benchmark 2026

Hidden-in-Plain-Text: A Benchmark for Social-Web Indirect Prompt Injection in RAG

Haoze Guo, Ziqi Wei

3 citations · 17 references · arXiv

Published on arXiv

2601.10923

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Provides standardized end-to-end measurement of indirect prompt injection success rate, retrieval rank shifts across sparse and dense retrievers, and mitigation overhead for web-native RAG deployments.

OpenRAG-Soc

Novel technique introduced


Retrieval-augmented generation (RAG) systems put more and more emphasis on grounding their responses in user-generated content found on the Web, amplifying both their usefulness and their attack surface. Most notably, indirect prompt injection and retrieval poisoning attack the web-native carriers that survive ingestion pipelines and are very concerning. We provide OpenRAG-Soc, a compact, reproducible benchmark-and-harness for web-facing RAG evaluation under these threats, in a discrete data package. The suite combines a social corpus with interchangeable sparse and dense retrievers and deployable mitigations - HTML/Markdown sanitization, Unicode normalization, and attribution-gated answering. It standardizes end-to-end evaluation from ingestion to generation and reports attacks time of one of the responses at answer time, rank shifts in both sparse and dense retrievers, utility and latency, allowing for apples-to-apples comparisons across carriers and defenses. OpenRAG-Soc targets practitioners who need fast and realistic tests to track risk and harden deployments.


Key Contributions

  • OpenRAG-Soc: a compact, reproducible benchmark-and-harness covering end-to-end RAG evaluation under indirect prompt injection and retrieval poisoning threats
  • A social web corpus with interchangeable sparse and dense retrievers and standardized metrics (attack success rate, rank shift, utility, latency) enabling apples-to-apples comparisons
  • Deployable mitigations including HTML/Markdown sanitization, Unicode normalization, and attribution-gated answering evaluated within the same framework

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm, transformer
Threat Tags
inference_time, black_box
Datasets
OpenRAG-Soc social corpus (web user-generated content)
Applications
retrieval-augmented generation, web-facing llm applications