benchmark 2025

Decoding Latent Attack Surfaces in LLMs: Prompt Injection via HTML in Web Summarization

Ishaan Verma , Arsheya Yadav

Manipal University Jaipur

0 citations
α

Published on arXiv

2509.05831

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Over 29% of adversarially injected HTML pages caused noticeable manipulation in Llama 4 Scout summaries; Gemma 9B IT showed a 15% success rate, exposing a broadly overlooked attack surface in LLM web pipelines.

HTML-based covert prompt injection

Novel technique introduced

Large Language Models (LLMs) are increasingly integrated into web-based systems for content summarization, yet their susceptibility to prompt injection attacks remains a pressing concern. In this study, we explore how non-visible HTML elements such as <meta>, aria-label, and alt attributes can be exploited to embed adversarial instructions without altering the visible content of a webpage. We introduce a novel dataset comprising 280 static web pages, evenly divided between clean and adversarial injected versions, crafted using diverse HTML-based strategies. These pages are processed through a browser automation pipeline to extract both raw HTML and rendered text, closely mimicking real-world LLM deployment scenarios. We evaluate two state-of-the-art open-source models, Llama 4 Scout (Meta) and Gemma 9B IT (Google), on their ability to summarize this content. Using both lexical (ROUGE-L) and semantic (SBERT cosine similarity) metrics, along with manual annotations, we assess the impact of these covert injections. Our findings reveal that over 29% of injected samples led to noticeable changes in the Llama 4 Scout summaries, while Gemma 9B IT showed a lower, yet non-trivial, success rate of 15%. These results highlight a critical and largely overlooked vulnerability in LLM driven web pipelines, where hidden adversarial content can subtly manipulate model outputs. Our work offers a reproducible framework and benchmark for evaluating HTML-based prompt injection and underscores the urgent need for robust mitigation strategies in LLM applications involving web content.

Key Contributions

  • Novel dataset of 280 static web pages (clean vs. adversarial) with covert HTML-based prompt injections using meta tags, aria-labels, and alt attributes
  • Browser automation pipeline that extracts both raw HTML and rendered text to simulate real-world LLM deployment for summarization
  • Reproducible evaluation framework using ROUGE-L and SBERT cosine similarity metrics to quantify injection impact, revealing 29% success rate on Llama 4 Scout and 15% on Gemma 9B IT

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
black_boxinference_timetargeteddigital
Datasets
Custom dataset of 280 static web pages
Applications
web content summarizationllm-integrated web pipelines
Read PDF arXiv

Similar Papers

benchmark

Reverse CAPTCHA: Evaluating LLM Susceptibility to Invisible Unicode Instruction Injection

2026 0 cit.
100%
benchmark

Safe in the Future, Dangerous in the Past: Dissecting Temporal and Linguistic Vulnerabilities in LLMs

2025 0 cit.
91%
benchmark

When Personalization Legitimizes Risks: Uncovering Safety Vulnerabilities in Personalized Dialogue Agents

2026 0 cit.
91%
benchmark

Language Model Agents Under Attack: A Cross Model-Benchmark of Profit-Seeking Behaviors in Customer Service

2025 0 cit.
91%
benchmark

TeleAI-Safety: A comprehensive LLM jailbreaking benchmark towards attacks, defenses, and evaluations

2025 2 cit.
91%
benchmark

Prompt Injection Attacks on LLM Generated Reviews of Scientific Publications

2025 0 cit.
91%
benchmark

Confusion is the Final Barrier: Rethinking Jailbreak Evaluation and Investigating the Real Misuse Threat of LLMs

2025 0 cit.
91%
benchmark

Securing Large Language Models (LLMs) from Prompt Injection Attacks

2025 0 cit.
83%