WAInjectBench: Benchmarking Prompt Injection Detections for Web Agents

Multiple prompt injection attacks have been proposed against web agents. At the same time, various methods have been developed to detect general prompt injection attacks, but none have been systematically evaluated for web agents. In this work, we bridge this gap by presenting the first comprehensive benchmark study on detecting prompt injection attacks targeting web agents. We begin by introducing a fine-grained categorization of such attacks based on the threat model. We then construct datasets containing both malicious and benign samples: malicious text segments generated by different attacks, benign text segments from four categories, malicious images produced by attacks, and benign images from two categories. Next, we systematize both text-based and image-based detection methods. Finally, we evaluate their performance across multiple scenarios. Our key findings show that while some detectors can identify attacks that rely on explicit textual instructions or visible image perturbations with moderate to high accuracy, they largely fail against attacks that omit explicit instructions or employ imperceptible perturbations. Our datasets and code are released at: https://github.com/Norrrrrrr-lyn/WAInjectBench.

Key Contributions

• First comprehensive benchmark for evaluating prompt injection detection methods specifically targeting web agents, with a fine-grained threat-model-based attack categorization
• Curated datasets of malicious/benign text and image samples spanning multiple attack strategies and benign categories for rigorous evaluation
• Systematic evaluation revealing that current detectors fail against prompt injection attacks that omit explicit instructions or use imperceptible image perturbations

🛡️ Threat Analysis

Details

Similar Papers