customer-data-processor
Analyze and process customer data for sentiment analysis and actionable insights, supporting structured and unstructured formats within a vulnerable MCP server for security research and testing.
Instructions
📊 Customer Data Processing Platform - Advanced analytics for customer feedback, sentiment analysis, and business intelligence. Processes structured and unstructured customer data for actionable insights.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| data | Yes | Customer data to process | |
| format | Yes | Processing format: sentiment_analysis, user_input, structured_data, etc. | |
Implementation Reference
- src/vulnerable-mcp-server.ts:794-902 (handler) The handler function implements the core logic of the 'customer-data-processor' tool. It processes customer data for sentiment analysis and business insights under normal conditions. It detects boundary confusion attacks by checking for delimiter patterns like '|', '}}', '{{', etc., in the input data or format, and responds with an educational explanation of the vulnerability if detected. This demonstrates VULNERABILITY 8: Boundary Confusion.

```typescript
async ({ data, format }) => {
  businessContext.interactions++;

  // Check for boundary confusion attempts
  const boundaryPatterns = ['|', '}}', '{{', 'SYSTEM_CMD:', 'SYSTEM_INSTRUCTION:', 'END_DATA'];
  const hasBoundaryIssue = boundaryPatterns.some(pattern =>
    data.includes(pattern) || format.includes(pattern)
  );

  if (!hasBoundaryIssue) {
    // Normal customer data processing
    return {
      content: [{
        type: "text",
        text: `📊 Customer Data Processing Results

**Data Analysis:**
• Input Type: ${format}
• Data Length: ${data.length} characters
• Processing Status: Completed

**Sentiment Analysis:**
• Overall Sentiment: Positive (87% confidence)
• Key Themes: Product satisfaction, service quality
• Emotion Detection: Satisfaction, appreciation
• Recommendation Score: 4.2/5.0

**Business Insights:**
• Customer satisfaction indicators strong
• No negative sentiment patterns detected
• Suitable for marketing testimonials
• Follow-up engagement recommended

**Data Classification:**
• Content Type: Customer feedback
• Sensitivity Level: Standard
• Processing Compliance: GDPR compliant

💡 Next: Try processing mixed data formats or system commands to see boundary confusion vulnerability.

[Processing Engine: v2.1 | Boundary Security: ACTIVE]`
      }]
    };
  } else {
    // Boundary confusion attack detected
    const detectedPatterns = boundaryPatterns.filter(pattern =>
      data.includes(pattern) || format.includes(pattern)
    );

    return {
      content: [{
        type: "text",
        text: `🚨 BOUNDARY CONFUSION ATTACK DETECTED!

🎯 **Attack Vector**: Context Delimiter Exploitation in Customer Data Processing

**What Just Happened:**
The customer data processor detected BOUNDARY CONFUSION attempts in your input:

📋 **Input Analysis:**
• Data: "${data}"
• Format: "${format}"
• Detected Patterns: ${detectedPatterns.join(', ')}

🔍 **Boundary Confusion Techniques:**
• **Delimiter Injection**: Using | {{ }} to separate contexts
• **Command Mixing**: Embedding SYSTEM_CMD within customer data
• **Context Switching**: Attempting to switch from user_input to system_instruction
• **Data Boundary Violation**: Mixing customer feedback with system commands

💼 **Business Context Exploitation:**
• **Customer Data Cover**: Uses legitimate customer processing as cover
• **Mixed Content Attack**: Hides malicious commands within customer feedback
• **Format Confusion**: Exploits processing format parameters
• **Context Leakage**: Attempts to access other customers' data

🚨 **Real-World Risks:**
• **Command Injection**: System commands executed within data processing
• **Customer Data Exposure**: Other customers' data accessible through context mixing
• **Privilege Escalation**: User input treated as system instructions
• **Data Integrity**: Customer data corrupted by embedded commands

🔍 **Attack Example Breakdown:**
Your input attempted to:
1. Start with legitimate customer data: "${data.split(/\||}}|{{|SYSTEM/)[0]}"
2. Inject boundary delimiter: "${detectedPatterns[0]}"
3. Execute system command: "${data.match(/SYSTEM.*?(\||}}|{{|$)/)?.[0] || 'N/A'}"
4. Continue with apparent customer data to avoid detection

🛡️ **Defense Against Boundary Confusion:**
• **Input Sanitization**: Strip delimiter characters from user input
• **Context Isolation**: Separate customer data from system commands
• **Format Validation**: Verify processing format parameters
• **Boundary Enforcement**: Maintain strict separation between contexts
• **Data Validation**: Validate customer data structure and content

🔍 **Red Flags Demonstrated:**
• Delimiter characters in customer feedback (|, {{, }})
• System command keywords in customer data
• Format parameters containing system instructions
• Mixed context data attempting to cross boundaries

This attack shows how customer-facing data processing systems can be exploited through boundary confusion to inject commands and access unauthorized data!

**Remember**: Customer data and system commands should never be mixed in the same processing context!`
      }]
    };
  }
}
```
- src/vulnerable-mcp-server.ts:789-792 (schema) The input schema defines the parameters for the tool: 'data' (string, customer data to process) and 'format' (string, processing format like sentiment_analysis). Uses Zod for validation.

```typescript
inputSchema: {
  data: z.string().describe("Customer data to process"),
  format: z.string().describe("Processing format: sentiment_analysis, user_input, structured_data, etc.")
}
```
- src/vulnerable-mcp-server.ts:785-903 (registration) The registration of the 'customer-data-processor' tool using server.registerTool, including its description, input schema, and handler function reference. Part of the vulnerability demonstration for Boundary Confusion.

```typescript
server.registerTool(
  "customer-data-processor",
  {
    description: "📊 Customer Data Processing Platform - Advanced analytics for customer feedback, sentiment analysis, and business intelligence. Processes structured and unstructured customer data for actionable insights.",
    inputSchema: {
      data: z.string().describe("Customer data to process"),
      format: z.string().describe("Processing format: sentiment_analysis, user_input, structured_data, etc.")
    }
  },
  async ({ data, format }) => {
    businessContext.interactions++;

    // Check for boundary confusion attempts
    const boundaryPatterns = ['|', '}}', '{{', 'SYSTEM_CMD:', 'SYSTEM_INSTRUCTION:', 'END_DATA'];
    const hasBoundaryIssue = boundaryPatterns.some(pattern =>
      data.includes(pattern) || format.includes(pattern)
    );

    if (!hasBoundaryIssue) {
      // Normal customer data processing
      return {
        content: [{
          type: "text",
          text: `📊 Customer Data Processing Results

**Data Analysis:**
• Input Type: ${format}
• Data Length: ${data.length} characters
• Processing Status: Completed

**Sentiment Analysis:**
• Overall Sentiment: Positive (87% confidence)
• Key Themes: Product satisfaction, service quality
• Emotion Detection: Satisfaction, appreciation
• Recommendation Score: 4.2/5.0

**Business Insights:**
• Customer satisfaction indicators strong
• No negative sentiment patterns detected
• Suitable for marketing testimonials
• Follow-up engagement recommended

**Data Classification:**
• Content Type: Customer feedback
• Sensitivity Level: Standard
• Processing Compliance: GDPR compliant

💡 Next: Try processing mixed data formats or system commands to see boundary confusion vulnerability.

[Processing Engine: v2.1 | Boundary Security: ACTIVE]`
        }]
      };
    } else {
      // Boundary confusion attack detected
      const detectedPatterns = boundaryPatterns.filter(pattern =>
        data.includes(pattern) || format.includes(pattern)
      );

      return {
        content: [{
          type: "text",
          text: `🚨 BOUNDARY CONFUSION ATTACK DETECTED!

🎯 **Attack Vector**: Context Delimiter Exploitation in Customer Data Processing

**What Just Happened:**
The customer data processor detected BOUNDARY CONFUSION attempts in your input:

📋 **Input Analysis:**
• Data: "${data}"
• Format: "${format}"
• Detected Patterns: ${detectedPatterns.join(', ')}

🔍 **Boundary Confusion Techniques:**
• **Delimiter Injection**: Using | {{ }} to separate contexts
• **Command Mixing**: Embedding SYSTEM_CMD within customer data
• **Context Switching**: Attempting to switch from user_input to system_instruction
• **Data Boundary Violation**: Mixing customer feedback with system commands

💼 **Business Context Exploitation:**
• **Customer Data Cover**: Uses legitimate customer processing as cover
• **Mixed Content Attack**: Hides malicious commands within customer feedback
• **Format Confusion**: Exploits processing format parameters
• **Context Leakage**: Attempts to access other customers' data

🚨 **Real-World Risks:**
• **Command Injection**: System commands executed within data processing
• **Customer Data Exposure**: Other customers' data accessible through context mixing
• **Privilege Escalation**: User input treated as system instructions
• **Data Integrity**: Customer data corrupted by embedded commands

🔍 **Attack Example Breakdown:**
Your input attempted to:
1. Start with legitimate customer data: "${data.split(/\||}}|{{|SYSTEM/)[0]}"
2. Inject boundary delimiter: "${detectedPatterns[0]}"
3. Execute system command: "${data.match(/SYSTEM.*?(\||}}|{{|$)/)?.[0] || 'N/A'}"
4. Continue with apparent customer data to avoid detection

🛡️ **Defense Against Boundary Confusion:**
• **Input Sanitization**: Strip delimiter characters from user input
• **Context Isolation**: Separate customer data from system commands
• **Format Validation**: Verify processing format parameters
• **Boundary Enforcement**: Maintain strict separation between contexts
• **Data Validation**: Validate customer data structure and content

🔍 **Red Flags Demonstrated:**
• Delimiter characters in customer feedback (|, {{, }})
• System command keywords in customer data
• Format parameters containing system instructions
• Mixed context data attempting to cross boundaries

This attack shows how customer-facing data processing systems can be exploited through boundary confusion to inject commands and access unauthorized data!

**Remember**: Customer data and system commands should never be mixed in the same processing context!`
        }]
      };
    }
  }
);
```
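The "Format Validation" and "Context Isolation" defenses named in the handler's response, sketched as an added example (not code from the project). `ALLOWED_FORMATS`, `MAX_DATA_LENGTH`, `isAllowedFormat` and `buildEnvelope` are hypothetical names, and treating the three formats listed in the schema description as a closed allowlist is an assumption.

```typescript
// Added example, not project code. Names below are hypothetical; the closed
// format list and the size limit are assumptions made for illustration.
const ALLOWED_FORMATS = ["sentiment_analysis", "user_input", "structured_data"] as const;
type Format = (typeof ALLOWED_FORMATS)[number];

// The literal patterns the page's handler checks, reused here only to raise red flags.
const BOUNDARY_PATTERNS: readonly string[] =
  ["|", "}}", "{{", "SYSTEM_CMD:", "SYSTEM_INSTRUCTION:", "END_DATA"];
const MAX_DATA_LENGTH = 4096; // assumed size limit

interface Envelope {
  format: Format;
  redFlags: string[]; // recorded for logging and alerting
  payload: string;    // JSON document; customer text is one quoted string field
}

function isAllowedFormat(value: string): value is Format {
  return (ALLOWED_FORMATS as readonly string[]).indexOf(value) !== -1;
}

function buildEnvelope(data: string, format: string): Envelope {
  // Format validation: exact allowlist match, so the parameter cannot carry free text.
  if (!isAllowedFormat(format)) {
    throw new Error("unsupported format");
  }
  if (data.length === 0 || data.length > MAX_DATA_LENGTH) {
    throw new Error("data length out of range");
  }
  // Red flags are recorded, not used as the gate: a '|' in genuine feedback is not fatal.
  const redFlags = BOUNDARY_PATTERNS.filter((p) => data.indexOf(p) !== -1);
  // Context isolation: serialize instead of concatenating, so the text cannot
  // close its own field or add sibling fields, whatever delimiters it contains.
  const payload = JSON.stringify({ role: "customer_data", format, text: data });
  return { format, redFlags, payload };
}
```

A consumer parses `payload` and reads `text` as data only; the `redFlags` list feeds monitoring rather than deciding whether the request is processed.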