WAInjectBench: Benchmarking Prompt Injection Detections for Web Agents
This work addresses a critical security gap for web agents by providing a systematic evaluation framework, though it is incremental as it benchmarks existing methods rather than proposing new ones.
The authors tackled the problem of detecting prompt injection attacks against web agents by creating the first comprehensive benchmark, WAInjectBench, which includes datasets and evaluations of text- and image-based detection methods. They found that while some detectors achieve moderate to high accuracy for explicit attacks, they largely fail against attacks without explicit instructions or with imperceptible perturbations.
Multiple prompt injection attacks have been proposed against web agents. At the same time, various methods have been developed to detect general prompt injection attacks, but none have been systematically evaluated for web agents. In this work, we bridge this gap by presenting the first comprehensive benchmark study on detecting prompt injection attacks targeting web agents. We begin by introducing a fine-grained categorization of such attacks based on the threat model. We then construct datasets containing both malicious and benign samples: malicious text segments generated by different attacks, benign text segments from four categories, malicious images produced by attacks, and benign images from two categories. Next, we systematize both text-based and image-based detection methods. Finally, we evaluate their performance across multiple scenarios. Our key findings show that while some detectors can identify attacks that rely on explicit textual instructions or visible image perturbations with moderate to high accuracy, they largely fail against attacks that omit explicit instructions or employ imperceptible perturbations. Our datasets and code are released at: https://github.com/Norrrrrrr-lyn/WAInjectBench.