🤖 AI Summary
This work addresses the vulnerability of autonomous web agents to cross-site prompt injection attacks, wherein adversaries exploit third-party or user-generated content to hijack agent behavior. The paper introduces, for the first time, classical integrity models into web agent security and proposes a defense mechanism grounded in the principle of context-aware least privilege. By dynamically inferring trust and applying mechanical isolation, the approach automatically assigns permission labels to web content, then enforces structured isolation through content sanitization and capability restriction. Crucially, it generalizes across diverse websites without requiring developer annotations, ensures that mislabeling can only reduce—not elevate—privileges, and confines the impact of errors to bounded scopes. Empirical evaluation demonstrates a significant reduction in attack success rates under both known and adaptive threat scenarios, while preserving high availability for legitimate tasks.
📝 Abstract
Autonomous web agents promise to automate everyday browsing tasks, but inherit one of the web's oldest attack surfaces. Cross-Site Scripting proved that mixing trusted and untrusted content is dangerous, even on benign pages. Agents resurface this risk by interpreting natural language as instructions, allowing third-party and user-generated content to hijack the agent via prompt injection. The core challenge is that deriving a task-specific security policy requires reasoning over page structure that is entangled with the attacker's content.
We present Prismata, a defense enforcing contextual least privilege for web agents, constraining both what the agent sees and what it can do. Prismata's dynamic trust derivation produces permission labels for page content, with structural confinement guarantees, inspired by classical integrity models, that bound any labeling errors so that labels can only decrease in privilege and mislabelings are bounded. Prismata's mechanical confinement enforces these labels by redacting content and restricting agent capabilities. Importantly, these mechanisms require no developer annotations, so Prismata supports the long tail of websites. Across recent published web agent attacks, including adaptive variants, Prismata substantially reduces attack success while preserving benign task utility.