{"id":"https://openalex.org/W7128622687","doi":"https://doi.org/10.48550/arxiv.2602.09222","title":"MUZZLE: Adaptive Agentic Red-Teaming of Web Agents Against Indirect Prompt Injection Attacks","display_name":"MUZZLE: Adaptive Agentic Red-Teaming of Web Agents Against Indirect Prompt Injection Attacks","publication_year":2026,"publication_date":"2026-02-09","ids":{"openalex":"https://openalex.org/W7128622687","doi":"https://doi.org/10.48550/arxiv.2602.09222"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.09222","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5125634948","display_name":"Georgios Syros","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Syros, Georgios","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125627182","display_name":"Evan Rose","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rose, Evan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010519716","display_name":"Brian Grinstead","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Grinstead, Brian","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5019189066","display_name":"Christoph Kerschbaumer","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kerschbaumer, Christoph","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5085358980","display_name":"William Robertson","orcid":"https://orcid.org/0000-0002-6968-0273"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Robertson, William","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125638230","display_name":"Cristina Nita-Rotaru","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Nita-Rotaru, Cristina","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5124899118","display_name":"Alina Oprea","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Oprea, Alina","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5125634948"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.6632000207901001,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.6632000207901001,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.17720000445842743,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.023099999874830246,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.5724999904632568},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.4616999924182892},{"id":"https://openalex.org/keywords/sql-injection","display_name":"SQL injection","score":0.4357999861240387},{"id":"https://openalex.org/keywords/muzzle","display_name":"Muzzle","score":0.4336000084877014},{"id":"https://openalex.org/keywords/phishing","display_name":"Phishing","score":0.42160001397132874},{"id":"https://openalex.org/keywords/limiting","display_name":"Limiting","score":0.4027000069618225},{"id":"https://openalex.org/keywords/hacker","display_name":"Hacker","score":0.37209999561309814},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.35580000281333923}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7904000282287598},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6970000267028809},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.5724999904632568},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.4616999924182892},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.4357999861240387},{"id":"https://openalex.org/C2780673119","wikidata":"https://www.wikidata.org/wiki/Q487192","display_name":"Muzzle","level":3,"score":0.4336000084877014},{"id":"https://openalex.org/C83860907","wikidata":"https://www.wikidata.org/wiki/Q135005","display_name":"Phishing","level":3,"score":0.42160001397132874},{"id":"https://openalex.org/C188198153","wikidata":"https://www.wikidata.org/wiki/Q1613840","display_name":"Limiting","level":2,"score":0.4027000069618225},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.37209999561309814},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.35580000281333923},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3517000079154968},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.3269999921321869},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.3248000144958496},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.3231000006198883},{"id":"https://openalex.org/C2777672014","wikidata":"https://www.wikidata.org/wiki/Q1172573","display_name":"Web traffic","level":3,"score":0.3156999945640564},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.31029999256134033},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.3084999918937683},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.2833999991416931},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.26969999074935913}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.09222","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.09222","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.09222","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.09222","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[{"score":0.7822179198265076,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"model":[2],"(LLM)":[3],"based":[4,141],"web":[5,19,45,101,162,180,198],"agents":[6,29,102,181],"are":[7],"increasingly":[8],"deployed":[9],"to":[10,37,49,81,113,172],"automate":[11],"complex":[12],"online":[13],"tasks":[14],"by":[15],"directly":[16],"interacting":[17],"with":[18,182,200],"sites":[20],"and":[21,53,119,131,148,166,174,223],"performing":[22],"actions":[23],"on":[24,66,142,196],"users'":[25],"behalf.":[26],"While":[27],"these":[28],"offer":[30],"powerful":[31],"capabilities,":[32],"their":[33,79],"design":[34],"exposes":[35],"them":[36],"indirect":[38,104],"prompt":[39,105,220],"injection":[40,72,106,117,221],"attacks":[41,85,151,195,222],"embedded":[42],"in":[43,87],"untrusted":[44],"content,":[46],"enabling":[47],"adversaries":[48],"hijack":[50],"agent":[51,167],"behavior":[52],"violate":[54,205],"user":[55,164],"intent.":[56],"Despite":[57],"growing":[58],"awareness":[59],"of":[60,100,128,179],"this":[61],"threat,":[62],"existing":[63],"evaluations":[64],"rely":[65],"fixed":[67],"attack":[68,139,215],"templates,":[69],"manually":[70],"selected":[71],"surfaces,":[73,118],"or":[74,208],"narrowly":[75],"scoped":[76],"scenarios,":[77],"limiting":[78],"ability":[80,171],"capture":[82],"realistic,":[83],"adaptive":[84],"encountered":[86],"practice.":[88],"We":[89,157],"present":[90],"MUZZLE,":[91],"an":[92,224],"automated":[93],"agentic":[94],"framework":[95],"for":[96],"evaluating":[97],"the":[98,110,143,177],"security":[99,178],"against":[103],"attacks.":[107],"MUZZLE":[108,136,159,190,211],"utilizes":[109],"agent's":[111,144],"trajectories":[112],"automatically":[114,173],"identify":[115],"high-salience":[116],"adaptively":[120,175],"generate":[121],"context-aware":[122],"malicious":[123],"instructions":[124],"that":[125,189,204],"target":[126],"violations":[127],"confidentiality,":[129,206],"integrity,":[130],"availability.":[132],"Unlike":[133],"prior":[134],"approaches,":[135],"adapts":[137],"its":[138,170],"strategy":[140],"observed":[145],"execution":[146],"trajectory":[147],"iteratively":[149],"refines":[150],"using":[152],"feedback":[153],"from":[154],"failed":[155],"executions.":[156],"evaluate":[158],"across":[160],"diverse":[161],"applications,":[163],"tasks,":[165],"configurations,":[168],"demonstrating":[169],"assess":[176],"minimal":[183],"human":[184],"intervention.":[185],"Our":[186],"results":[187],"show":[188],"effectively":[191],"discovers":[192],"37":[193],"new":[194],"4":[197],"applications":[199],"10":[201],"adversarial":[202],"objectives":[203],"availability,":[207],"privacy":[209],"properties.":[210],"also":[212],"identifies":[213],"novel":[214],"strategies,":[216],"including":[217],"2":[218],"cross-application":[219],"agent-tailored":[225],"phishing":[226],"scenario.":[227]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-12T00:00:00"}