Prompt injection is becoming the XSS of the web agent era

Autonomous web agents read whatever a page displays, and much of that content comes from strangers. Product reviews, seller listings, and advertisements sit beside trusted site menus on a single page. An agent that reads all of that text as instructions can be steered by any of it.

A group at UC Berkeley describe Cross-Site Prompting, or XSP, as the agent-era version of Cross-Site Scripting. Their system, Prismata, sits between a web agent and the browser. It filters the content an agent sees and limits the actions the agent can take.

An old attack surface in new clothes

The comparison to XSS runs through the whole design. Cross-Site Scripting lets an attacker plant a script on a trusted site so it runs in a visitor’s browser. XSP swaps executable code for plain language. An attacker writes a product review that tells the agent to send the user’s credit card details to a stranger, and the agent may comply. Older web defenses translate poorly to this setting. Input sanitizers screen for code, and prompt injections carry none.

web agent prompt injection

Prismata operates between the web agent and the browser, providing a system-level defense that filters and constrains web content before it reaches the web agent (Source: Research paper)

Reading page structure to make the call

Prismata works from the structure of the page. For any button, link, or form field, there is a path of ancestor elements running from the top of the page down to that element. The Berkeley team measured that these paths consist almost entirely of developer-written scaffolding such as layout containers and navigation. A reasoning model reads only that path and the user’s task, then decides whether the element belongs to the task. An injection sitting elsewhere on the page stays out of that decision.

The measurement came from a corpus of real pages. Across more than 90,000 samples of untrusted content drawn from Common Crawl and Mind2Web, about 1.2 percent sat on a path leading to something the agent could click or fill. The rest were dead ends for an attacker.

For the small share of cases where untrusted content does sit on such a path, Prismata borrows from a 1977 security design. The Biba integrity model enforces a no-read-down, no-write-up rule, and the team applies it to the page tree. The system reads each layer of the path before revealing its children, watching for signs that untrusted content is coming. Headings such as “Reviews,” accessibility labels, and developer class names like review-card mark the boundary. When a signal appears, everything below it inherits a lower trust label and gets pruned or set to read-only.

Results in a test environment

The tests ran in WebArena, which is about as close to the live web as a benchmark gets. It runs a real GitLab instance and a production-grade shopping platform, so the page structures resemble what an agent would meet in the wild. The attacks were pop-up style lures planted where a malicious user or ad network could plausibly put them.

Attack success dropped from 85.5 percent without the defense to 0.7 percent with it. An attack counted as a win for the attacker when the agent took the bait, clicking a planted link or filling an injected form.Blocking attacks is one thing. Getting the agent to finish its job under attack is another, and here the gains were also sizable: task completion under attack climbed from roughly one in twenty to nearly one in four. Agents that would have wandered off into a fake pop-up stayed on task.

With no attack present, task success slipped from 29.9 percent to 26.6 percent once the filtering kicked in. A few points of utility buys a lot of containment.

The labels driving all of this come from language models, and the choice of model matters. Six labelers went head to head against human security experts on a set of WebArena pages, and each one admitted elements that lined up with the experts more than nine times out of ten. GPT-5.4-nano was the most cautious of the group, hitting 98.69 percent precision at the cost of the lowest recall. Gemini 3 Flash scored the highest F1.

The limits

When an injection sits on the path to an action with no signal ahead of it, the attacker’s text reaches the deciding step, and neither mechanism keeps it out. The team found this in roughly one in a thousand paths, dropping to about 0.017 percent on sites that follow web best practices. Well-built sites shrink the gap. Messy ones widen it.

Language models sit at every stage of the pipeline, which sets a ceiling on the guarantee. 95 percent F1 score still leaves room for a single mislabel on a critical element to let an attack-relevant element through. Averages hide worst cases.

Then there is the question of what happens when a determined attacker goes looking for that seam. The paper reports that Prismata held up against adaptive attackers who ran iterative attempts to fool its labeling, driving those attacks to zero. That is encouraging. It is also a small sample against a threat class.

The bigger picture is an old idea carried into new territory. Classical confinement principles meet probabilistic model outputs, and the whole thing rests on two bets: that the models label pages well, and that sites keep structuring their HTML the way convention says they should.

Anyone running agents that hold a user’s credentials and payment details has reason to watch where this goes.

Guide: What automated pentesting alone cannot see

Don't miss