scan.json (37389B)
1 { 2 "paper": { 3 "title": "WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks", 4 "authors": [ 5 "Ivan Evtimov", 6 "Arman Zharmagambetov", 7 "Aaron Grattafiori", 8 "Chuan Guo", 9 "Kamalika Chaudhuri" 10 ], 11 "year": 2025, 12 "venue": "arXiv.org", 13 "arxiv_id": "2504.18575", 14 "doi": "10.48550/arXiv.2504.18575" 15 }, 16 "scan_version": 3, 17 "active_modules": ["experimental_rigor", "data_leakage"], 18 "methodology_tags": ["benchmark-eval"], 19 "key_findings": "WASP introduces a realistic end-to-end benchmark for web agent security against prompt injection, built on VisualWebArena with 84 attack tasks across GitLab and Reddit environments. Even top-tier models (including o1 and Claude 3.7 with Extended Thinking) are readily hijacked (ASR-intermediate up to 86%), but agents rarely complete the full attacker goal (ASR-end-to-end at most 17%), revealing a pattern the authors term 'security by incompetence.' Instruction hierarchy defenses counterintuitively yielded some of the highest ASR-intermediate rates, while defensive system prompts offered more effective mitigation.", 20 "checklist": { 21 "artifacts": { 22 "code_released": { 23 "applies": true, 24 "answer": true, 25 "justification": "The paper states 'our code and benchmark are open-sourced and publicly available' and the NeurIPS checklist confirms the code is at https://github.com/facebookresearch/wasp." 26 }, 27 "data_released": { 28 "applies": true, 29 "answer": true, 30 "justification": "The benchmark is publicly released as part of the open-source repository. The benchmark builds on the publicly available VisualWebArena environments, and all test scenarios, attacker goals, and injection templates are documented in the paper and code." 31 }, 32 "environment_specified": { 33 "applies": true, 34 "answer": false, 35 "justification": "The paper mentions AWS EC2 instances for hosting VisualWebArena, Docker for Claude CURI, Azure OpenAI API, and AWS Bedrock, but does not provide detailed environment specifications (requirements.txt, library versions, Dockerfile details) in the paper itself. It references the VisualWebArena setup instructions from Koh et al. (2024) without specifying the precise versions of dependencies used." 36 }, 37 "reproduction_instructions": { 38 "applies": true, 39 "answer": true, 40 "justification": "The paper provides the benchmark at a public GitHub repository with documentation, describes the setup procedure ('We self-host both reddit and gitlab VisualWebArena web apps in AWS EC2 instances according to the instructions in Koh et al. (2024), and use additional scripts to set up each deployment'), and the NeurIPS checklist confirms sufficient instructions are provided." 41 } 42 }, 43 "statistical_methodology": { 44 "confidence_intervals_or_error_bars": { 45 "applies": true, 46 "answer": false, 47 "justification": "All results in Tables 2, 3, and 4 are reported as point estimates (e.g., 0.857, 0.167) with no confidence intervals or error bars. The NeurIPS checklist confirms: answer to 'error bars suitably reported' is [No]." 48 }, 49 "significance_tests": { 50 "applies": true, 51 "answer": false, 52 "justification": "The paper makes comparative claims (e.g., URL injections are more effective, defensive prompts reduce ASR) but provides no statistical significance tests. Comparisons are made by directly comparing percentages across Table 2, 3, and 4." 53 }, 54 "effect_sizes_reported": { 55 "applies": true, 56 "answer": false, 57 "justification": "The paper reports raw ASR percentages but no formal effect sizes (Cohen's d, odds ratios, etc.) for comparisons between conditions. When comparing methods (e.g., with/without defense), only the absolute rates are shown without quantifying the magnitude of differences." 58 }, 59 "sample_size_justified": { 60 "applies": true, 61 "answer": false, 62 "justification": "The benchmark has 84 attack tasks and 37 utility tasks. No justification is given for why these numbers are adequate, and no power analysis is discussed. The small sample size (84 tasks, with only 42 unique test scenarios) limits the reliability of the reported rates." 63 }, 64 "variance_reported": { 65 "applies": true, 66 "answer": false, 67 "justification": "Results appear to be single-run experiments with no variance, standard deviation, or spread measures reported. The NeurIPS checklist confirms no error bars are provided (item 7: [No])." 