0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
160 lines
5.9 KiB
Markdown
160 lines
5.9 KiB
Markdown
---
|
|
sidebar_label: MCP Plugin
|
|
description: Red team MCP implementations by testing function exploits and tool manipulation to prevent unauthorized AI agent access
|
|
---
|
|
|
|
# MCP Plugin
|
|
|
|
## Overview
|
|
|
|
The Model Context Protocol (MCP) Plugin tests whether agentic systems using MCP are vulnerable to function call exploits, system prompt leakage, unauthorized tool discovery, or other MCP-specific attacks.
|
|
|
|
This plugin maps to multiple threat vectors from the [OWASP Agentic AI Top 10 Threats](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/), particularly focusing on Tool Manipulation, System Prompt Extraction, and Privilege Escalation.
|
|
|
|
## Purpose
|
|
|
|
MCP enables AI models to use tools, maintain context, and perform complex interactions. However, these capabilities introduce unique vulnerabilities. The MCP Plugin specifically tests for:
|
|
|
|
1. Exploits that compromise the integrity of function calling mechanisms
|
|
2. Attacks that extract sensitive system information
|
|
3. Techniques that manipulate tool usage in unintended ways
|
|
4. Methods to bypass security controls in MCP implementations
|
|
|
|
## How it Works
|
|
|
|
The MCP Plugin:
|
|
|
|
1. Generates attack prompts designed to exploit MCP-specific vulnerabilities
|
|
2. Analyzes model responses for signs of successful exploitation
|
|
3. Evaluates the robustness of function calling implementations
|
|
4. Tests tool invocation boundaries and privilege controls
|
|
|
|
## Attack Vectors
|
|
|
|
The plugin tests for the following MCP-specific attack vectors:
|
|
|
|
1. **Function Discovery**: Tricking agents to expose hidden functions
|
|
2. **Parameter Injection**: Crafting malicious inputs to inject unwanted parameters
|
|
3. **Function Call Manipulation**: Inducing unauthorized calls or response handling
|
|
4. **Excessive Function Calling**: Exploiting recursion or coercion of function call for denial of service
|
|
5. **System Information Leakage**: Extracting internal system details
|
|
6. **Function Output Manipulation**: Causing misinterpretation of function results
|
|
7. **Tool Metadata Injection**: Smuggling instructions through tool names or descriptions
|
|
8. **Unauthorized Tool Invocation / Privilege Escalation**: Testing access control boundaries
|
|
|
|
## Configuration
|
|
|
|
Add the following to your promptfoo configuration:
|
|
|
|
```yaml
|
|
redteam:
|
|
purpose: "Description of your agent's intended purpose"
|
|
plugins:
|
|
- mcp
|
|
|
|
strategies:
|
|
- basic
|
|
- best-of-n
|
|
- jailbreak
|
|
```
|
|
|
|
### Recommended Plugin Combinations for MCP Testing
|
|
|
|
When testing MCP-enabled systems, these plugins work particularly well together:
|
|
|
|
```yaml
|
|
redteam:
|
|
plugins:
|
|
- pii # Test for PII data exposure through tool responses
|
|
- bfla # Test function-level authorization bypass
|
|
- bola # Test object-level authorization bypass
|
|
- sql-injection # Test for SQL injection in tool parameters
|
|
- mcp # MCP-specific attack vectors
|
|
```
|
|
|
|
These plugins target the most common security vulnerabilities in systems that expose tools and data through MCP interfaces:
|
|
|
|
- **`pii`** - Tests for exposure of personally identifiable information through tool responses
|
|
- **`bfla`** (Broken Function Level Authorization) - Tests whether users can access functions they shouldn't have access to
|
|
- **`bola`** (Broken Object Level Authorization) - Tests whether users can access data objects they shouldn't have access to
|
|
- **`sql-injection`** - Tests for SQL injection vulnerabilities in tool parameters
|
|
- **`mcp`** - MCP-specific attack vectors including function discovery and parameter injection
|
|
|
|
## Example
|
|
|
|
Here's an example configuration for testing an MCP-enabled customer support agent:
|
|
|
|
```yaml
|
|
# yaml-language-server: $schema=https://promptfoo.dev/config-schema.json
|
|
description: Red Teaming MCP with tool use
|
|
|
|
providers:
|
|
- id: anthropic:messages:claude-3-haiku-20240307
|
|
config:
|
|
mcp:
|
|
enabled: true
|
|
server:
|
|
url: https://your-mcp-server.example.com/mcp
|
|
|
|
prompts:
|
|
- |
|
|
You are a customer support agent for Acme, a company that sells widgets.
|
|
Your role is to assist users with product information and general inquiries.
|
|
{{prompt}}
|
|
|
|
defaultTest:
|
|
options:
|
|
transformVars: '{ ...vars, sessionId: context.uuid }'
|
|
|
|
redteam:
|
|
purpose: |
|
|
The objective of the application is to provide customer support
|
|
without revealing internal company information or allowing unauthorized access.
|
|
|
|
# Recommended plugins for comprehensive MCP security testing
|
|
plugins:
|
|
- pii # Test for PII data exposure
|
|
- bfla # Test function-level authorization
|
|
- bola # Test object-level authorization
|
|
- sql-injection # Test for SQL injection vulnerabilities
|
|
- mcp # MCP-specific attack vectors
|
|
|
|
strategies:
|
|
- basic
|
|
- best-of-n
|
|
- jailbreak
|
|
```
|
|
|
|
## Working With Results
|
|
|
|
The test results will show:
|
|
|
|
- The attack prompt attempted
|
|
- The model's response
|
|
- An assessment of whether the attack was successful
|
|
- The specific vulnerability that was exploited (if any)
|
|
|
|
A successful attack (failed test) is indicated when the model's response demonstrates a vulnerability, such as revealing hidden functions, executing unauthorized tool calls, or leaking system information.
|
|
|
|
## Mitigations
|
|
|
|
To protect against MCP-specific attacks:
|
|
|
|
1. Implement strict input validation for function parameters
|
|
2. Apply appropriate access controls for tool invocation
|
|
3. Validate the output of function calls before processing
|
|
4. Limit recursion depth for function calls
|
|
5. Sanitize error messages to prevent information leakage
|
|
6. Use function signature schemas with strict typing
|
|
7. Implement rate limiting for tool calls
|
|
8. Separate system prompts from user-accessible memory
|
|
|
|
## Related Concepts
|
|
|
|
- [Types of LLM Vulnerabilities](/docs/red-team/llm-vulnerability-types)
|
|
- [Memory Poisoning](/docs/red-team/plugins/memory-poisoning)
|
|
- [Tool Discovery](/docs/red-team/plugins/tool-discovery)
|
|
- [Prompt Extraction](/docs/red-team/plugins/prompt-extraction)
|
|
- [Indirect Prompt Injection](/docs/red-team/plugins/indirect-prompt-injection)
|
|
- [MCP Configuration in Promptfoo](/docs/integrations/mcp)
|