EPS
← All batches·2605.08310

WebTrap: Stealthy Mid-Task Hijacking of Browser Agents During Navigation

topic: general_safetytop score: 100released: 2026-05-12first surfaced: 2026-05-12arXivPDFlinked_to_results2026-05-12

Authors: Zhichao Liu, Wenbo Pan, Haining Yu et al.

arXiv · PDF

Summary

The authors introduce WebTrap, a mid-task hijacking attack on browser agents that injects malicious instructions during long-horizon tasks. Unlike prior prompt injections that fight the user goal (causing a usability drop), WebTrap fuses the attack goal with the user goal using multi-step instruction steering and context-grounded generation, so the agent completes the malicious task and then resumes the original task. Experiments on extended WASP and InjecAgent environments show high attack success rates while preserving system usability, and standard defenses fail to restore normal operation because the two goals are tightly bound.

Main takeaways:

  • WebTrap hijacks browser agents mid-task by fusing malicious instructions with the user's original goal, so the agent completes both without a usability drop
  • Uses multi-step instruction fusion and context-grounded generation to align injected content with the task environment and system instructions
  • Achieves high attack success rates on two browser agent tasks (extended WASP and InjecAgent) while preserving original task completion
  • Standard defenses can't restore normal operation because the attack and user goals are seamlessly combined
  • Reveals a critical vulnerability in long-horizon agent tasks: extended execution chains provide more injection opportunities

Relevance

Relevant to my conditional behavior and persona installation work: WebTrap installs a secondary goal (the attack) alongside the primary goal (the user task) and gets the model to execute both conditionally. This is similar to my question of how personas can coexist and whether behavioral installation via prompts can be seamlessly layered.

Abstract

arXiv:2605.08310v1 Announce Type: new Abstract: Browser agents are increasingly deployed in long-horizon tasks, which require executing extended action chains to accomplish user goals. However, this prolonged execution process provides attackers with more opportunities to inject malicious instructions. Existing prompt injection attacks against browser agents expose two key gaps: (1) low effectiveness, as attacks optimized for toy baselines fail to achieve end-to-end goals in real-world scenarios with complex environments and longer steps; (2) weak stealthiness, since most attacks pit the attack goal against the user goal, causing a significant drop in system usability under attack. To address these gaps, we propose WebTrap, a mid-task hijacking injection attack. It employs multi-step instruction fusion steering to seamlessly combine both goals, enabling the agent to resume the original user task after executing the attack goal. Furthermore, we design a context-grounded generation method to align the injected content with the task environment and system instructions, maximizing the hijacking success rate. Extensive experiments on two browser agent tasks, based on extended WASP and InjecAgent environments, demonstrate that our method achieves a high attack success rate while preserving the usability of the original system. We find that WebTrap exploits the agent's navigation vulnerabilities, binding the two goals so tightly that standard defense mechanisms cannot restore the system to normal operation. These findings reveal a critical vulnerability in agent systems during long-horizon tasks that they can be stealthily hijacked.