68 } 69 }, 70 "evaluation_design": { 71 "baselines_included": { 72 "applies": true, 73 "answer": true, 74 "justification": "The paper compares multiple model-scaffolding-defense configurations (Table 2) and contrasts with prior benchmark designs (Table 1). Different defense mechanisms (none, system prompt, instruction hierarchy) serve as baselines against each other." 75 }, 76 "baselines_contemporary": { 77 "applies": true, 78 "answer": true, 79 "justification": "The evaluated models include GPT-4o, GPT-4o-mini, o1, Claude Sonnet 3.5 v2, and Claude Sonnet 3.7 with Extended Thinking — all contemporary and state-of-the-art at the time of writing. Prior benchmarks compared include InjecAgent (2024), AgentDojo (2024), and ASB (2024)." 80 }, 81 "ablation_study": { 82 "applies": true, 83 "answer": true, 84 "justification": "The paper ablates injection types (URL vs plain-text, Table 3), attacker knowledge (task-related vs task-agnostic, Table 4), scaffolding types (VisualWebArena vs CURI vs Tool Calling), input modalities (axtree vs axtree+SOM vs screenshot), and defense mechanisms (none vs system prompt vs instruction hierarchy)." 85 }, 86 "multiple_metrics": { 87 "applies": true, 88 "answer": true, 89 "justification": "Three evaluation metrics are defined and reported: ASR-intermediate (agent hijacked from user goal), ASR-end-to-end (attacker's ultimate goal achieved), and Utility (agent performance on benign tasks without attacks). Section 3.4 defines each." 90 }, 91 "human_evaluation": { 92 "applies": true, 93 "answer": true, 94 "justification": "The authors manually labeled agent actions for GPT-4o with VisualWebArena scaffolding, classifying actions as advancing attacker goal, user goal, or neither (Section 4.2, Fig 3). This manual analysis of agent outputs supplements the automated ASR metrics, though the main evaluation metrics themselves are automated." 95 }, 96 "held_out_test_set": { 97 "applies": true, 98 "answer": false, 99 "justification": "The paper does not describe any separation between development and test sets. All 84 tasks and 37 utility tasks appear to have been used for both benchmark development and final reporting, with no held-out split described." 100 }, 101 "per_category_breakdown": { 102 "applies": true, 103 "answer": true, 104 "justification": "Results are broken down by model, scaffolding, defense mechanism, input type (Table 2), injection template type (Table 3), attacker knowledge level (Table 4), and per-attacker-goal flow analysis (Fig 3, Table 5). Both GitLab and Reddit environments are described separately." 105 }, 106 "failure_cases_discussed": { 107 "applies": true, 108 "answer": true, 109 "justification": "Table 7 provides a detailed step-by-step example of an intermediate attack where the agent is initially hijacked but then recovers and attempts the original task (though fails). Fig 3 traces the lifecycle of all 21 attacks. The 'security by incompetence' analysis in Section 4.2 is fundamentally about failure modes." 110 }, 111 "negative_results_reported": { 112 "applies": true, 113 "answer": true, 114 "justification": "The paper reports that instruction hierarchy counterintuitively yielded the highest ASR-intermediate (85.7% for o1 with system role), that defensive system prompts reduce utility alongside ASR, and that more capable agents (o1) can have higher ASR-end-to-end when hijacked. The finding that attacks mostly fail end-to-end is itself a nuanced negative result." 115 } 116 }, 117 "claims_and_evidence": { 118 "abstract_claims_supported": { 119 "applies": true, 120 "answer": true, 121 "justification": "The abstract claims top-tier models are deceived by simple injections (supported by Table 2 showing 17-86% ASR-intermediate), attacks partially succeed in up to 86% of cases (o1 with system role in Table 2: 0.857), and full attack completion is rare (ASR-end-to-end up to 16.7%). All claims match the results." 122 }, 123 "causal_claims_justified": { 124 "applies": true, 125 "answer": true, 126 "justification": "The paper's comparative claims (e.g., defensive prompts reduce ASR, URL injections are more effective) are supported by controlled single-variable comparisons in Tables 2-4, where one factor is varied while others are held constant (e.g., same model with/without defensive prompt). The ablation design is adequate for the causal claims made." 127 }, 128 "generalization_bounded": { 129 "applies": true, 130 "answer": true, 131 "justification": "The limitations section explicitly states: 'it currently supports only two environments (reddit and gitlab)' and 'the benchmark currently lacks a diverse set of prompt injection attack prompts.' Claims are generally specific to the tested models and scenarios. The paper frames results as specific to WASP rather than claiming universal web agent vulnerability." 