Pith. sign in

REVIEW 3 major objections 6 minor 106 references

Prismata confines cross-site prompt injection in web agents by deriving least-privilege labels from structural page paths so untrusted content cannot raise what the agent may see or do.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-10 12:18 UTC pith:N3O7MFNU

load-bearing objection Solid systems paper: Biba-on-DOM critical paths plus action gating is a real, annotation-free answer to web-agent XSP, with strong ASR numbers and an honest residual-risk story that still leans hard on LLM-measured Case-3 rarity. the 3 major comments →

arxiv 2607.08147 v1 pith:N3O7MFNU submitted 2026-07-09 cs.CR cs.AI

Prismata: Confining Cross-Site Prompt Injection in Web Agents

classification cs.CR cs.AI
keywords web agentsprompt injectioncross-site promptingleast privilegeBiba integrityDOM confinementcontextual securitymechanical enforcement
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Autonomous web agents treat natural language on a page as instructions, so user reviews, ads, and other third-party text can hijack them the way scripts once hijacked browsers. The hard problem is that a task-specific security policy must be read from page structure that is mixed with the attacker’s own content. Prismata sits between agent and browser and solves this by labeling each interactive element from only its root-to-element path, then mechanically redacting and capability-restricting the observation. Structural cues and a Biba-style no-read-down, no-write-up rule bound labeling mistakes so privileges can only fall, never rise. Across published web-agent attacks, including adaptive ones, attack success falls from roughly 85% to under 1% while ordinary task success stays close to the undefended baseline, and the system needs no per-site developer annotations.

Core claim

A contextual least-privilege defense for web agents can be built without developer annotations by deriving permission labels from restricted structural views of the DOM and enforcing them deterministically. Structural confinement guarantees, inspired by classical integrity models, ensure that any labeling error can only decrease privilege and that mislabelings stay local to paths that actually contain the injection.

What carries the argument

Dynamic trust derivation plus mechanical confinement: each element is labeled from its critical path (action gate) and from recursive Biba-style path parsing that masks children until a trust boundary is locked; the effective capability is the min of both labels, then enforced by redaction and action rejection.

Load-bearing premise

The defense assumes that untrusted content almost never sits on the critical path to an actionable control without a preceding structural cue, so nearly all labeling decisions stay free of the attacker’s text.

What would settle it

Measure a large sample of live interactive pages for the fraction of actionable controls whose root-to-element path contains untrusted content with no earlier structural cue; if that residual rate is high, or if adaptive injections placed exactly on those uncued paths reliably elevate capabilities past the min-label enforcement, the central security claim fails.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Web agents can be given page-level least privilege on existing sites without waiting for developers to annotate untrusted regions.
  • Attack success that depends on out-of-scope actions (password reset, DMs, form exfiltration) becomes mechanically blocked even when the model itself is prompt-injectable.
  • Benign utility under attack rises because the agent is no longer free to follow derailing pop-ups and injected shortcuts.
  • The same path-based labeling and min-capability enforcement can be reapplied whenever the page state is re-captured, so dynamic pages stay under the same policy.
  • Sites that already follow accessibility and semantic-HTML conventions further shrink the residual uncued-path risk.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same critical-path and Biba-parsing idea could be ported to screenshot or multimodal agents by projecting the DOM-derived capability map onto visual regions rather than accessibility-tree nodes.
  • If browsers or frameworks shipped stable provenance or ownership attributes, Case-3 residual risk could be driven near zero without changing Prismata’s enforcement layer.
  • High-privilege tasks that legitimately need full read-write access to user content may still need a quarantined sub-agent pattern layered on top of Prismata.
  • The modular attack/defense harness suggests a practical path for continuous regression testing of new injection templates against confinement defenses.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 6 minor

Summary. Prismata proposes a system-level defense against Cross-Site Prompting (XSP) in autonomous web agents. It enforces contextual least privilege by (i) dynamic trust derivation—action gating over critical DOM paths plus Biba-style no-read-down/no-write-up parsing that labels content origin and capability from ancestry only—and (ii) mechanical confinement that redacts out-of-policy content and rejects over-privileged tool calls. The security argument is a three-case split on injection placement (Table 1, §2.3–2.4): labels are injection-free by construction in Cases 1–2; residual Case 3 is claimed to be empirically rare (~0.1% of paths, ~0.017% under web best practices) from a 90k-path Common Crawl + Mind2Web corpus (§3). End-to-end WebArena experiments with three pop-up attack templates, WASP, and adaptive WA20 stress tests report average ASR falling from 85.5% to 0.7% and task success under attack rising from 4.5% to 23.0%, with benign TSR only 29.9%→26.6%. A 20-observation human validation study supports allowed-element labeling precision, and a modular evaluation framework is released.

