« All posts

Prismata: Defending Web Agents Against Prompt Injection Attacks

Prismata introduces a new defense mechanism using dynamic trust labeling and content restriction to protect web agents from cross-site prompt injection attacks.

Autonomous web agents that interpret page content as natural-language instructions inherit a modern version of cross-site scripting: when trusted and untrusted content mix, third-party or user-generated material can hijack the agent through prompt injection. The core difficulty lies in deriving a task-specific security policy when page structure is entangled with attacker-controlled content.

To address this, researchers introduce Prismata, a defense system that enforces contextual least privilege by dynamically assigning trust labels to page content, constraining both what an agent perceives and what actions it can take. Drawing on classical integrity models, its structural confinement mechanism guarantees that any labeling errors can only reduce privilege, bounding the impact of mislabeling. A mechanical confinement layer then enforces these labels through content redaction and capability restriction.

Notably, Prismata requires no developer annotations, making it applicable across the long tail of real-world websites without custom integration. Evaluated against recently published web agent attacks, including adaptive variants, it substantially reduces attack success rates while preserving the agent's usefulness for legitimate tasks — offering a practical path toward securely deploying LLM-based agents in production environments.