132 }, 133 "alternative_explanations_discussed": { 134 "applies": true, 135 "answer": false, 136 "justification": "While the paper analyzes why attacks succeed or fail mechanistically (Section 4.2, Fig 3), it does not consider confounding factors such as whether the injection templates were optimized through iterative development, whether the sandbox environment itself affects agent behavior differently from real websites, or whether the small task set biases the results." 137 }, 138 "proxy_outcome_distinction": { 139 "applies": true, 140 "answer": true, 141 "justification": "The paper explicitly distinguishes between ASR-intermediate (agent diverted from user goal — a proxy for security compromise) and ASR-end-to-end (attacker's goal actually achieved — the real outcome). Section 3.4 defines both metrics and Section 4.2 extensively discusses the gap between them, noting that intermediate hijacking does not imply full compromise." 142 } 143 }, 144 "setup_transparency": { 145 "model_versions_specified": { 146 "applies": true, 147 "answer": false, 148 "justification": "The paper uses marketing names: 'GPT-4o', 'GPT-4o-mini', 'o1', 'Claude Sonnet 3.5 v2', 'Claude Sonnet 3.7 with Extended Thinking.' No API snapshot dates or version strings (e.g., gpt-4o-2024-05-13) are provided. Model behavior can change across API versions, making these specifications insufficient for exact reproduction." 149 }, 150 "prompts_provided": { 151 "applies": true, 152 "answer": true, 153 "justification": "Full prompt text is provided for: plain-text injection template (Section 3.3), URL injection template (Section 3.3), task-agnostic variants (Appendix B), defensive system prompt (Appendix B), and the ASR-intermediate LLM judge prompt with CoT demonstrations (Appendix B). The actual user goal strings and instantiated URLs are described." 154 }, 155 "hyperparameters_reported": { 156 "applies": true, 157 "answer": false, 158 "justification": "No mention of temperature, top-p, max tokens, or other API parameters for any of the models tested. These significantly affect model behavior, especially for reasoning models like o1. The NeurIPS checklist (item 8) confirms compute resource details are not reported." 159 }, 160 "scaffolding_described": { 161 "applies": true, 162 "answer": true, 163 "justification": "Section 4.1 describes three scaffoldings in detail: VisualWebArena (axtree/SOM representations, action format, state storage), Claude CURI (full desktop environment, x/y coordinate actions, Firefox in Docker, last 10 screenshots stored), and Tool Calling Loop (browser action tools, accessibility tree, 3 past observations, instruction hierarchy privilege levels)." 164 }, 165 "data_preprocessing_documented": { 166 "applies": true, 167 "answer": true, 168 "justification": "Section 3.2-3.3 documents the full pipeline: attacker goals (Table 5) × user goals (2 per environment) = 42 test scenarios × 2 injection templates = 84 tasks. Utility test set construction is documented (Table 5 goals as legitimate tasks + Table 6 common activities = 37 tasks). The injection instantiation process is clearly described." 169 } 170 }, 171 "limitations_and_scope": { 172 "limitations_section_present": { 173 "applies": true, 174 "answer": true, 175 "justification": "A 'Limitations and future work' subsection appears at the end of Section 5 (Conclusion), discussing limited environment diversity (only 2 environments), need for more diverse websites and prompt injection templates, and the importance of extending to other agentic tasks." 176 }, 177 "threats_to_validity_specific": { 178 "applies": true, 179 "answer": true, 180 "justification": "The limitations are specific to this study: only 2 web environments (GitLab and Reddit), only manual prompt injections (no automated optimization), limited to web agents (not desktop or code agents), and a small set of injection templates. These are concrete, not boilerplate." 181 }, 182 "scope_boundaries_stated": { 183 "applies": true, 184 "answer": true, 185 "justification": "The paper explicitly states what was not tested: 'it currently supports only two environments... and would greatly benefit from a more diverse set of websites, such as knowledge bases (e.g., Wikipedia) and travel planning platforms (e.g., Kayak).' It also notes 'extending this framework to other agentic tasks, such as desktop and code agents, represents a significant milestone.'" 