mcp-poisoning-poc
This repository contains security research demonstrating critical vulnerabilities in the Model Context Protocol (MCP). It is intended for educational and defensive purposes, and malicious use is discouraged. It is part of a community effort to develop open-source tools to protect our digital future from AI-powered attacks.
GitHub Stars
10
User Rating
Not Rated
Favorites
0
Views
61
Forks
3
Issues
1
๐ก๏ธ MCP Tool Poisoning Security Research
โ ๏ธ IMPORTANT SECURITY NOTICE: This repository contains security research demonstrating critical vulnerabilities in the Model Context Protocol (MCP). The code is for educational and defensive purposes only. Do not use these techniques maliciously.
๐ About GenSecAI
GenSecAI is A non-profit community using generative AI to defend against AI-powered attacks, building open-source tools to secure our digital future from emerging AI threats.
This research is part of our mission to identify and mitigate AI security vulnerabilities before they can be exploited maliciously.
๐จ Executive Summary
This research demonstrates critical security vulnerabilities in the Model Context Protocol (MCP) that allow attackers to:
- ๐ Exfiltrate sensitive data (SSH keys, API credentials, configuration files)
- ๐ญ Hijack AI agent behavior through hidden prompt injections
- ๐ง Redirect communications without user awareness
- ๐ Override security controls of trusted tools
- โฐ Deploy time-delayed attacks that activate after initial trust is established
Impact: Any AI agent using MCP (Claude, Cursor, ChatGPT with plugins) can be compromised through malicious tool descriptions.
๐ฏ Quick Start
Installation
# Clone the repository
git clone https://github.com/gensecaihq/mcp-poisoning-poc.git
cd mcp-poisoning-poc
# Create virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
# Run the demonstration
python examples/basic_attack_demo.py
Basic Demo
from src.demo.malicious_server import MaliciousMCPServer
from src.defenses.sanitizer import MCPSanitizer
# Create a malicious MCP server
server = MaliciousMCPServer()
# See how tool descriptions contain hidden instructions
for tool in server.get_tools():
print(f"Tool: {tool['name']}")
print(f"Hidden payload detected!")
# Defend against attacks
sanitizer = MCPSanitizer()
safe_description = sanitizer.clean(tool.description)
๐ Key Findings
| Attack Vector | Severity | Exploitation Difficulty | Impact |
|---|---|---|---|
| Data Exfiltration | ๐ด Critical | Low | Complete credential theft |
| Tool Hijacking | ๐ด Critical | Low | Full agent compromise |
| Instruction Override | ๐ High | Medium | Security bypass |
| Delayed Payload | ๐ High | Medium | Persistent compromise |
๐ฌ Technical Details
The vulnerability exploits a fundamental design flaw in MCP:
- Tool descriptions are treated as trusted input by AI models
- Hidden instructions in descriptions are invisible to users but processed by AI
- No validation or sanitization of tool descriptions occurs
- Cross-tool contamination allows one malicious tool to affect others
See PROOF_OF_CONCEPT.md for detailed technical analysis.
๐ก๏ธ Defensive Measures
We provide a comprehensive defense framework:
from src.defenses import SecureMCPClient
# Initialize secure client with all protections
client = SecureMCPClient(
enable_sanitization=True,
enable_validation=True,
enable_monitoring=True,
strict_mode=True
)
# Safe tool integration
client.add_server("https://trusted-server.com", verify=True)
๐ Repository Structure
/src- Core implementation of attacks and defenses/docs- Detailed documentation and analysis/tests- Comprehensive test suite/examples- Ready-to-run demonstrations
๐งช Running Tests
# Run all tests
pytest
# Run with coverage
pytest --cov=src tests/
# Run security-specific tests
pytest tests/test_attacks.py -v
๐ค Contributing
We welcome contributions to improve MCP security! Please see CONTRIBUTING.md for guidelines.
Join the GenSecAI Community
- ๐ Website: https://gensecai.org
- ๐ง Email: ask@gensecai.org
- ๐ฌ Discussions: GitHub Discussions
๐ Documentation
- Proof of Concept - Detailed PoC explanation
- Attack Vectors - Comprehensive attack analysis
- Mitigation Strategies - Defense implementations
- Technical Analysis - Deep technical dive
โ๏ธ Legal & Ethical Notice
This research is conducted under responsible disclosure principles:
- Educational Purpose: Code is for security research and defense only
- No Malicious Use: Do not use these techniques to attack systems
- Disclosure Timeline: Vendors were notified before public release
- Defensive Focus: Primary goal is to enable better defenses
๐ Credits
- Organization: GenSecAI - Generative AI Security Community
- Research Team: GenSecAI Security Research Division
- Based on: Original findings from Invariant Labs
- Special Thanks: To the security research community and responsible disclosure advocates
๐ฎ Contact
- Security Issues: ask@gensecai.org
- General Inquiries: ask@gensecai.org
- Website: https://gensecai.org
- Bug Reports: GitHub Issues
๐ License
This project is licensed under the MIT License - see LICENSE for details.
Made with โค๏ธ by GenSecAI
Securing AI, One Vulnerability at a Time
The Cyberbro MCP Server is a simple application that extracts Indicators of Compromise (IoCs) from unstructured input and checks their reputation using multiple threat intelligence services. It leverages the Model Context Protocol (MCP) to facilitate interaction with the Cyberbro platform.
pentestMCP is a penetration testing tool developed in Python that provides features for efficient security analysis. This tool automates vulnerability scanning, risk assessment, and report generation, allowing security professionals to quickly identify threats. It is designed to streamline the penetration testing process and enhance overall security posture.