhuri. 2025. WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks.arXiv preprint arXiv:2504.18575(2025). doi:10 .48550/ arXiv.2504.18575
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[22]
Hanna Foerster, Tom Blanchard, Kristina Nikolić, Ilia Shumailov, Cheng Zhang, Robert Mullins, Nicolas Papernot, Florian Tramèr, and Yiren Zhao. 2026. CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents.arXiv preprint arXiv:2601.09923(2026). doi:10.48550/arXiv.2601.09923
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2601.09923 2026
-
[23]
Jiahui Geng, Thy Thy Tran, Preslav Nakov, and Iryna Gurevych. 2025. Con Instruction: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities. InProceedings of the 63rd Annual Meeting of the As- sociation for Computational Linguistics (Volume 1: Long Papers), Wanxiang Che, Joyce Nabende, Ekaterina Shutova, and Mohammad Taher P...
-
[24]
Yichen Gong, Delong Ran, Jinyuan Liu, Conglei Wang, Tianshuo Cong, Anyu Wang, Sisi Duan, and Xiaoyun Wang. 2025. FigStep: Jailbreaking Large Vision- Language Models via Typographic Visual Prompts. InProceedings of the Thirty- Ninth AAAI Conference on Artificial Intelligence. AAAI Press, 23951–23959. doi:10.1609/aaai.v39i22.34568
- [25]
-
[26]
Google. 2024. Gemini Deep Research. https://gemini .google/overview/deep- research/. Announced December 11, 2024; Accessed August 2025
work page 2024
-
[27]
Google. 2025. Architecting Security for Agentic AI. https: //security.googleblog.com/2025/12/architecting-security-for-agentic .html. Accessed April 2026
work page 2025
-
[28]
Google. 2025. Use Tag Manager with a Content Security Policy (CSP). https: //developers.google.com/tag-platform/security/guides/csp. Accessed July 2025
work page 2025
-
[29]
2024.Buying Spying: Insights into Commercial Surveillance Vendors
Google Threat Analysis Group. 2024.Buying Spying: Insights into Commercial Surveillance Vendors. Technical Report. Google
work page 2024
-
[30]
Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. In Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security. 79–90. doi:10.1145/3605764.3623985
-
[31]
2007.XSS Attacks: Cross-Site Scripting Exploits and Defense
Jeremiah Grossman, Seth Fogie, Robert Hansen, and Anton Rager. 2007.XSS Attacks: Cross-Site Scripting Exploits and Defense. Syngress
work page 2007
-
[32]
Sherry He, Brett Hollenbeck, and Davide Proserpio. 2021. The Market for Fake Reviews. InProceedings of the 22nd ACM Conference on Economics and Computation. doi:10.1145/3465456.3467589
-
[33]
Pieter Hooimeijer, Benjamin Livshits, David Molnar, Prateek Saxena, and Mar- gus Veanes. 2011. Fast and Precise Sanitizer Analysis with BEK. In20th USENIX Security Symposium (USENIX Security 11). https://www .usenix.org/conference/ usenix-security-11/presentation/fast-and-precise-sanitizer-analysis-bek
work page 2011
-
[34]
Haitao Hu, Peng Chen, Yanpeng Zhao, and Yuqi Chen. 2025. AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents.arXiv preprint arXiv:2509.07764(2025). doi:10 .48550/arXiv.2509.07764
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[35]
Yue Huang, Lichao Sun, Haoran Wang, et al. 2024. Position: TrustLLM: Trustwor- thiness in Large Language Models. InProceedings of the 41st International Con- ference on Machine Learning (Proceedings of Machine Learning Research, Vol. 235). PMLR, 20166–20270. https://proceedings.mlr.press/v235/huang24x.html
work page 2024
-
[36]
2014.SafeFrames v1.1 Specification
Interactive Advertising Bureau. 2014.SafeFrames v1.1 Specification. Technical Report. Interactive Advertising Bureau. https://www .iab.com/wp-content/ uploads/2014/08/SafeFrames_v1.1_final.pdf#page=26.73 Accessed July 2025
work page 2014
-
[37]
Yuqi Jia, Zedian Shao, Yupei Liu, Jinyuan Jia, Dawn Song, and Neil Zhenqiang Gong. 2025. A Critical Evaluation of Defenses against Prompt Injection Attacks. arXiv preprint arXiv:2505.18333(2025). doi:10.48550/arXiv.2505.18333
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2505.18333 2025
-
[38]
Yigitcan Kaya, Anton Landerer, Stijn Pletinckx, Michelle Zimmermann, Christo- pher Kruegel, and Giovanni Vigna. 2026. When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins. InProceedings of the IEEE Symposium on Security and Privacy (S&P). doi:10.48550/arXiv.2511.05797
-
[39]
Hanna Kim, Minkyoo Song, Seung Ho Na, Seungwon Shin, and Kimin Lee. 2025. When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs. In34th USENIX Security Symposium
work page 2025
-
[40]