186 } 187 }, 188 "data_integrity": { 189 "raw_data_available": { 190 "applies": true, 191 "answer": false, 192 "justification": "While the benchmark code is released, the paper does not mention releasing the raw experimental data: agent reasoning traces, action logs, or individual task outcomes. Only aggregate results (ASR rates) are reported in tables." 193 }, 194 "data_collection_described": { 195 "applies": true, 196 "answer": true, 197 "justification": "The benchmark construction process is well-documented: attacker goals were manually designed targeting concrete security violations (Table 5), user goals were selected to be achievable by current agents (Appendix B), and prompt injection templates were crafted with specific instantiation procedures (Section 3.3)." 198 }, 199 "recruitment_methods_described": { 200 "applies": false, 201 "answer": false, 202 "justification": "No human participants were involved. The benchmark data consists of programmatically constructed test scenarios within sandbox web environments. Standard benchmark (VisualWebArena) data was used for the environments." 203 }, 204 "data_pipeline_documented": { 205 "applies": true, 206 "answer": true, 207 "justification": "The full pipeline is documented: (1) define attacker goals per environment (Table 5), (2) define user goals (Appendix B), (3) combine into test scenarios (21 attacker × 2 user = 42 per environment), (4) instantiate injection templates (2 types per scenario = 84 total tasks), (5) run agents and evaluate with rule-based (ASR-end-to-end) and LLM-judge (ASR-intermediate) evaluators." 208 } 209 }, 210 "conflicts_of_interest": { 211 "funding_disclosed": { 212 "applies": true, 213 "answer": true, 214 "justification": "Author affiliations ('FAIR at Meta') clearly indicate Meta as the funding source. While there is no explicit funding statement or acknowledgments section, the corporate affiliation makes the funding source unambiguous." 215 }, 216 "affiliations_disclosed": { 217 "applies": true, 218 "answer": true, 219 "justification": "All author affiliations are disclosed: four authors are from FAIR at Meta, and Aaron Grattafiori is listed as Independent Researcher with a note 'Work done while at Meta.' The paper tests third-party models (GPT-4o, Claude), not Meta's own products." 220 }, 221 "funder_independent_of_outcome": { 222 "applies": true, 223 "answer": false, 224 "justification": "Meta is a major AI company that develops AI agents and products (e.g., Llama models). The benchmark evaluates competitor models (GPT-4o, Claude) but not Meta's own models. Meta has a financial interest in AI safety outcomes as they influence regulation and competitive positioning." 225 }, 226 "financial_interests_declared": { 227 "applies": true, 228 "answer": false, 229 "justification": "No competing interests statement is included in the paper. Given that authors work for a major AI company whose products compete with the models evaluated, a competing interests declaration would be appropriate." 230 } 231 }, 232 "contamination": { 233 "training_cutoff_stated": { 234 "applies": false, 235 "answer": false, 236 "justification": "This paper tests agent security against prompt injection attacks, not model knowledge on a benchmark. Contamination of training data with benchmark answers is not the relevant threat — the benchmark tests adversarial robustness behavior, not factual recall." 237 }, 238 "train_test_overlap_discussed": { 239 "applies": false, 240 "answer": false, 241 "justification": "This is a security/defense evaluation benchmark, not a model capability benchmark. Train/test overlap of the prompt injection tasks with training data is not a meaningful contamination concern." 242 }, 243 "benchmark_contamination_addressed": { 244 "applies": false, 245 "answer": false, 246 "justification": "The benchmark tests agent behavior under adversarial prompt injection, not learned knowledge. Contamination in the traditional sense (model memorizing correct answers) does not apply to this evaluation paradigm." 247 } 248 }, 249 "human_studies": { 250 "pre_registered": { 251 "applies": false, 252 "answer": false, 253 "justification": "No human participants were involved. The paper evaluates AI agents on automated benchmark tasks in sandbox web environments." 