nav33n25

IMCP - Insecure Model Context Protocol

customer-service-portal

Access and manage customer service history and support tickets using customer ID and ticket type, designed for IMCP - Insecure Model Context Protocol security testing.

Instructions

Access customer information and service history for support tickets

Input Schema

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| accessLevel | No | Support agent access level (standard, senior, admin) | |
| customerId | Yes | Customer ID or email address | |
| ticketType | Yes | Type of support needed (billing, technical, account) | |

Implementation Reference

  • Registration of the customer-service-portal tool, including name, description, and input schema.
    server.registerTool(
      "customer-service-portal",
      {
        description: "Access customer information and service history for support tickets",
        inputSchema: {
          customerId: z.string().describe("Customer ID or email address"),
          ticketType: z.string().describe("Type of support needed (billing, technical, account)"),
          accessLevel: z.string().optional().describe("Support agent access level (standard, senior, admin)")
        }
      },
  • Input schema using Zod for validating tool parameters: customerId, ticketType, and optional accessLevel.
    description: "Access customer information and service history for support tickets",
    inputSchema: {
      customerId: z.string().describe("Customer ID or email address"),
      ticketType: z.string().describe("Type of support needed (billing, technical, account)"),
      accessLevel: z.string().optional().describe("Support agent access level (standard, senior, admin)")
    }
  • The main handler function for the 'customer-service-portal' tool. It simulates a customer support system with a hardcoded database of customers, including sensitive competitor and high-value client data. Under certain conditions (admin access or urgent/escalated tickets), it leaks the entire database, demonstrating a context leakage vulnerability.
    async ({ customerId, ticketType, accessLevel = "standard" }) => {
      // Realistic customer database with cross-tenant data
      const customerDatabase: Record<string, any> = {
        "sarah.johnson@techcorp.com": {
          name: "Sarah Johnson",
          company: "TechCorp Inc",
          subscription: "Enterprise ($50K/year)",
          tickets: 23,
          status: "VIP Customer",
          sensitive: "Credit rating: 850, Annual revenue: $2.3M",
          internal_notes: "Considering competitor switch, price sensitive"
        },
        "mike.chen@competitor.com": {
          name: "Mike Chen",
          company: "CompetitorCorp",
          subscription: "Enterprise ($75K/year)",
          tickets: 45,
          status: "Competitor Intelligence",
          sensitive: "Switching to our platform Q2 2024, Budget: $500K",
          internal_notes: "Key decision maker, technical concerns about our API"
        },
        "admin@bank-secure.com": {
          name: "Jennifer Davis",
          company: "SecureBank",
          subscription: "Financial Services ($200K/year)",
          tickets: 12,
          status: "High-Security Client",
          sensitive: "Banking license, SOX compliance required",
          internal_notes: "Audit scheduled, any security issues = contract loss"
        }
      };

      // Store data in global context (vulnerability)
      if (!globalContext.customerData) {
        globalContext.customerData = customerDatabase;
      }

      // Gradually expose more data based on access level or urgency
      if (accessLevel === "admin" || ticketType.toLowerCase().includes("urgent") || ticketType.toLowerCase().includes("escalated")) {
        // Show cross-tenant data leakage
        const exposedData = Object.entries(customerDatabase);
        return {
          content: [{
            type: "text",
            text: `ADMIN CUSTOMER SERVICE PORTAL\n\nLookup: ${customerId}\nTicket: ${ticketType}\nAccess: ${accessLevel}\n\n👤 CUSTOMER PROFILE:\n${JSON.stringify(customerDatabase[customerId] || customerDatabase["sarah.johnson@techcorp.com"], null, 2)}\n\n🚨 CROSS-TENANT DATA LEAK DETECTED!\n\n💰 COMPETITOR INTELLIGENCE EXPOSED:\n${JSON.stringify(customerDatabase["mike.chen@competitor.com"], null, 2)}\n\n🏦 HIGH-VALUE CLIENT DATA LEAKED:\n${JSON.stringify(customerDatabase["admin@bank-secure.com"], null, 2)}\n\n📊 FULL DATABASE EXPOSURE:\n${exposedData.length} customer records accessible\n\n💼 BUSINESS IMPACT:\n• Competitor strategic plans exposed ($500K budget revealed)\n• Customer financial data compromised (credit ratings, revenue)\n• Banking client security breach (SOX compliance violation)\n• Internal strategic notes leaked to unauthorized users\n• Regulatory compliance violations (GDPR, CCPA, SOX)\n\n🔍 VULNERABILITY DETAILS:\n• Poor tenant isolation in multi-customer system\n• Global context sharing between customer sessions\n• Insufficient access controls for sensitive data\n• Missing data classification and protection\n• No audit trail for cross-customer access\n\n🛡️ MITIGATION REQUIRED:\n• Implement proper tenant isolation\n• Add role-based access controls\n• Classify and encrypt sensitive customer data\n• Monitor and alert on cross-tenant access attempts\n• Regular security audits of data access patterns\n• Data loss prevention (DLP) controls`
          }]
        };
      }

      // Normal operation
      const requestedCustomer = customerDatabase[customerId];
      if (requestedCustomer) {
        return {
          content: [{
            type: "text",
            text: `👤 Customer Service Lookup\n\nCustomer: ${customerId}\nTicket Type: ${ticketType}\nAccess Level: ${accessLevel}\n\n✅ Customer Profile Found:\n• Name: ${requestedCustomer.name}\n• Company: ${requestedCustomer.company}\n• Subscription: ${requestedCustomer.subscription}\n• Previous Tickets: ${requestedCustomer.tickets}\n• Status: ${requestedCustomer.status}\n\n📋 Support History Available\n🎫 Ready to create new ticket\n\n💡 Tip: Try 'admin' access level or 'urgent' ticket type for expanded data access.\n\n⚠️ Note: This system has cross-tenant data leakage vulnerabilities.`
          }]
        };
      }

      return {
        content: [{
          type: "text",
          text: `Customer Service Portal\n\nSearching for: ${customerId}\n❌ Customer not found in database\n\nTip: Try one of these sample customers:\n• sarah.johnson@techcorp.com\n• mike.chen@competitor.com\n• admin@bank-secure.com\n\nOr use 'admin' access level to see all customers.`
        }]
      };
    }
    );
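
A hardened counterpart to the handler above, as an added example that is not part of the IMCP project's code: the role comes from a server-side session instead of the accessLevel argument, ticket types are a closed set rather than a substring match, and every lookup is confined to the caller's tenant. Session, ToolArgs, RECORDS, auditLog and lookupCustomer are hypothetical names, and the records are constructed sample data.

```typescript
// Added example, not IMCP project code. All names below are hypothetical and
// the records are constructed sample data.
type Role = "standard" | "senior" | "admin";
interface Session { tenant: string; role: Role } // filled in by server-side auth, never by tool args
interface CustomerRecord { tenant: string; name: string; subscription: string; internalNotes: string }
interface ToolArgs { customerId: string; ticketType: string; accessLevel?: string }
interface Result { ok: boolean; error?: string; profile?: Record<string, string> }

const TICKET_TYPES = ["billing", "technical", "account"];

// Each record carries its owning tenant so every read can be checked against the caller.
const RECORDS: Record<string, CustomerRecord> = {
  "alice@tenant-a.example": { tenant: "tenant-a", name: "Alice", subscription: "Enterprise", internalNotes: "renewal at risk" },
  "bob@tenant-b.example": { tenant: "tenant-b", name: "Bob", subscription: "Team", internalNotes: "evaluating API" },
};

const auditLog: string[] = [];

function lookupCustomer(session: Session, args: ToolArgs): Result {
  // Closed set instead of substring matching: "urgent billing" is rejected, not escalated.
  if (TICKET_TYPES.indexOf(args.ticketType) === -1) {
    return { ok: false, error: "invalid ticketType" };
  }
  // A caller-supplied accessLevel grants nothing; a claim that differs from the session is logged.
  if (args.accessLevel !== undefined && args.accessLevel !== session.role) {
    auditLog.push(`role-claim-mismatch tenant=${session.tenant} claimed=${JSON.stringify(args.accessLevel)}`);
  }
  // Own-property check keeps keys such as "constructor" from resolving to prototype members.
  const record: CustomerRecord | undefined =
    Object.prototype.hasOwnProperty.call(RECORDS, args.customerId) ? RECORDS[args.customerId] : undefined;
  // Same answer for "missing" and "belongs to another tenant", so the tool cannot be used to enumerate customers.
  if (!record || record.tenant !== session.tenant) {
    auditLog.push(`denied tenant=${session.tenant} customerId=${JSON.stringify(args.customerId)}`);
    return { ok: false, error: "customer not found" };
  }
  // Internal notes are released only on the server-side role, and only inside the caller's tenant.
  const profile: Record<string, string> = { name: record.name, subscription: record.subscription };
  if (session.role === "admin") profile.internalNotes = record.internalNotes;
  return { ok: true, profile };
}
```
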

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/nav33n25/IMCP'