Significance. If the structural confinement claims hold, this is a substantial contribution to agent security: it reframes prompt injection on the web as an integrity/confinement problem, applies classical Biba-style rules to DOM ancestry in a way that requires no site-developer annotations, and reports large ASR reductions with modest benign utility loss. Strengths that should be credited include the clean case taxonomy and informal composition argument (§2.3–2.4), the large-scale path corpus (§3), end-to-end results with means and standard deviations over three runs (Tables 2–3), the human labeling validation (§5.3), the deployment cost/caching analysis (§5.4), and the reusable attack/defense evaluation harness (§4). These go beyond typical model-only guardrails and address the web entanglement problem that blocks direct transfer of tool-API defenses such as CaMeL.

major comments (3)
  1. §3 and Table 1: The load-bearing claim that Case 3 is only ~0.10% (0.017% under best practices) of 90,408 untrusted paths rests on LLM provenance and structural-cue annotators, with no reported human audit of the residual 94 paths (or of a stratified sample of cue-positive paths). Because the informal security argument (§2.3–2.4) attributes injection-free labeling to Cases 1–2 and treats residual risk as “empirically rare,” the corpus measurement must be independently validated; otherwise the structural guarantee cannot be separated from annotator error. A human re-label of the residual set (and a sample of Case-2 cues) is needed before the rarity claim can support the security narrative.
  2. §5.2, Tables 2–3: The attack suite (pop-up Shortcut/Completion/Ignore, WASP, adaptive WA20) does not isolate true Case-3 placements—injections on a critical path to an actionable element with no preceding structural cue. Pop-ups are typically external/origin-prunable by the task-only policy model (§2.2), so large ASR reductions may be driven by origin pruning and LLM robustness rather than critical-path isolation and Biba no-read-down. Without a controlled Case-3 stress test (adaptive placement into cue-free paths to in-scope or near-scope actions), the paper cannot attribute the 85.5%→0.7% ASR drop primarily to the structural confinement guarantees advertised in the abstract and §2.3.
  3. §2.3–2.4 and §2.1 Limitations: The composition argument correctly notes that cap(e)=min(cap_gate, cap_biba) and that mechanical enforcement is deterministic, but residual Case-3 risk plus free parameters (choice of labeling/policy LLMs; task-origin policy decisions) are not quantified under adaptive attack on labeling itself. The threat model explicitly allows adaptive attackers against trust derivation “without assuming adversarial robustness of the labeling models,” yet the evaluation does not report ASR when the attacker optimizes for cue-free critical paths or for fooling the action gate/Biba labeler. Either add such an adaptive labeling attack or narrow the security claim to “Cases 1–2 plus origin pruning under the evaluated attack templates.”
minor comments (6)
  1. Fig. 5–6 and §3: Report inter-annotator or model–human agreement for provenance and cue detection on a held-out page sample so readers can calibrate the 1.2%/0.10% figures.
  2. §4.3 / §5.2: ASR and DSR are correctly noted as non-complements; add a short breakdown of “attack failed but defense did not neutralize” vs. “defense neutralized” per template to make Table 2 easier to interpret.
  3. §5.3, Fig. 8–9: The validation study (20 observations, ~20 hours) is useful but small; state confidence intervals or bootstrap variance for precision/recall, and clarify whether experts saw the same restricted critical-path view as the model.
  4. §6.3 / multimodal limitation: The text acknowledges non-textual attacks; a one-sentence statement in the abstract or intro that the evaluation is accessibility-tree/text-primary would set expectations earlier.
  5. Appendix action table and model snapshot tables: Ensure snapshot slugs and providers are consistent with the main-text model names (gpt-5.4-mini vs. nano for agent vs. labeler) so experiments are reproducible.
  6. Terminology: “Cross-Site Prompting (XSP)” is clear; on first use, briefly distinguish it from generic indirect prompt injection to help readers outside the web-agent subcommunity.

