Manipulating LLM Web Agents with Indirect Prompt Injection Attack via HTML Accessibility Tree
This work highlights critical security risks for users and developers of LLM-driven autonomous web agents, as it exposes a novel attack vector that could lead to malicious actions.
The paper demonstrates that LLM-based web navigation agents are vulnerable to Indirect Prompt Injection attacks, where adversaries embed adversarial triggers in webpage HTML to hijack agent behavior, achieving high success rates in attacks like credential exfiltration and forced ad clicks.
This work demonstrates that LLM-based web navigation agents offer powerful automation capabilities but are vulnerable to Indirect Prompt Injection (IPI) attacks. We show that adversaries can embed universal adversarial triggers in webpage HTML to hijack agent behavior that utilizes the accessibility tree to parse HTML, causing unintended or malicious actions. Using the Greedy Coordinate Gradient (GCG) algorithm and a Browser Gym agent powered by Llama-3.1, our system demonstrates high success rates across real websites in both targeted and general attacks, including login credential exfiltration and forced ad clicks. Our empirical results highlight critical security risks and the need for stronger defenses as LLM-driven autonomous web agents become more widely adopted. The system software (https://github.com/sej2020/manipulating-web-agents) is released under the MIT License, with an accompanying publicly available demo website (http://lethaiq.github.io/attack-web-llm-agent).