254 }, 255 "irb_or_ethics_approval": { 256 "applies": false, 257 "answer": false, 258 "justification": "No human participants. The NeurIPS checklist confirms: 'No human subjects were involved' (items 14-15)." 259 }, 260 "demographics_reported": { 261 "applies": false, 262 "answer": false, 263 "justification": "No human participants. All experiments involve automated AI agents interacting with sandbox web environments." 264 }, 265 "inclusion_exclusion_criteria": { 266 "applies": false, 267 "answer": false, 268 "justification": "No human participants in the study." 269 }, 270 "randomization_described": { 271 "applies": false, 272 "answer": false, 273 "justification": "No human participants. This is not an experimental study with human subjects." 274 }, 275 "blinding_described": { 276 "applies": false, 277 "answer": false, 278 "justification": "No human participants or evaluators requiring blinding." 279 }, 280 "attrition_reported": { 281 "applies": false, 282 "answer": false, 283 "justification": "No human participants." 284 } 285 }, 286 "cost_and_practicality": { 287 "inference_cost_reported": { 288 "applies": true, 289 "answer": false, 290 "justification": "No mention of API costs, token consumption, or wall-clock time for the experiments. The paper evaluates multiple models across 84+ tasks per configuration through commercial APIs but does not report any cost information." 291 }, 292 "compute_budget_stated": { 293 "applies": true, 294 "answer": false, 295 "justification": "The NeurIPS checklist (item 8) confirms that compute resource information is not provided: 'We test cloud-hosted models (GPT-4o, o1, Claude) and their providers do not share these kinds of details.' No total API spend or hosting costs are reported." 296 } 297 }, 298 "experimental_rigor": { 299 "seed_sensitivity_reported": { 300 "applies": true, 301 "answer": false, 302 "justification": "Results appear to be from single runs with no mention of random seeds, sensitivity analysis, or variance across repeated executions. Given that LLM outputs are stochastic, seed sensitivity is relevant but unaddressed." 303 }, 304 "number_of_runs_stated": { 305 "applies": true, 306 "answer": false, 307 "justification": "The paper does not state how many times each experiment was run. Results are presented as single values with no indication of averaging or repeated trials." 308 }, 309 "hyperparameter_search_budget": { 310 "applies": true, 311 "answer": false, 312 "justification": "No hyperparameter search budget is reported. The injection templates were manually designed, and API parameters (temperature, etc.) are not even reported, let alone tuned." 313 }, 314 "best_config_selection_justified": { 315 "applies": true, 316 "answer": true, 317 "justification": "The paper reports results for all tested configurations in Table 2 (13 configurations) rather than cherry-picking the best or worst results. All injection types and defense variants are reported in Tables 3-4." 318 }, 319 "multiple_comparison_correction": { 320 "applies": true, 321 "answer": false, 322 "justification": "No statistical tests are performed at all, so no multiple comparison corrections are applied. The paper makes many pairwise comparisons across Table 2 (13 configurations × 3 metrics) without any correction." 323 }, 324 "self_comparison_bias_addressed": { 325 "applies": true, 326 "answer": false, 327 "justification": "The authors created the benchmark (attack templates, scenarios, environments) and then evaluated models on it. There is no discussion of potential bias from the benchmark creators also being the evaluators, or whether the attack templates were iteratively refined until they worked." 328 }, 329 "compute_budget_vs_performance": { 330 "applies": true, 331 "answer": false, 332 "justification": "Models with vastly different compute requirements (GPT-4o-mini vs o1 reasoning model) are compared without any discussion of compute budget differences. The o1 model's higher ASR-intermediate could partly reflect its greater compute budget enabling more sophisticated reasoning." 333 }, 334 "benchmark_construct_validity": { 335 "applies": true, 336 "answer": true, 337 "justification": "The paper extensively discusses what WASP measures vs prior benchmarks (Table 1), introduces the critical distinction between ASR-intermediate and ASR-end-to-end to capture different aspects of security, and argues for the realism of their threat model (Section 2, Section 3.1). The 'security by incompetence' finding itself is a construct validity insight." 