Circularity Check

0 steps flagged

No circularity: structural confinement and ASR/TSR results are independent measurements, not forced by construction or self-citation chains.

full rationale

Prismata's core claims rest on (1) a design that isolates labeling to critical paths with Biba-style no-read-down/no-write-up locking so that effective capability is the min of two independent assignments, and (2) end-to-end measurements of ASR/TSR on published attack templates plus a separate 90k-path corpus frequency count. Neither quantity is defined in terms of the other: the action-gate and Biba rules are fixed design choices whose success is then measured externally on WebArena/WASP trajectories; the Case-1/2 coverage percentages are empirical frequencies obtained by LLM annotation of Common Crawl + Mind2Web DOMs, not parameters fitted to the attack-success numbers. The informal composition argument (§2.4) simply enumerates the three placement cases and notes that only Case 3 can expose the labeler; it does not redefine ASR as a function of those cases. Self-citations (e.g., the rllm evaluation harness) are infrastructural and non-load-bearing for the security or utility claims. No uniqueness theorem, ansatz, or fitted scale is imported from prior author work and then re-presented as a prediction. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

2 free parameters · 4 axioms · 3 invented entities

The central security claim rests on classical integrity ideas, empirical web-structure regularities, and commodity LLM labeling accuracy under structural isolation—not on free parameters fitted to the attack success numbers. Residual risk is acknowledged as Case 3 plus model error.

free parameters (2)
  • choice of labeling / policy / agent LLMs (e.g. gpt-5.4-mini, gpt-5.4-nano)
    Model family and size are selected for cost/performance; reported precision/recall and end-to-end rates depend on these choices though multiple models are ablated in the validation study.
  • task-origin policy model decisions (which origins the task requires)
    A separate LLM, given only the task text, decides which provenance classes to prune; this is a free modeling choice that affects both utility and residual attack surface.
axioms (4)
  • domain assumption Sites implement standard XSS mitigations (sanitization, sandboxed ads, CSP); arbitrary same-origin JS is out of scope.
    Stated in §2.1 threat model; classical XSS is excluded so XSP is the residual channel.
  • ad hoc to paper Biba no-read-down / no-write-up applied to DOM ancestry yields injection-free labels whenever a structural cue precedes untrusted content (Case 2).
    Core design of Biba parsing (§2.2–2.3); correctness depends on cue presence measured in §3.
  • domain assumption Agent action space is closed (BrowserGym finite actions; no arbitrary JS execution), so capability-map checks mediate all page actions.
    Enforcement argument in §2.2–2.4; depends on the host agent framework.
  • domain assumption Untrusted content is rare on critical paths (~1.2%) and almost always preceded by structural cues when present.
    Empirical foundation §3 on Common Crawl + Mind2Web; load-bearing for claiming residual Case 3 is ~0.1%.
invented entities (3)
  • Cross-Site Prompting (XSP) independent evidence
    purpose: Name the agent-side analogue of XSS so defenses can target the class rather than individual payloads.
    Defined in the introduction as the attack class Prismata addresses; useful taxonomy but not independently measured outside this framing.
  • Biba parsing (DOM) no independent evidence
    purpose: Recursively label provenance and capability along critical paths with no-read-down / no-write-up so untrusted subtrees can be pruned or locked before exposure.
    Novel procedure introduced in §2; independent evidence is the empirical cue coverage and end-to-end ASR drop, not a separate formal verification.
  • Case 1 / 2 / 3 injection placement taxonomy independent evidence
    purpose: Bound when labeling is injection-free by construction versus residual risk.
    Organizes the security argument (§2.3); residual rate is measured, not postulated.

pith-pipeline@v1.1.0-grok45 · 29583 in / 3120 out tokens · 46751 ms · 2026-07-10T12:18:05.362526+00:00 · methodology

0 comments
read the original abstract

Autonomous web agents promise to automate everyday browsing tasks, but inherit one of the web's oldest attack surfaces. Cross-Site Scripting proved that mixing trusted and untrusted content is dangerous, even on benign pages. Agents resurface this risk by interpreting natural language as instructions, allowing third-party and user-generated content to hijack the agent via prompt injection. The core challenge is that deriving a task-specific security policy requires reasoning over page structure that is entangled with the attacker's content. We present Prismata, a defense enforcing contextual least privilege for web agents, constraining both what the agent sees and what it can do. Prismata's dynamic trust derivation produces permission labels for page content, with structural confinement guarantees, inspired by classical integrity models, that bound any labeling errors so that labels can only decrease in privilege and mislabelings are bounded. Prismata's mechanical confinement enforces these labels by redacting content and restricting agent capabilities. Importantly, these mechanisms require no developer annotations, so Prismata supports the long tail of websites. Across recent published web agent attacks, including adaptive variants, Prismata substantially reduces attack success while preserving benign task utility.

