ML Security PapersIn-Browser LLM-Guided Fuzzing for Real-Time Prompt Injection Testing in Agentic AI Browsers
Published on arXiv
2510.13543
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
LLM-guided mutation causes even the best-performing agentic AI browsers to fail 58–74% of injection attempts by the 10th iteration, with powerful generator models achieving 3.3× faster time-to-first-success than smaller models.
BrowserTotal (In-Browser LLM-Guided Fuzzing)
Novel technique introduced
Large Language Model (LLM) based agents integrated into web browsers (often called agentic AI browsers) offer powerful automation of web tasks. However, they are vulnerable to indirect prompt injection attacks, where malicious instructions hidden in a webpage deceive the agent into unwanted actions. These attacks can bypass traditional web security boundaries, as the AI agent operates with the user privileges across sites. In this paper, we present a novel fuzzing framework that runs entirely in the browser and is guided by an LLM to automatically discover such prompt injection vulnerabilities in real time.
Key Contributions
- In-browser LLM-guided fuzzing platform (BrowserTotal) that generates and evolves indirect prompt injection payloads against real agentic AI browsers in a live DOM environment
- Demonstrates 'progressive evasion failure': all tested AI browser tools eventually fail at 58–74% of cases by the 10th fuzzing iteration despite blocking simple attacks
- Identifies page summarization (73% ASR) and question answering (71% ASR) as the highest-risk AI browser features due to full content ingestion and high user trust