AI-powered browser assistants use large language models (LLMs) to automate web navigation and interaction. While these agents are revolutionizing productivity, they also come with significant security challenges. The most notable being the risk of prompt injection attacks.
Avihay Cohen, Seraphic co-founder and CTO, just published new research that presents a cutting-edge solution to this issue: an in-browser, LLM-guided fuzzing platform that uncovers prompt injection vulnerabilities in real time. You can access the framework for free by visiting Seraphic’s BrowserTotal™ platform.
In this article, you’ll learn all about the double-edged sword that is AI-powered browser assistants, how the LLM-guided fuzzing platform works, and what the future of browser security might hold.
What is Prompt Injection?
Agentic browsers operate with the privileges of their users and can process web content across domains. Attackers can hide malicious instructions in web pages (often invisible text or HTML comments) that the AI agent reads and executes. This bypasses traditional cybersecurity boundaries and makes it nearly impossible for the user to know an attack is underway. Real-world cases, like agents being tricked into exfiltrating sensitive data or performing unwanted actions, highlight the urgent need for systematic, automated security testing.
The Solution: LLM-Guided Real-Time Fuzzing
The new research introduces a browser-based fuzzing tool guided by LLMs to simulate and evolve prompt injection attacks against AI agents:
- High-Fidelity Testing: Instead of offline simulation, the fuzzer runs inside a real browser environment, using both template attacks and LLM-driven mutations to generate diverse, realistic malicious scenarios.
- Adaptive Attack Generation: Leveraging advanced language models, the fuzzer continuously mutates attack techniques based on live feedback – making each round more sophisticated and harder to defend.
- Real-Time Monitoring: The system observes the agent’s actions (e.g., clicking hidden links) and immediately adapts its attack strategy, learning how to evade simple defenses.
Key Findings and Security Implications
- Rapid Evasion: While agentic browsers and extensions block basic attacks, their defenses fail rapidly as the fuzzer evolves, with failure rates reaching 58–74% after just ten iterations.
- Feature-Specific Risk: Page summarization and question answering features, which ingest all page content and are highly trusted by users, were found to be exceptionally risky, with attack success rates of 73% and 71%, respectively.
- Advanced Models = Advanced Threats: Larger, more powerful LLMs produce more potent prompt injection attacks, underscoring both the power and peril of generative AI in security.
- Continuous Hardening: The publicly available fuzzing platform can be continuously deployed by security teams to “red team” agentic AI browsers and assistant extensions, drastically improving long-term resilience against novel attacks.
What Is BrowserTotal™?
BrowserTotal™ is an AI-powered browser assessment platform for enterprises. Using an advanced in-browser LLM, BrowserTotal™ automatically analyzes your browser’s posture by running a comprehensive series of tests in a controlled simulation environment. In a matter of seconds, BrowserTotal™ provides personalized and actionable insights into your browser’s current security state. There are no software installation or complex integrations required.
Here’s how it works:
- AI-Powered Browser Simulation: BrowserTotal™ replicates your browser environment in a safe, isolated simulation to test how it behaves under various security scenarios.
- Over 130 Security Checks: The platform performs an exhaustive series of tests, examining critical indicators like browser type and version, extension activity, OS-level signals, security hardening configurations, and potential exposure points.
- Detailed Posture Report: Upon completion, BrowserTotal™ delivers a clear, actionable report outlining identified risks, vulnerabilities, and misconfigurations, along with recommended steps to address them.
BrowserTotal™ is open to the public because we believe strong browser security starts with awareness. Whether you’re managing a fleet of enterprise devices or securing an unmanaged enterprise device, a clear understanding of your browser posture is the first step toward safer online experiences.
Why This Matters for AI Browsing Security
This research marks a significant step towards minimizing the security gap in autonomous AI browsing. By enabling real-time, adaptive, and high-fidelity testing, this platform empowers security practitioners and developers to:
- Identify weaknesses before attackers do
- Understand which features need urgent hardening
- Deploy ongoing testing to evolve defenses alongside attack techniques.
Learn More & Contribute
Security researchers and practitioners can access the full in-browser fuzzing framework to run their own tests, compare agents, and contribute new attack templates on Seraphic’s BrowserTotal™. By making the framework free and open to the public, Seraphic is helping to build safer AI-powered web experiences for all. Agentic AI browsers represent the future of digital productivity. Seraphic’s continued leadership, powered by research like this, ensures that the future will be secured.
About the Author