338 }, 339 "scaffold_confound_addressed": { 340 "applies": true, 341 "answer": true, 342 "justification": "The paper explicitly tests the same models with different scaffoldings (e.g., GPT-4o-mini with VisualWebArena vs Tool Calling Loop) and notes that 'agentic scaffolding...can greatly influence the agent's utility and security against prompt injection' (Section 4.1). Table 2 shows scaffold as an explicit variable." 343 } 344 }, 345 "data_leakage": { 346 "temporal_leakage_addressed": { 347 "applies": true, 348 "answer": false, 349 "justification": "The paper does not discuss whether the models may have been exposed to VisualWebArena tasks during training, or whether the GitLab/Reddit environments contain content that appeared in model training data." 350 }, 351 "feature_leakage_addressed": { 352 "applies": true, 353 "answer": false, 354 "justification": "No discussion of whether the evaluation setup leaks information. For example, the URL injection template encodes the attacker's goal in the URL itself, which is always visible to the agent — whether this constitutes 'leakage' in the evaluation design is not discussed." 355 }, 356 "non_independence_addressed": { 357 "applies": true, 358 "answer": false, 359 "justification": "The 84 tasks are constructed from 42 scenarios × 2 injection templates, with scenarios from 21 attacker goals × 2 user goals. These tasks share considerable structure (same attacker goals across user goals, same user goals across attackers) but non-independence is not discussed." 360 }, 361 "leakage_detection_method": { 362 "applies": true, 363 "answer": false, 364 "justification": "No leakage detection or prevention methods are described. The paper does not check for model familiarity with VisualWebArena or the specific web environments used." 365 } 366 } 367 }, 368 "claims": [ 369 { 370 "claim": "Even top-tier AI models, including those with advanced reasoning capabilities, can be deceived by simple, low-effort human-written prompt injections in realistic web agent scenarios.", 371 "evidence": "Table 2 shows ASR-intermediate ranging from 16.7% to 85.7% across all model-scaffolding configurations, including o1 (85.7%) and Claude 3.7 with Extended Thinking (53.6%). Section 4.2 discusses these results.", 372 "supported": "strong" 373 }, 374 { 375 "claim": "While attacks partially succeed (hijack agents) in up to 86% of cases, agents struggle to fully complete attacker goals, with ASR-end-to-end at most 16.7%.", 376 "evidence": "Table 2 shows the gap: o1 achieves 85.7% ASR-intermediate but only 16.7% ASR-end-to-end. Most configurations show ASR-end-to-end below 4%. Fig 3 traces the lifecycle of attacks showing how agents lose track of malicious instructions.", 377 "supported": "strong" 378 }, 379 { 380 "claim": "Current web agents exhibit 'security by incompetence' — the main bottleneck for attack success is agent capability, not defense mechanisms.", 381 "evidence": "Section 4.2 and Fig 3 show agents frequently become confused after initial hijacking, executing irrelevant actions. The o1 model, being more capable, achieves higher ASR-end-to-end (16.7%) compared to less capable models, supporting the hypothesis. Manual labeling of GPT-4o actions in Fig 3 shows agents reverting to user goals or becoming confused.", 382 "supported": "moderate" 383 }, 384 { 385 "claim": "Instruction hierarchy defense does not reliably prevent prompt injection attacks in web agents, and can counterintuitively increase ASR-intermediate.", 386 "evidence": "Table 2 shows o1 with Tool Calling Loop (instruction hierarchy) achieves 85.7% ASR-intermediate with system role placement — the highest across all configurations. GPT-4o-mini with Tool Calling also shows 53.6% ASR-intermediate, higher than its VisualWebArena baseline (34.5%).", 387 "supported": "moderate" 388 }, 389 { 390 "claim": "URL injections are generally more effective than plain-text injections for ASR-intermediate.", 391 "evidence": "Table 3 shows higher ASR-intermediate for URL injections across most models: GPT-4o 61.9% vs 23.8%, o1 (system) 97.6% vs 73.8%, Claude 3.5 85.7% vs 31.0%. However, the pattern is reversed for ASR-end-to-end in some cases (Claude models show higher end-to-end ASR for plain-text).", 392 "supported": "moderate" 393 }, 394 { 395 "claim": "Defensive system prompts reduce ASR-intermediate and ASR-end-to-end but at the cost of reduced utility.", 396 "evidence": "Table 2 shows