Jing Yu Koh, Robert Lo, Lawrence Jang, et al . 2024. VisualWebArena: Eval- uating Multimodal Agents on Realistic Visual Web Tasks.arXiv preprint arXiv:2401.13649(2024). doi:10.48550/arXiv.2401.13649
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2401.13649 2024
-
[41]
Butler W. Lampson. 1973. A Note on the Confinement Problem.Commun. ACM 16, 10 (1973). doi:10.1145/362375.362389
- [42]
-
[43]
Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Ko- rczyński, and Wouter Joosen. 2019. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. InProceedings 2019 Network and Distributed System Security Symposium. doi:10.14722/ndss.2019.23386
-
[44]
Ada Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner
-
[45]
In25th USENIX Security Symposium
Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. In25th USENIX Security Symposium
work page 1996
-
[46]
Yifan Li, Hangyu Guo, Kun Zhou, Wayne Xin Zhao, and Ji-Rong Wen. 2024. Im- ages Are Achilles’ Heel of Alignment: Exploiting Visual Vulnerabilities for Jail- breaking Multimodal Large Language Models. InComputer Vision - ECCV 2024, Aleš Leonardis, Elisa Ricci, Stefan Roth, Olga Russakovsky, Torsten Sattler, and Gül Varol (Eds.). doi:10.1007/978-3-031-73464-9_11
-
[47]
Zeyi Liao, Lingbo Mo, Chejian Xu, Mintong Kang, Jiawei Zhang, Chaowei Xiao, Yuan Tian, Bo Li, and Huan Sun. 2025. EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage.arXiv preprint arXiv:2409.11295 (2025). doi:10.48550/arXiv.2409.11295
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2409.11295 2025
-
[48]
Yi Liu, Gelei Deng, Yuekang Li, et al. 2023. Prompt Injection Attack against LLM- integrated Applications.arXiv preprint arXiv:2306.05499(2023). doi:10 .48550/ arXiv.2306.05499
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[49]
Yupei Liu, Yuqi Jia, Runpeng Geng, Jinyuan Jia, and Neil Zhenqiang Gong. 2024. Formalizing and Benchmarking Prompt Injection Attacks and Defenses. In33rd USENIX Security Symposium
work page 2024
-
[50]
Yupei Liu, Yuqi Jia, Jinyuan Jia, Dawn Song, and Neil Zhenqiang Gong. 2025. DataSentinel: A Game-Theoretic Detection of Prompt Injection Attacks. In2025 IEEE Symposium on Security and Privacy. doi:10.1109/SP61157.2025.00250
-
[51]
Haochen Luo, Jindong Gu, Fengyuan Liu, and Philip Torr. 2024. An Image Is Worth 1000 Lies: Transferability of Adversarial Images across Prompts on Vision-Language Models. InThe Twelfth International Conference on Learning Representations. https://openreview.net/forum?id=nc5GgFAvtk
work page 2024
-
[52]
Xinbei Ma, Yiting Wang, Yao Yao, Tongxin Yuan, Aston Zhang, Zhuosheng Zhang, and Hai Zhao. 2024. Caution for the Environment: Multimodal Agents Are Susceptible to Environmental Distractions.arXiv preprint arXiv:2408.02544 (2024). doi:10.48550/arXiv.2408.02544
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2408.02544 2024
-
[53]
Bill Marczak and Donncha Ó Cearbhaill. 2022. Exploit archaeol- ogy: a forensic history of in-the-wild NSO Group exploits. https: //www.virusbulletin.com/conference/vb2022/abstracts/exploit-archaeology- forensic-history-wild-nso-group-exploits. InProceedings of the Virus Bulletin Conference. Virus Bulletin
work page 2022
-
[54]
Sami Marreed, Alon Oved, Avi Yaeli, Segev Shlomov, Ido Levy, Offer Akrabi, Aviad Sela, Asaf Adi, and Nir Mashkif. 2025. Towards Enterprise-Ready Computer Using Generalist Agent.arXiv preprint arXiv:2503.01861(2025). doi:10.48550/arXiv.2503.01861
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2503.01861 2025
-
[55]
MDN contributors. 2025. Content-Security-Policy: sandbox directive. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/ Content-Security-Policy/sandbox. Accessed July 2025
work page 2025
-
[56]
MDN contributors. 2025. <iframe>: The Inline Frame element. https: //developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe. Accessed July 2025
work page 2025
-
[57]
Luoxi Meng, Henry Feng, Ilia Shumailov, and Earlence Fernandes. 2025. ceLL- Mate: Sandboxing Browser AI Agents.arXiv preprint arXiv:2512.12594(2025). doi:10.48550/arXiv.2512.12594
-
[58]
Milad Nasr, Nicholas Carlini, Chawin Sitawarin, et al. 2025. The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections. https://arxiv.org/abs/2510.09023v1
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[59]
ChangSeok Oh, Chris Kanich, Damon McCoy, and Paul Pearce. 2022. Cart-Ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communica- tions Security. 2401–2414. doi:10.1145/3548606.3560641
-
[60]
OpenAI. 2025. OpenAI Deep Research. https://openai .com/index/introducing- deep-research/. Announced February 2, 2025; Accessed August 2025
