Enkrypt AI Secure MCP Gateway (by enkryptai) - `COVERAGE_ANALYSIS.md`
# MCP Security Top 25 - Test Coverage Analysis

This document tracks our test coverage against the [Adversa AI MCP Security Top 25 Vulnerabilities](https://adversa.ai/mcp-security-top-25-mcp-vulnerabilities/).

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Fully Covered | 15 | 60% |
| ⚠️ Partially Covered | 1 | 4% |
| ❌ Not Covered | 9 | 36% |
| **Total** | **25** | **100%** |

---

## Detailed Coverage Matrix

### ✅ FULLY COVERED (15/25)

| Rank | Vulnerability | Test Server | Notes |
|------|---------------|-------------|-------|
| #1 | Prompt Injection | `prompt_injection_mcp.py` | ✅ Comprehensive |
| #2 | Command Injection | `command_injection_mcp.py` | ✅ Multiple vectors |
| #3 | Tool Poisoning (TPA) | `tool_poisoning_mcp.py` | ✅ Extensive examples |
| #4 | **Remote Code Execution** | **`rce_mcp.py`** | ✅ **NEW!** eval, pickle, YAML, templates |
| #5 | **Unauthenticated Access** | **`unauthenticated_access_mcp.py`** | ✅ **NEW!** Zero-auth vulnerabilities |
| #6 | Confused Deputy (OAuth Proxy) | `session_management_mcp.py` | ✅ OAuth attacks |
| #8 | Token/Credential Theft | `credential_theft_mcp.py` | ✅ Multiple theft vectors |
| #9 | Token Passthrough | `session_management_mcp.py` | ✅ Token forwarding |
| #10 | Path Traversal | `path_traversal_mcp.py` | ✅ Directory traversal |
| #11 | Full Schema Poisoning (FSP) | `schema_poisoning_mcp.py` | ✅ Output poisoning |
| #17 | **SSRF** | **`ssrf_mcp.py`** | ✅ **NEW!** Dedicated SSRF server |
| #18 | Resource Exhaustion | `resource_exhaustion_mcp.py` | ✅ DoS attacks |
| #19 | **Insecure Deserialization** | **`rce_mcp.py`** | ✅ **NEW!** Pickle, YAML, JSON gadgets |
| #22 | Session Context Leakage | `session_management_mcp.py` | ✅ Context pollution |
| Multiple | Output-based Attacks | `bad_output_mcp.py` | ✅ Malicious responses |

### ⚠️ PARTIALLY COVERED (1/25)

| Rank | Vulnerability | Current Coverage | What's Missing |
|------|---------------|------------------|----------------|
| #12 | Tool Name Spoofing | `bad_mcp.py` has some examples | Needs homoglyph and typosquatting examples |

### ❌ NOT COVERED (9/25)

#### High Severity (4)

| Rank | Vulnerability | Impact | Exploitability | Priority |
|------|---------------|--------|----------------|----------|
| #7 | **MCP Configuration Poisoning** | 8/10 | Moderate | 🟠 MEDIUM |
| #13 | **Localhost Bypass (NeighborJack)** | 8/10 | Moderate | 🟠 MEDIUM |
| #14 | **Rug Pull Attack** | 7/10 | Easy | 🟠 MEDIUM |
| #15 | **Advanced Tool Poisoning (ATPA)** | 7/10 | Complex | 🟡 LOW |
| #16 | **MCP Client Impersonation** | 7/10 | Moderate | 🟠 MEDIUM |

**Rank #7 - MCP Configuration Poisoning (MCPoison)**
- **What it is:** Manipulation of MCP client configuration files
- **Examples needed:** Config file injection, Cursor vulnerability exploitation
- **Reference:** https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/

**Rank #13 - Localhost Bypass (NeighborJack)**
- **What it is:** Binding to 0.0.0.0 instead of localhost, DNS rebinding
- **Examples needed:** Network exposure, LAN attacks, DNS rebinding
- **Reference:** https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596

**Rank #14 - Rug Pull Attack**
- **What it is:** Dynamic tool mutation, fake updates, supply chain subversion
- **Examples needed:** Tools that change behavior after initial approval
- **Reference:** https://chrismartorella.ghost.io/model-context-protocol-mcp-aka-multiple-cybersecurity-perils/

**Rank #15 - Advanced Tool Poisoning (ATPA)**
- **What it is:** Dynamic output poisoning, runtime tool mutation
- **Difference from #3:** More sophisticated; the poisoning changes at runtime
- **Examples needed:** Tools that modify their own schema, dynamic metadata changes

**Rank #16 - MCP Client Impersonation**
- **What it is:** Spoofing legitimate MCP clients
- **Examples needed:** User-agent spoofing, client credential theft
- **Reference:** https://www.solo.io/blog/deep-dive-mcp-and-a2a-attack-vectors-for-ai-agents/

#### Medium Severity (2)

| Rank | Vulnerability | Impact | Exploitability | Priority |
|------|---------------|--------|----------------|----------|
| #20 | **Multi-Agent Workflow Hijack** | 6/10 | Moderate | 🟡 LOW |
| #21 | **Protocol Implementation Divergence** | 6/10 | Moderate | 🟡 LOW |

**Rank #20 - Multi-Agent Workflow Hijack (A2A Relay)**
- **What it is:** Hijacking agent-to-agent communication
- **Examples needed:** Agent redirection, workflow manipulation, swarm takeover
- **Reference:** https://adversa.ai/blog/mcp-security-issues/

**Rank #21 - Protocol Implementation Divergence**
- **What it is:** Parser inconsistencies between MCP implementations
- **Examples needed:** Payloads that pass validation in one parser but are interpreted differently by another

#### Low Severity (2)

| Rank | Vulnerability | Impact | Exploitability | Priority |
|------|---------------|--------|----------------|----------|
| #23 | **Configuration File Exposure** | 5/10 | Trivial | 🟢 VERY LOW |
| #24 | **MCP Preference Manipulation Attack** | 4/10 | Very Complex | 🟢 VERY LOW |
| #25 | **Cross-Tenant Data Exposure** | 6/10 | Complex | 🟢 VERY LOW |

**Rank #23 - Configuration File Exposure**
- **What it is:** MCP config files exposed via web servers or public repos
- **Examples needed:** `.mcp/config.json` exposure, GitHub leaks

**Rank #24 - MCP Preference Manipulation Attack (MPMA)**
- **What it is:** Long-term manipulation of AI behavior through biased responses
- **Examples needed:** Gradual behavioral drift, preference shaping
- **Note:** Theoretical, no confirmed real-world cases

**Rank #25 - Cross-Tenant Data Exposure**
- **What it is:** Multi-tenant isolation failures in cloud MCP deployments
- **Examples needed:** Shared cache leaks, tenant boundary violations

---

## Priority Recommendations

### ✅ COMPLETED (Critical & High Impact)

1. ✅ **`unauthenticated_access_mcp.py`** (Rank #5) - Zero-auth vulnerability
2. ✅ **`rce_mcp.py`** (Rank #4) - Remote code execution (eval, pickle, YAML, templates, JSON)
3. ✅ **`ssrf_mcp.py`** (Rank #17) - Dedicated SSRF server with HTTP requests
4. ✅ **Deserialization** (Rank #19) - Covered in `rce_mcp.py`

### 🟠 Create Soon (High Severity)

5. **`config_poisoning_mcp.py`** (Rank #7) - MCPoison attacks
6. **`localhost_bypass_mcp.py`** (Rank #13) - NeighborJack/0.0.0.0 vulnerabilities
7. **`rug_pull_mcp.py`** (Rank #14) - Dynamic tool mutation
8. **`client_impersonation_mcp.py`** (Rank #16) - Client spoofing

### 🟡 Create Later (Medium/Low Severity)

9. **`multi_agent_hijack_mcp.py`** (Rank #20) - A2A relay attacks
10. **`protocol_divergence_mcp.py`** (Rank #21) - Parser inconsistencies
11. **`tool_name_spoofing_mcp.py`** (Rank #12) - Enhance the existing examples with homoglyphs
12. **`advanced_tool_poisoning_mcp.py`** (Rank #15) - Runtime schema mutation

### 🟢 Optional (Low Priority/Theoretical)

13. **`config_exposure_mcp.py`** (Rank #23) - Config file leaks
14. **`preference_manipulation_mcp.py`** (Rank #24) - Long-term behavioral drift
15. **`cross_tenant_mcp.py`** (Rank #25) - Multi-tenant isolation

---

## Additional Test Enhancements

### Observability & Monitoring
- **Observability Blind Spot MCP** - No logging/audit trail (from Adversa blog)
- **Inadequate Monitoring MCP** - Missing security monitoring

### Network & Infrastructure
- **Network Binding MCP** - Enhance localhost bypass tests
- **TLS/SSL Issues MCP** - Insecure communications

### Supply Chain
- **Supply Chain Attack MCP** - Third-party MCP server compromise
- **Dependency Confusion MCP** - Malicious package substitution

---

## Coverage Gaps Analysis

### Why These Matter

**Top 5 Missing Vulnerabilities by Risk Score:**

1. Rank #4 - RCE (10/10 impact) - Can fully compromise the server
2. Rank #5 - Unauthenticated Access (9/10 impact) - Trivial to exploit
3. Rank #17 - SSRF (8/10 impact) - Internal network access
4. Rank #7 - Config Poisoning (8/10 impact) - Client-side attacks
5. Rank #13 - Localhost Bypass (8/10 impact) - Network exposure

### Defense Layers Not Yet Tested

| Layer | Current Coverage | Missing Tests |
|-------|------------------|---------------|
| **Network Security** | ❌ None | Localhost bypass, DNS rebinding |
| **Authentication** | ❌ None | Unauthenticated access tests |
| **Deserialization** | ❌ None | Pickle, YAML, JSON attacks |
| **Client Security** | ❌ None | Config poisoning, client impersonation |
| **Multi-Agent** | ❌ None | Agent-to-agent attacks |
| **Runtime Security** | ⚠️ Partial | Advanced tool poisoning, rug pulls |

---

## Next Steps

1. **Create 4 critical test servers** (Ranks #4, #5, #17, #19)
2. **Enhance existing servers** with additional attack vectors
3. **Update README.md** with new coverage
4. **Create integration test suite** that runs all 25+ attack scenarios
5. **Document mitigation strategies** for each vulnerability

---

## References

All vulnerabilities are documented at:

- [Adversa AI MCP Security Top 25](https://adversa.ai/mcp-security-top-25-mcp-vulnerabilities/)
- [MCP Security Issues Explained](https://adversa.ai/blog/mcp-security-issues/)
- [MCP Security Best Practices](https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices)

---

**Last Updated:** January 2025
**Coverage:** 60% complete (15/25 vulnerabilities) ⬆️ +16% improvement!
**Target:** 80% coverage (20/25 vulnerabilities) - focus on Critical & High severity
**Progress:** All Critical vulnerabilities now covered! ✅
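The partially covered Rank #12 (Tool Name Spoofing) lists homoglyph attacks and typosquatting as the missing cases. The check below is an added example of the gateway-side detection that such test cases would exercise; it is not code from the secure-mcp-gateway project. The tool registry, the confusables subset and the edit-distance threshold are all constructed for the example.

```python
import unicodedata

# Constructed sample registry standing in for the gateway's approved tool list.
REGISTERED_TOOLS = {"read_file", "write_file", "run_query", "send_email"}

# Hand-picked Cyrillic/Greek/digit lookalikes mapped to their ASCII skeleton.
# Illustrative subset only; a real deployment would load the full Unicode
# confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o", "\u03b1": "a",
    "0": "o", "1": "l",
}
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def skeleton(name: str) -> str:
    """Normalise a tool name to the form a human would read it as."""
    name = unicodedata.normalize("NFKC", name)  # fullwidth forms -> ASCII
    name = "".join(ch for ch in name if ch not in ZERO_WIDTH)
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.casefold())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_tool_name(name, registry=REGISTERED_TOOLS, max_distance=2):
    """Return (verdict, closest_registered_tool) for an advertised tool name."""
    if name in registry:
        return "registered", name
    sk = skeleton(name)
    for tool in registry:
        if sk == skeleton(tool):  # identical once normalised: homoglyph spoof
            return "homoglyph", tool
    closest = min(registry, key=lambda t: levenshtein(sk, skeleton(t)))
    if levenshtein(sk, skeleton(closest)) <= max_distance:
        return "typosquat", closest
    return "unknown", None
```

A gateway would run this over every name in a server's `tools/list` response and block or flag any "homoglyph" or "typosquat" verdict before the tool is offered to the model.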