Figures

Figures reproduced from arXiv: 2607.08147 by Alp Eren Ozdarendeli, Corban Villa, Raluca Ada Popa, Sijun Tan.

Figure 1
Figure 1. Figure 1: Cross-Site Prompting (XSP): Eve embeds a prompt [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Web Entanglement Problem: Tool-agent defenses [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Prismata’s Interface: Prismata operates between the web agent and the browser, providing a system-level defense that [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: DOM placements for the three cases. Red marks [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 6
Figure 6. Figure 6: Per-site cache coverage across Mind2Web and Com [PITH_FULL_IMAGE:figures/full_fig_p006_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Attacks Overview: We evaluate Prismata under three pop-up attack templates adapted from Pop-up [ [PITH_FULL_IMAGE:figures/full_fig_p007_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Allowed-element precision, recall, and F1 for the [PITH_FULL_IMAGE:figures/full_fig_p009_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Per-site allowed-element precision, recall, and F1 [PITH_FULL_IMAGE:figures/full_fig_p009_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Deployment cost and caching. Panels A and B com [PITH_FULL_IMAGE:figures/full_fig_p010_10.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

106 extracted references · 106 canonical work pages · 32 internal anchors

  1. [1]

    Sahar Abdelnabi, Aideen Fay, Ahmed Salem, et al . 2025. LLMail-Inject: A Dataset from a Realistic Adaptive Prompt Injection Challenge. InThe Thirty- ninth Annual Conference on Neural Information Processing Systems Datasets and Benchmarks Track. https://openreview.net/forum?id=FhXoETzdfs

  2. [2]

    2024.Developing a computer use model

    Anthropic. 2024.Developing a computer use model. Technical Report. Anthropic

  3. [3]

    Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Martin Vechev. 2024. AI Agents with Formal Security Guarantees. InICML 2024 Next Generation of AI Safety Workshop. https://openreview.net/forum?id=c6jNHPksiZ

  4. [4]

    Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2008. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. InProceedings of the 29th IEEE Symposium on Security and Privacy

  5. [5]

    Muhammad Ahmad Bashir, Sajjad Arshad, William Robertson, and Christo Wil- son. 2016. Tracing Information Flows Between Ad Exchanges Using Retargeted Ads. In25th USENIX Security Symposium. 481–496

  6. [6]

    BerriAI. [n. d.]. LiteLLM. https://github .com/BerriAI/litellm. Accessed August 2025

  7. [7]

    Luca Beurer-Kellner, Beat Buesser, Ana-Maria Creţu, et al. 2025. Design Pat- terns for Securing LLM Agents against Prompt Injections.arXiv preprint arXiv:2506.08837(2025). doi:10.48550/arXiv.2506.08837

  8. [8]

    K. J. Biba. 1977.Integrity Considerations for Secure Computer Systems. Technical Report MTR-3153 (ESD-TR-76-372). The MITRE Corporation

  9. [9]

    Hwan Chang, Yonghyun Jun, and Hwanhee Lee. 2026. ChatInject: Abusing Chat Templates for Prompt Injection in LLM Agents. InThe Fourteenth International Conference on Learning Representations. https://openreview .net/forum?id= WVhgFSKniL

  10. [10]

    Sizhe Chen, Julien Piet, Chawin Sitawarin, and David Wagner. 2024. StruQ: Defending Against Prompt Injection with Structured Queries.arXiv preprint arXiv:2402.06363(2024). doi:10.48550/arXiv.2402.06363

  11. [11]

    Yulin Chen, Tri Cao, Haoran Li, et al . 2026. WebAgentGuard: A Reasoning- Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents. arXiv preprint arXiv:2604.12284(2026). doi:10.48550/arXiv.2604.12284

  12. [12]

    Sarthak Choudhary, Divyam Anshumaan, Nils Palumbo, and Somesh Jha

  13. [13]

    doi:10.48550/arXiv.2507.05630

    How Not to Detect Prompt Injections with an LLM.arXiv preprint arXiv:2507.05630(2025). doi:10.48550/arXiv.2507.05630

  14. [14]

    Common Crawl Foundation. 2026. Common Crawl. https: //registry.opendata.aws/commoncrawl. Accessed April 22, 2026. Crawl collection used: CC-MAIN-2026-12

