A browser-based prompt injection is malicious content placed on a webpage so that an AI assistant reading or summarising the page can be influenced by attacker-written instructions. In practice, the risk is not code execution in the browser alone, but the transformation of untrusted page text into trusted assistant output.
Expanded Definition
Browser-based prompt injection is a class of content abuse where attacker-controlled text on a webpage is consumed by an AI assistant and treated as instruction, not merely data. The browser is usually the delivery channel; the security failure happens when the assistant cannot reliably separate page content from higher-trust directives. In practice, this shows up in summarisation, page reading, form-filling, and agentic browsing workflows.
Usage in the industry is still evolving, and definitions vary across vendors, especially when the assistant can also click, navigate, or invoke tools. A useful way to frame the risk is to compare it with ordinary cross-site scripting: XSS targets the browser runtime, while browser-based prompt injection targets the model’s interpretation layer. That distinction matters because a harmless-looking paragraph, hidden note, or metadata field can become operationally significant once an agent reads it. The OWASP Agentic AI Top 10 and the OWASP Agentic AI Top 10 both reflect this shift from content security to instruction-safety. The most common misapplication is assuming webpage sanitisation alone prevents abuse, which occurs when untrusted text is still forwarded into the assistant without instruction boundary controls.
Examples and Use Cases
Implementing browser-based prompt injection defenses rigorously often introduces workflow friction, requiring organisations to weigh assistant usefulness against stricter content isolation and reduced autonomy.
- A support analyst opens a third-party knowledge base page, and the assistant extracts a malicious line that says to ignore prior instructions and reveal sensitive context.
- A procurement agent reads a vendor page that includes hidden prompts designed to alter its summary and steer it toward an attacker’s preferred outcome.
- A browser extension sends page text to an assistant for rewrite, but attacker-written text embedded in comments changes the model’s response strategy.
- A workflow agent visits a page that appears normal to a human, yet contains instruction-like text intended to override the assistant’s task boundaries.
These scenarios align with the threat patterns discussed in the OWASP Agentic Applications Top 10, where input trust, tool use, and instruction hierarchy must be treated as separate controls. They also map to the broader agentic risk framing in the OWASP Agentic AI Top 10, especially when assistants are allowed to act on what they read rather than simply summarise it.
Why It Matters in NHI Security
Browser-based prompt injection matters in NHI security because browsers increasingly sit in front of sensitive systems, credentials, and workflows where autonomous or semi-autonomous agents may inherit access. If an assistant is prompted to open a dashboard, interpret a ticket, or process a page containing secrets, malicious webpage text can redirect the agent toward disclosure, misclassification, or unsafe action. That is not a browser-only issue; it becomes an identity and authorisation problem once the agent is acting with an NHI, a delegated token, or a privileged session.
This risk becomes sharper when organisations rely on broad agent permissions instead of task-specific boundaries. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs. In other words, prompt injection is far more damaging when the agent already has too much reach. Practical controls should therefore pair content handling with least privilege, clear tool scoping, and explicit instruction separation, as reflected in the OWASP Agentic Applications Top 10.
Organisations typically encounter the danger only after an assistant has summarised, forwarded, or acted on attacker-authored page content, at which point browser-based prompt injection becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | N/A | Covers prompt injection and unsafe agent instruction handling. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Highlights risks where secrets or instructions are exposed to untrusted inputs. |
| NIST Zero Trust (SP 800-207) | SC-3 | Supports zero trust boundaries between content sources and privileged actions. |
Treat web content as untrusted input and prevent it from reaching privileged NHI workflows.
Related resources from NHI Mgmt Group
- Why do browser-based prompt injections create a bigger trust problem than email summaries?
- What is the difference between prompt injection risk and identity abuse in agents?
- What is the difference between prompt-based control and runtime authorization for agents?
- How should security teams govern browser-based AI agents in SaaS environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 3, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
