The authors introduce WebTrap, a mid-task hijacking attack on browser agents that injects malicious instructions during long-horizon tasks. Unlike prior prompt injections that fight the user goal (causing a usability drop), WebTrap fuses the attack goal with the user goal using multi-step instruction steering and context-grounded generation, so the agent completes the malicious task and then resumes the original task. Experiments on extended WASP and InjecAgent environments show high attack success rates while preserving system usability, and standard defenses fail to restore normal operation because the two goals are tightly bound.
Main takeaways:
- WebTrap hijacks browser agents mid-task by fusing malicious instructions with the user's original goal, so the agent completes both without a usability drop
- Uses multi-step instruction fusion and context-grounded generation to align injected content with the task environment and system instructions
- Achieves high attack success rates on two browser agent tasks (extended WASP and InjecAgent) while preserving original task completion
- Standard defenses can't restore normal operation because the attack and user goals are seamlessly combined
- Reveals a critical vulnerability in long-horizon agent tasks: extended execution chains provide more injection opportunities