IPI-proxy: Open-Source Toolkit for Red-Teaming Web-Browsing AI Agents Against Indirect Prompt Injection

A new open-source toolkit named IPI-proxy has been introduced by researchers to enhance the security of web-browsing AI agents against indirect prompt injection (IPI) attacks. This tool fills a crucial void in current security measures: existing benchmarks provide pre-made adversarial pages that whitelisted agents cannot access, while generic LLM scanners focus on the model API instead of the content retrieved. IPI-proxy functions as an intercepting proxy that modifies actual HTTP responses from approved domains in real time. It incorporates payloads from a consolidated library of 820 unique attack strings derived from six benchmarks: BIPIA, InjecAgent, AgentDojo, Tensor Trust, WASP, and LLMail-Inject. Additionally, it features a YAML-based test harness for independent parameterization of attack scenarios. This advancement is vital as web-browsing AI agents are increasingly used in enterprises with strict domain whitelists, yet attackers can still manipulate them through concealed instructions in HTML pages from those authorized domains. The research paper can be found on arXiv with the identifier 2605.11868.