  15. [15]

    Manuel Costa, Boris Köpf, Aashish Kolluri, Andrew Paverd, Mark Russinovich, Ahmed Salem, Shruti Tople, Lukas Wutschitz, and Santiago Zanella-Béguelin

  16. [16]

    Securing AI Agents with Information-Flow Control

    Securing AI Agents with Information-Flow Control.arXiv preprint arXiv:2505.23643(2025). doi:10.48550/arXiv.2505.23643

  17. [17]

    Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, et al. 2025. Defeating Prompt Injections by Design.arXiv preprint arXiv:2503.18813(2025). doi:10 .48550/ arXiv.2503.18813

  18. [18]

    Edoardo Debenedetti, Jie Zhang, Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr. 2024. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. InThe 38th Conference on Neural Information Processing Systems Datasets and Benchmarks Track. https://openreview.net/forum?id=m1YYAQjO3w

  19. [19]

    Xiang Deng, Yu Gu, Boyuan Zheng, Shijie Chen, Samuel Stevens, Boshi Wang, Huan Sun, and Yu Su. 2023. Mind2Web: Towards a Generalist Agent for the Web.arXiv preprint arXiv:2306.06070(2023). doi:10.48550/arXiv.2306.06070

  20. [20]

    Laradji, Manuel Del Verme, Tom Marty, David Vazquez, Nicolas Chapados, and Alexandre Lacoste

    Alexandre Drouin, Maxime Gasse, Massimo Caccia, Issam H. Laradji, Manuel Del Verme, Tom Marty, David Vazquez, Nicolas Chapados, and Alexandre Lacoste. 2024. WorkArena: How Capable are Web Agents at Solving Common Knowledge Work Tasks?. InProceedings of the 41st International Conference on Machine Learning, Ruslan Salakhutdinov, Zico Kolter, Katherine Hell...

  21. [21]

    Ivan Evtimov, Arman Zharmagambetov, Aaron Grattafiori, Chuan Guo, and Kamalika Chaudhuri. 2025. WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks.arXiv preprint arXiv:2504.18575(2025). doi:10 .48550/ arXiv.2504.18575

  22. [22]

    Hanna Foerster, Tom Blanchard, Kristina Nikolić, Ilia Shumailov, Cheng Zhang, Robert Mullins, Nicolas Papernot, Florian Tramèr, and Yiren Zhao. 2026. CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents.arXiv preprint arXiv:2601.09923(2026). doi:10.48550/arXiv.2601.09923

  23. [23]

    Jiahui Geng, Thy Thy Tran, Preslav Nakov, and Iryna Gurevych. 2025. Con Instruction: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities. InProceedings of the 63rd Annual Meeting of the As- sociation for Computational Linguistics (Volume 1: Long Papers), Wanxiang Che, Joyce Nabende, Ekaterina Shutova, and Mohammad Taher P...

  24. [24]

    Yichen Gong, Delong Ran, Jinyuan Liu, Conglei Wang, Tianshuo Cong, Anyu Wang, Sisi Duan, and Xiaoyun Wang. 2025. FigStep: Jailbreaking Large Vision- Language Models via Typographic Visual Prompts. InProceedings of the Thirty- Ninth AAAI Conference on Artificial Intelligence. AAAI Press, 23951–23959. doi:10.1609/aaai.v39i22.34568

  25. [25]

    Google. 2022. Render creatives using SafeFrame. https://support .google.com/ admanager/answer/6023110?hl=en. Accessed July 2025

  26. [26]

    Google. 2024. Gemini Deep Research. https://gemini .google/overview/deep- research/. Announced December 11, 2024; Accessed August 2025

  27. [27]

    Google. 2025. Architecting Security for Agentic AI. https: //security.googleblog.com/2025/12/architecting-security-for-agentic .html. Accessed April 2026

  28. [28]

    Google. 2025. Use Tag Manager with a Content Security Policy (CSP). https: //developers.google.com/tag-platform/security/guides/csp. Accessed July 2025

  29. [29]

    2024.Buying Spying: Insights into Commercial Surveillance Vendors

    Google Threat Analysis Group. 2024.Buying Spying: Insights into Commercial Surveillance Vendors. Technical Report. Google

  30. [30]

    Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. In Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security. 79–90. doi:10.1145/3605764.3623985

  31. [31]

