English

WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks

Cryptography and Security 2025-05-20 v3 Artificial Intelligence

Abstract

Autonomous UI agents powered by AI have tremendous potential to boost human productivity by automating routine tasks such as filing taxes and paying bills. However, a major challenge in unlocking their full potential is security, which is exacerbated by the agent's ability to take action on their user's behalf. Existing tests for prompt injections in web agents either over-simplify the threat by testing unrealistic scenarios or giving the attacker too much power, or look at single-step isolated tasks. To more accurately measure progress for secure web agents, we introduce WASP -- a new publicly available benchmark for end-to-end evaluation of Web Agent Security against Prompt injection attacks. Evaluating with WASP shows that even top-tier AI models, including those with advanced reasoning capabilities, can be deceived by simple, low-effort human-written injections in very realistic scenarios. Our end-to-end evaluation reveals a previously unobserved insight: while attacks partially succeed in up to 86% of the case, even state-of-the-art agents often struggle to fully complete the attacker goals -- highlighting the current state of security by incompetence.

Keywords

Cite

@article{arxiv.2504.18575,
  title  = {WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks},
  author = {Ivan Evtimov and Arman Zharmagambetov and Aaron Grattafiori and Chuan Guo and Kamalika Chaudhuri},
  journal= {arXiv preprint arXiv:2504.18575},
  year   = {2025}
}

Comments

Code and data: https://github.com/facebookresearch/wasp

R2 v1 2026-06-28T23:11:46.082Z