GPT-4o (axtree) drops from 32.1% to 16.7% ASR-intermediate with defensive prompt, but utility drops from 59.5% to 45.9%. Similar patterns for GPT-4o (axtree+SOM) and Claude models.", 397 "supported": "strong" 398 }, 399 { 400 "claim": "Task-agnostic injections (without knowledge of user's objective) are less effective but still achieve non-zero attack success rates.", 401 "evidence": "Table 4 shows task-agnostic injections reduce ASR-intermediate from 22.6% to 7.1% for GPT-4o and from 50.0% to 32.1% for Claude 3.7, but rates remain non-trivially above zero.", 402 "supported": "strong" 403 } 404 ], 405 "red_flags": [ 406 { 407 "flag": "Very small benchmark size", 408 "detail": "The benchmark has only 84 attack tasks (42 unique scenarios × 2 injection types) and 37 utility tasks. With only 2 user goals per environment and 21 attacker goals, the rates reported have wide implicit confidence intervals. For example, a single task outcome change in ASR-end-to-end could shift the rate by ~1.2 percentage points." 409 }, 410 { 411 "flag": "No error bars or multiple runs", 412 "detail": "All results appear to be from single experimental runs with no variance estimates, despite LLM outputs being stochastic. The NeurIPS checklist explicitly confirms no error bars are reported. This means observed differences between configurations may not be robust." 413 }, 414 { 415 "flag": "Potential self-evaluation bias", 416 "detail": "The authors designed the injection templates, attacker goals, and evaluation criteria, then reported success rates. There is no discussion of whether templates were iteratively refined (which would overfit the benchmark to the attack approach) or whether independent researchers validated the evaluation criteria." 417 }, 418 { 419 "flag": "Meta researchers not evaluating Meta models", 420 "detail": "All five models tested (GPT-4o, GPT-4o-mini, o1, Claude 3.5, Claude 3.7) are from competitors (OpenAI and Anthropic). No Meta/Llama models are evaluated. While not necessarily biased, this omission is notable for a Meta-affiliated research paper introducing a web agent security benchmark." 421 }, 422 { 423 "flag": "Limited environment diversity", 424 "detail": "Only 2 web environments (GitLab and Reddit clone) are tested, both are developer/forum-oriented platforms. Claims about 'web agent security' may not generalize to e-commerce, banking, healthcare, or other high-stakes web environments where prompt injection risks are arguably more consequential." 425 } 426 ], 427 "cited_papers": [ 428 { 429 "title": "Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection", 430 "authors": ["Kai Greshake", "Sahar Abdelnabi", "Shailesh Mishra", "Christoph Endres", "Thorsten Holz", "Mario Fritz"], 431 "year": 2023, 432 "relevance": "Foundational work demonstrating indirect prompt injection attacks against LLM-integrated applications, which WASP extends to web navigation agents." 433 }, 434 { 435 "title": "VisualWebArena: Evaluating multimodal agents on realistic visual web tasks", 436 "authors": ["Jing Yu Koh", "Robert Lo", "Lawrence Jang"], 437 "year": 2024, 438 "arxiv_id": "2401.13649", 439 "relevance": "The sandbox web environment WASP is built upon, providing the GitLab and Reddit self-hosted environments for end-to-end agent evaluation." 440 }, 441 { 442 "title": "WebArena: A realistic web environment for building autonomous agents", 443 "authors": ["Shuyan Zhou", "Frank F Xu", "Hao Zhu"], 444 "year": 2023, 445 "arxiv_id": "2307.13854", 446 "relevance": "Foundational web agent benchmark providing realistic multi-step web navigation tasks that WASP extends with security evaluation." 447 }, 448 { 449 "title": "InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents", 450 "authors": ["Qiusi Zhan", "Zhixiang Liang", "Zifan Ying", "Daniel Kang"], 451 "year": 2024, 452 "arxiv_id": "2403.02691", 453 "relevance": "Prior benchmark for prompt injection in tool-use agents, compared with WASP in Table 1; lacks end-to-end evaluation and full-stack environments." 454 }, 455 { 456 "title": "AgentDojo: A dynamic environment to evaluate attacks and defenses for LLM agents", 457 "authors": ["Edoardo Debenedetti", "Jie Zhang", "Mislav Balunović"], 458 "year": 2024, 459 "arxiv_id": "2406.13352", 460 "relevance": "Dynamic benchmark for LLM agent security with tool-calling agents, compared with WASP as lacking full-stack web environment and realistic threat model." 