    2007.XSS Attacks: Cross-Site Scripting Exploits and Defense

    Jeremiah Grossman, Seth Fogie, Robert Hansen, and Anton Rager. 2007.XSS Attacks: Cross-Site Scripting Exploits and Defense. Syngress

  32. [32]

    Sherry He, Brett Hollenbeck, and Davide Proserpio. 2021. The Market for Fake Reviews. InProceedings of the 22nd ACM Conference on Economics and Computation. doi:10.1145/3465456.3467589

  33. [33]

    Pieter Hooimeijer, Benjamin Livshits, David Molnar, Prateek Saxena, and Mar- gus Veanes. 2011. Fast and Precise Sanitizer Analysis with BEK. In20th USENIX Security Symposium (USENIX Security 11). https://www .usenix.org/conference/ usenix-security-11/presentation/fast-and-precise-sanitizer-analysis-bek

  34. [34]

    Haitao Hu, Peng Chen, Yanpeng Zhao, and Yuqi Chen. 2025. AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents.arXiv preprint arXiv:2509.07764(2025). doi:10 .48550/arXiv.2509.07764

  35. [35]

    Yue Huang, Lichao Sun, Haoran Wang, et al. 2024. Position: TrustLLM: Trustwor- thiness in Large Language Models. InProceedings of the 41st International Con- ference on Machine Learning (Proceedings of Machine Learning Research, Vol. 235). PMLR, 20166–20270. https://proceedings.mlr.press/v235/huang24x.html

  36. [36]

    2014.SafeFrames v1.1 Specification

    Interactive Advertising Bureau. 2014.SafeFrames v1.1 Specification. Technical Report. Interactive Advertising Bureau. https://www .iab.com/wp-content/ uploads/2014/08/SafeFrames_v1.1_final.pdf#page=26.73 Accessed July 2025

  37. [37]

    Yuqi Jia, Zedian Shao, Yupei Liu, Jinyuan Jia, Dawn Song, and Neil Zhenqiang Gong. 2025. A Critical Evaluation of Defenses against Prompt Injection Attacks. arXiv preprint arXiv:2505.18333(2025). doi:10.48550/arXiv.2505.18333

  38. [38]

    Yigitcan Kaya, Anton Landerer, Stijn Pletinckx, Michelle Zimmermann, Christo- pher Kruegel, and Giovanni Vigna. 2026. When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins. InProceedings of the IEEE Symposium on Security and Privacy (S&P). doi:10.48550/arXiv.2511.05797

  39. [39]

    Hanna Kim, Minkyoo Song, Seung Ho Na, Seungwon Shin, and Kimin Lee. 2025. When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs. In34th USENIX Security Symposium

  40. [40]

    Jing Yu Koh, Robert Lo, Lawrence Jang, et al . 2024. VisualWebArena: Eval- uating Multimodal Agents on Realistic Visual Web Tasks.arXiv preprint arXiv:2401.13649(2024). doi:10.48550/arXiv.2401.13649

  41. [41]

    Butler W. Lampson. 1973. A Note on the Confinement Problem.Commun. ACM 16, 10 (1973). doi:10.1145/362375.362389

  42. [42]

    Qianlong Lan and Anuj Kaul. 2026. The Cognitive Firewall:Securing Browser Based AI Agents Against Indirect Prompt Injection Via Hybrid Edge Cloud Defense.arXiv preprint arXiv:2603.23791(2026). doi:10 .48550/arXiv.2603.23791

  43. [43]

    Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Ko- rczyński, and Wouter Joosen. 2019. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. InProceedings 2019 Network and Distributed System Security Symposium. doi:10.14722/ndss.2019.23386

  44. [44]

    Ada Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner

  45. [45]

    In25th USENIX Security Symposium

    Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. In25th USENIX Security Symposium

  46. [46]

    Yifan Li, Hangyu Guo, Kun Zhou, Wayne Xin Zhao, and Ji-Rong Wen. 2024. Im- ages Are Achilles’ Heel of Alignment: Exploiting Visual Vulnerabilities for Jail- breaking Multimodal Large Language Models. InComputer Vision - ECCV 2024, Aleš Leonardis, Elisa Ricci, Stefan Roth, Olga Russakovsky, Torsten Sattler, and Gül Varol (Eds.). doi:10.1007/978-3-031-73464-9_11

  47. [47]

    Zeyi Liao, Lingbo Mo, Chejian Xu, Mintong Kang, Jiawei Zhang, Chaowei Xiao, Yuan Tian, Bo Li, and Huan Sun. 2025. EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage.arXiv preprint arXiv:2409.11295 (2025). doi:10.48550/arXiv.2409.11295

