The reviewed record of science sign in
Pith

arxiv: 2410.17401 · v4 · pith:QQKG6T5Y · submitted 2024-10-22 · cs.CR · cs.CL

AdvAgent: Controllable Blackbox Red-teaming on Web Agents

Reviewed by Pithpith:QQKG6T5Yopen to challenge →

classification cs.CR cs.CL
keywords agentsadvagentadversarialagentblack-boxexistingframeworkprompts
0
0 comments X
read the original abstract

Foundation model-based agents are increasingly used to automate complex tasks, enhancing efficiency and productivity. However, their access to sensitive resources and autonomous decision-making also introduce significant security risks, where successful attacks could lead to severe consequences. To systematically uncover these vulnerabilities, we propose AdvAgent, a black-box red-teaming framework for attacking web agents. Unlike existing approaches, AdvAgent employs a reinforcement learning-based pipeline to train an adversarial prompter model that optimizes adversarial prompts using feedback from the black-box agent. With careful attack design, these prompts effectively exploit agent weaknesses while maintaining stealthiness and controllability. Extensive evaluations demonstrate that AdvAgent achieves high success rates against state-of-the-art GPT-4-based web agents across diverse web tasks. Furthermore, we find that existing prompt-based defenses provide only limited protection, leaving agents vulnerable to our framework. These findings highlight critical vulnerabilities in current web agents and emphasize the urgent need for stronger defense mechanisms. We release code at https://ai-secure.github.io/AdvAgent/.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 10 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. HLL: Can Agents Cross Humanity's Last Line of Verification?

    cs.AI 2026-06 unverdicted novelty 7.0

    HLL is a new benchmark that evaluates eight frontier multimodal agents on closed-loop interactive CAPTCHA solving, showing sharp performance drops under realism stressors and trace validation.

  2. SkillTrojan: Backdoor Attacks on Skill-Based Agent Systems

    cs.CR 2026-04 unverdicted novelty 7.0

    SkillTrojan demonstrates that backdoors can be placed in composable skills of agent systems to achieve up to 97% attack success rate with only minor loss in clean-task accuracy.

  3. ShieldNet: Network-Level Guardrails against Emerging Supply-Chain Injections in Agentic Systems

    cs.AI 2026-04 unverdicted novelty 7.0

    ShieldNet detects supply-chain poisoned tools in LLM agents by monitoring network interactions with a MITM proxy and lightweight classifier, reaching 0.995 F1 and 0.8% false positives on a new benchmark of 25+ attack types.

  4. Mobile GUI Agents under Real-world Threats: Are We There Yet?

    cs.CR 2025-07 conditional novelty 6.0

    Introduces an app-content instrumentation framework and benchmark showing that examined GUI agents suffer 42.0% and 36.1% average misleading rates from third-party content in dynamic and static tests respectively.

  5. Progent: Securing AI Agents with Privilege Control

    cs.CR 2025-04 unverdicted novelty 6.0

    Progent introduces a privilege-control framework for AI agents that uses LLM-generated symbolic rules over tools, SMT-solver-enforced monotonic updates, and deterministic checks to reduce attack success rates on Agent...

  6. MIRAGE: Stealthy Visual Prompt Injection for Vulnerability Detection in Web Agents

    cs.CV 2026-06 unverdicted novelty 5.0

    MIRAGE creates perceptually benign adversarial images using diffusion and curvature-aware optimization to enable targeted prompt injection attacks on web agents like SeeAct and OpenClaw within attacker-controlled boundaries.

  7. WARD: Adversarially Robust Defense of Web Agents Against Prompt Injections

    cs.CR 2026-05 unverdicted novelty 5.0

    WARD is a guard model trained on 177K web samples and adversarially hardened via attacker-guard co-evolution to achieve high recall on prompt injections with low false positives and no added latency.

  8. A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?

    cs.CL 2025-05 unverdicted novelty 5.0

    A survey that defines Computer-Using Agents for safety analysis, categorizes their threats, proposes a taxonomy of defensive strategies, and summarizes benchmarks and datasets for evaluating CUA safety and performance.

  9. Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges

    cs.AI 2025-10 unverdicted novelty 4.0

    A survey that taxonomizes threats to agentic AI, reviews benchmarks and evaluation methods, discusses technical and governance defenses, and identifies open challenges.

  10. LLM Agents Are the Antidote to Walled Gardens

    cs.LG 2025-06 unverdicted novelty 4.0

    LLM agents enable universal interoperability by serving as automatic translators and adapters between proprietary digital services.