work page 2025
-
[61]
OpenAI. 2025. OpenAI Operator. https://openai .com/index/introducing- operator/. Announced January 23, 2025; Accessed August 2025
work page 2025
-
[62]
OWASP. [n. d.]. Cross-Site Scripting (XSS). https://owasp .org/www- community/attacks/xss/. Accessed August 2025
work page 2025
-
[63]
Fábio Perez and Ian Ribeiro. 2022. Ignore Previous Prompt: Attack Techniques For Language Models. InNeurIPS ML Safety Workshop
work page 2022
-
[64]
Perplexity. 2025. Perplexity Deep Research. https://www .perplexity.ai/hub/ blog/introducing-perplexity-deep-research. Announced 2025; Accessed August 2025
work page 2025
-
[65]
J.H. Saltzer and M.D. Schroeder. 1975. The Protection of Information in Com- puter Systems.Proc. IEEE63, 9 (1975). doi:10.1109/PROC.1975.9939
-
[66]
Jiawen Shi, Zenghui Yuan, Guiyao Tie, Pan Zhou, Neil Zhenqiang Gong, and Lichao Sun. 2026. Prompt Injection Attack to Tool Selection in LLM Agents. In Proceedings of the Network and Distributed System Security Symposium (NDSS). doi:10.48550/arXiv.2504.19793
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2504.19793 2026
-
[67]
Tianneng Shi, Jingxuan He, Zhun Wang, Linyu Wu, Hongwei Li, Wenbo Guo, and Dawn Song. 2025. Progent: Programmable Privilege Control for LLM Agents.arXiv preprint arXiv:2504.11703(2025). doi:10 .48550/arXiv.2504.11703
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[68]
Shoaib Ahmed Siddiqui, Radhika Gaonkar, Boris Köpf, et al . 2024. Permis- sive Information-Flow Analysis for Large Language Models.arXiv preprint arXiv:2410.03055(2024). doi:10.48550/arXiv.2410.03055
-
[69]
Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns
-
[70]
In23rd USENIX Security Symposium
Precise Client-side Protection against DOM-based Cross-Site Scripting. In23rd USENIX Security Symposium
-
[71]
Georgios Syros, Evan Rose, Brian Grinstead, Christoph Kerschbaumer, William Robertson, Cristina Nita-Rotaru, and Alina Oprea. 2026. MUZZLE: Adaptive Agentic Red-Teaming of Web Agents Against Indirect Prompt Injection Attacks. arXiv preprint arXiv:2602.09222(2026). doi:10.48550/arXiv.2602.09222
-
[72]
Sijun Tan, Michael Luo, Colin Cai, et al . 2025. rLLM: A Frame- work for Post-Training Language Agents. https://pretty-radio- b75.notion.site/rLLM-A-Framework-for-Post-Training-Language-Agents- 21b81902c146819db63cd98a54ba5f31
work page 2025
-
[73]
Lillian Tsai and Eugene Bagdasarian. 2025. Contextual Agent Security: A Policy for Every Purpose. InProceedings of the Workshop on Hot Topics in Operating Systems. doi:10.1145/3713082.3730378
-
[74]
Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christo- pher Krügel, and Giovanni Vigna. 2007. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. InProceedings of the Net- work and Distributed System Security Symposium, NDSS 2007. The Internet Society. https://www .ndss-symposium.org/ndss2007/cross-site-scriptin...
work page 2007
-
[75]
Eric Wallace, Kai Xiao, Reimar Leike, Lilian Weng, Johannes Heidecke, and Alex Beutel. 2024. The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions.arXiv preprint arXiv:2404.13208(2024). doi:10 .48550/ arXiv.2404.13208
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[76]
Haowei Wang, Junjie Wang, Xiaojun Jia, Rupeng Zhang, Mingyang Li, Zhe Liu, Yang Liu, and Qing Wang. 2025. AdInject: Real-World Black-Box Attacks on Web Agents via Advertising Delivery.arXiv preprint arXiv:2505.21499(2025). doi:10.48550/arXiv.2505.21499
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2505.21499 2025
-
[77]
Reachal Wang, Yuqi Jia, and Neil Zhenqiang Gong. 2026. ObliInjection: Order- Oblivious Prompt Injection Attack to LLM Agents with Multi-source Data. In Proceedings of the Network and Distributed System Security Symposium (NDSS)
work page 2026
-
[78]
Ruofan Wang, Xingjun Ma, Hanxu Zhou, Chuanjun Ji, Guangnan Ye, and Yu- Gang Jiang. 2024. White-Box Multimodal Jailbreaks Against Large Vision- Language Models. InProceedings of the 32nd ACM International Conference on Multimedia. doi:10.1145/3664647.3681092
-
[79]
Xilong Wang, John Bloch, Zedian Shao, Yuepeng Hu, Shuyan Zhou, and Neil Zhenqiang Gong. 2025. EnvInjection: Environmental Prompt Injection Attack to Multi-modal Web Agents.arXiv preprint arXiv:2505.11717(2025). doi:10.48550/arXiv.2505.11717
-
[80]
Xilong Wang, Yinuo Liu, Zhun Wang, Dawn Song, and Neil Gong. 2026. Web- Sentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents. (2026). doi:10.48550/ARXIV.2602.03792
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.