  48. [48]

    Yi Liu, Gelei Deng, Yuekang Li, et al. 2023. Prompt Injection Attack against LLM- integrated Applications.arXiv preprint arXiv:2306.05499(2023). doi:10 .48550/ arXiv.2306.05499

  49. [49]

    Yupei Liu, Yuqi Jia, Runpeng Geng, Jinyuan Jia, and Neil Zhenqiang Gong. 2024. Formalizing and Benchmarking Prompt Injection Attacks and Defenses. In33rd USENIX Security Symposium

  50. [50]

    Yupei Liu, Yuqi Jia, Jinyuan Jia, Dawn Song, and Neil Zhenqiang Gong. 2025. DataSentinel: A Game-Theoretic Detection of Prompt Injection Attacks. In2025 IEEE Symposium on Security and Privacy. doi:10.1109/SP61157.2025.00250

  51. [51]

    Haochen Luo, Jindong Gu, Fengyuan Liu, and Philip Torr. 2024. An Image Is Worth 1000 Lies: Transferability of Adversarial Images across Prompts on Vision-Language Models. InThe Twelfth International Conference on Learning Representations. https://openreview.net/forum?id=nc5GgFAvtk

  52. [52]

    Xinbei Ma, Yiting Wang, Yao Yao, Tongxin Yuan, Aston Zhang, Zhuosheng Zhang, and Hai Zhao. 2024. Caution for the Environment: Multimodal Agents Are Susceptible to Environmental Distractions.arXiv preprint arXiv:2408.02544 (2024). doi:10.48550/arXiv.2408.02544

  53. [53]

    Bill Marczak and Donncha Ó Cearbhaill. 2022. Exploit archaeol- ogy: a forensic history of in-the-wild NSO Group exploits. https: //www.virusbulletin.com/conference/vb2022/abstracts/exploit-archaeology- forensic-history-wild-nso-group-exploits. InProceedings of the Virus Bulletin Conference. Virus Bulletin

  54. [54]

    Sami Marreed, Alon Oved, Avi Yaeli, Segev Shlomov, Ido Levy, Offer Akrabi, Aviad Sela, Asaf Adi, and Nir Mashkif. 2025. Towards Enterprise-Ready Computer Using Generalist Agent.arXiv preprint arXiv:2503.01861(2025). doi:10.48550/arXiv.2503.01861

  55. [55]

    MDN contributors. 2025. Content-Security-Policy: sandbox directive. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/ Content-Security-Policy/sandbox. Accessed July 2025

  56. [56]

    MDN contributors. 2025. <iframe>: The Inline Frame element. https: //developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe. Accessed July 2025

  57. [57]

    Luoxi Meng, Henry Feng, Ilia Shumailov, and Earlence Fernandes. 2025. ceLL- Mate: Sandboxing Browser AI Agents.arXiv preprint arXiv:2512.12594(2025). doi:10.48550/arXiv.2512.12594

  58. [58]

    Milad Nasr, Nicholas Carlini, Chawin Sitawarin, et al. 2025. The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections. https://arxiv.org/abs/2510.09023v1

  59. [59]

    ChangSeok Oh, Chris Kanich, Damon McCoy, and Paul Pearce. 2022. Cart-Ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communica- tions Security. 2401–2414. doi:10.1145/3548606.3560641

  60. [60]

    OpenAI. 2025. OpenAI Deep Research. https://openai .com/index/introducing- deep-research/. Announced February 2, 2025; Accessed August 2025

  61. [61]

    OpenAI. 2025. OpenAI Operator. https://openai .com/index/introducing- operator/. Announced January 23, 2025; Accessed August 2025

  62. [62]

    OWASP. [n. d.]. Cross-Site Scripting (XSS). https://owasp .org/www- community/attacks/xss/. Accessed August 2025

  63. [63]

    Fábio Perez and Ian Ribeiro. 2022. Ignore Previous Prompt: Attack Techniques For Language Models. InNeurIPS ML Safety Workshop

  64. [64]

    Perplexity. 2025. Perplexity Deep Research. https://www .perplexity.ai/hub/ blog/introducing-perplexity-deep-research. Announced 2025; Accessed August 2025

  65. [65]

    Saltzer and M.D

    J.H. Saltzer and M.D. Schroeder. 1975. The Protection of Information in Com- puter Systems.Proc. IEEE63, 9 (1975). doi:10.1109/PROC.1975.9939