461 }, 462 { 463 "title": "The instruction hierarchy: Training LLMs to prioritize privileged instructions", 464 "authors": ["Eric Wallace", "Kai Yuanqing Xiao", "Reimar Heinrich Leike"], 465 "year": 2024, 466 "relevance": "Key defense mechanism tested in WASP that assigns privilege levels to different input sources; counterintuitively showed high ASR-intermediate." 467 }, 468 { 469 "title": "Adversarial attacks on multimodal agents", 470 "authors": ["Chen Henry Wu", "Jing Yu Koh", "Ruslan Salakhutdinov", "Daniel Fried", "Aditi Raghunathan"], 471 "year": 2024, 472 "arxiv_id": "2406.12814", 473 "relevance": "Demonstrates adversarial attacks on multimodal agents including imperceptible adversarial examples in product images that manipulate agent behavior." 474 }, 475 { 476 "title": "EIA: Environmental injection attack on generalist web agents for privacy leakage", 477 "authors": ["Zeyi Liao", "Lingbo Mo", "Chejian Xu"], 478 "year": 2024, 479 "arxiv_id": "2409.11295", 480 "relevance": "Demonstrates environmental injection attacks for data exfiltration from web agents, using a stronger threat model (full environment control) than WASP." 481 }, 482 { 483 "title": "Imprompter: Tricking LLM agents into improper tool use", 484 "authors": ["Xiaohan Fu", "Shuheng Li", "Zihan Wang"], 485 "year": 2024, 486 "arxiv_id": "2410.14923", 487 "relevance": "Demonstrates how LLM agents can be tricked into improper tool use through prompt manipulation, related to WASP's focus on agent hijacking." 488 }, 489 { 490 "title": "Commercial LLM agents are already vulnerable to simple yet dangerous attacks", 491 "authors": ["Ang Li", "Yin Zhou", "Vethavikashini Chithrra Raghuram", "Tom Goldstein", "Micah Goldblum"], 492 "year": 2025, 493 "arxiv_id": "2502.08586", 494 "relevance": "Demonstrates vulnerabilities in commercial LLM agents to simple attacks, corroborating WASP's findings that even simple injections can hijack agents." 495 }, 496 { 497 "title": "Defeating prompt injections by design", 498 "authors": ["Edoardo Debenedetti", "Ilia Shumailov", "Tianqi Fan"], 499 "year": 2025, 500 "relevance": "Proposes system-level defense architectures that control data-flow between LLM and applications, a defensive approach complementary to those evaluated in WASP." 501 }, 502 { 503 "title": "Agent Security Bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents", 504 "authors": ["Hanrong Zhang", "Jingyuan Huang", "Kai Mei"], 505 "year": 2024, 506 "arxiv_id": "2410.02644", 507 "relevance": "Security benchmark for LLM agents compared with WASP in Table 1; uses a stronger adversary model with access to user information and prompts." 508 }, 509 { 510 "title": "Aligning LLMs to be robust against prompt injection", 511 "authors": ["Sizhe Chen", "Arman Zharmagambetov", "Saeed Mahloujifar", "Kamalika Chaudhuri", "Chuan Guo"], 512 "year": 2024, 513 "arxiv_id": "2410.05451", 514 "relevance": "Uses preference optimization to align models against prompt injection, a training-time defense approach; co-authored by WASP authors." 515 } 516 ], 517 "engagement_factors": { 518 "practical_relevance": { 519 "score": 2, 520 "justification": "Security researchers and agent developers can use WASP to benchmark their systems, but it requires self-hosting VisualWebArena infrastructure rather than being plug-and-play." 521 }, 522 "surprise_contrarian": { 523 "score": 2, 524 "justification": "The 'security by incompetence' finding — that agents are too incompetent to be dangerous even when hijacked — is counterintuitive and challenges the narrative that AI agents pose immediate security threats." 525 }, 526 "fear_safety": { 527 "score": 3, 528 "justification": "Directly demonstrates that even state-of-the-art models with reasoning capabilities and instruction hierarchy defenses are highly susceptible to simple prompt injection attacks on web agents." 529 }, 530 "drama_conflict": { 531 "score": 1, 532 "justification": "Presented as a rigorous benchmark paper without targeting specific companies or making inflammatory claims, though the instruction hierarchy counterresult is somewhat provocative." 533 }, 534 "demo_ability": { 535 "score": 2, 536 "justification": "Code and benchmark are open-sourced on GitHub, but running it requires setting up self-hosted VisualWebArena environments on AWS EC2, which is nontrivial." 537 }, 538 "brand_recognition": { 539 "score": 2, 540 "justification": "From Meta FAIR and evaluates well-known models (GPT-4o, o1, Claude), but WASP itself is a new benchmark without established recognition." 541 } 542 } 543 }