This work addresses prompt injection attacks stemming from web content tampering by proposing a two-stage detection approach. The method first extracts potentially contaminated segments of interest from web pages and then evaluates their semantic consistency within the surrounding context to efficiently identify and precisely localize malicious injections. It overcomes the limitations of existing techniques, which rely on restrictive assumptions in web-based agent scenarios, and presents the first fine-grained solution for detecting prompt injection attacks. Evaluated on a newly curated dataset comprising multiple sets of both contaminated and clean web pages, the proposed method significantly outperforms current baselines, accurately identifying compromised pages while precisely pinpointing the injected malicious fragments.

Prompt injection attacks manipulate webpage content to cause web agents to execute attacker-specified tasks instead of the user's intended ones. Existing methods for detecting and localizing such attacks achieve limited effectiveness, as their underlying assumptions often do not hold in the web-agent setting. In this work, we propose WebSentinel, a two-step approach for detecting and localizing prompt injection attacks in webpages. Given a webpage, Step I extracts \emph{segments of interest} that may be contaminated, and Step II evaluates each segment by checking its consistency with the webpage content as context. We show that WebSentinel is highly effective, substantially outperforming baseline methods across multiple datasets of both contaminated and clean webpages that we collected. Our code is available at: https://github.com/wxl-lxw/WebSentinel.