  66. [66]

    Jiawen Shi, Zenghui Yuan, Guiyao Tie, Pan Zhou, Neil Zhenqiang Gong, and Lichao Sun. 2026. Prompt Injection Attack to Tool Selection in LLM Agents. In Proceedings of the Network and Distributed System Security Symposium (NDSS). doi:10.48550/arXiv.2504.19793

  67. [67]

    Tianneng Shi, Jingxuan He, Zhun Wang, Linyu Wu, Hongwei Li, Wenbo Guo, and Dawn Song. 2025. Progent: Programmable Privilege Control for LLM Agents.arXiv preprint arXiv:2504.11703(2025). doi:10 .48550/arXiv.2504.11703

  68. [68]

    Shoaib Ahmed Siddiqui, Radhika Gaonkar, Boris Köpf, et al . 2024. Permis- sive Information-Flow Analysis for Large Language Models.arXiv preprint arXiv:2410.03055(2024). doi:10.48550/arXiv.2410.03055

  69. [69]

    Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns

  70. [70]

    In23rd USENIX Security Symposium

    Precise Client-side Protection against DOM-based Cross-Site Scripting. In23rd USENIX Security Symposium

  71. [71]

    Georgios Syros, Evan Rose, Brian Grinstead, Christoph Kerschbaumer, William Robertson, Cristina Nita-Rotaru, and Alina Oprea. 2026. MUZZLE: Adaptive Agentic Red-Teaming of Web Agents Against Indirect Prompt Injection Attacks. arXiv preprint arXiv:2602.09222(2026). doi:10.48550/arXiv.2602.09222

  72. [72]

    Sijun Tan, Michael Luo, Colin Cai, et al . 2025. rLLM: A Frame- work for Post-Training Language Agents. https://pretty-radio- b75.notion.site/rLLM-A-Framework-for-Post-Training-Language-Agents- 21b81902c146819db63cd98a54ba5f31

  73. [73]

    Lillian Tsai and Eugene Bagdasarian. 2025. Contextual Agent Security: A Policy for Every Purpose. InProceedings of the Workshop on Hot Topics in Operating Systems. doi:10.1145/3713082.3730378

  74. [74]

    Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christo- pher Krügel, and Giovanni Vigna. 2007. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. InProceedings of the Net- work and Distributed System Security Symposium, NDSS 2007. The Internet Society. https://www .ndss-symposium.org/ndss2007/cross-site-scriptin...

  75. [75]

    Eric Wallace, Kai Xiao, Reimar Leike, Lilian Weng, Johannes Heidecke, and Alex Beutel. 2024. The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions.arXiv preprint arXiv:2404.13208(2024). doi:10 .48550/ arXiv.2404.13208

  76. [76]

    Haowei Wang, Junjie Wang, Xiaojun Jia, Rupeng Zhang, Mingyang Li, Zhe Liu, Yang Liu, and Qing Wang. 2025. AdInject: Real-World Black-Box Attacks on Web Agents via Advertising Delivery.arXiv preprint arXiv:2505.21499(2025). doi:10.48550/arXiv.2505.21499

  77. [77]

    Reachal Wang, Yuqi Jia, and Neil Zhenqiang Gong. 2026. ObliInjection: Order- Oblivious Prompt Injection Attack to LLM Agents with Multi-source Data. In Proceedings of the Network and Distributed System Security Symposium (NDSS)

  78. [78]

    Ruofan Wang, Xingjun Ma, Hanxu Zhou, Chuanjun Ji, Guangnan Ye, and Yu- Gang Jiang. 2024. White-Box Multimodal Jailbreaks Against Large Vision- Language Models. InProceedings of the 32nd ACM International Conference on Multimedia. doi:10.1145/3664647.3681092

  79. [79]

    Xilong Wang, John Bloch, Zedian Shao, Yuepeng Hu, Shuyan Zhou, and Neil Zhenqiang Gong. 2025. EnvInjection: Environmental Prompt Injection Attack to Multi-modal Web Agents.arXiv preprint arXiv:2505.11717(2025). doi:10.48550/arXiv.2505.11717

  80. [80]

    Xilong Wang, Yinuo Liu, Zhun Wang, Dawn Song, and Neil Gong. 2026. Web- Sentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents. (2026). doi:10.48550/ARXIV.2602.03792

Showing first 80 references.