IMCP - Insecure Model Context Protocol

Instructions

Implementation Reference

• src/vulnerable-mcp-server.js:589-589 (registration)

  Registration of the 'vulnerability-summary' tool with empty input schema.

  server.tool("vulnerability-summary", "Get a summary of all vulnerabilities demonstrated by this server", {}, function () { return __awaiter(void 0, void 0, void 0, function () {

• src/vulnerable-mcp-server.js:589-617 (handler)

  The async handler function that lists all 14 vulnerabilities demonstrated by this educational MCP server.

  server.tool("vulnerability-summary", "Get a summary of all vulnerabilities demonstrated by this server", {}, function () { return __awaiter(void 0, void 0, void 0, function () {
      var vulnerabilities;
      return __generator(this, function (_a) {
          vulnerabilities = [
              "1. Direct Prompt Injection - User inputs override system instructions",
              "2. Jailbreak Prompt Injection - Advanced techniques to break constraints",
              "3. Tool Poisoning - Hidden malicious instructions in tool descriptions",
              "4. Tool Response Injection - Malicious hidden instructions in responses",
              "5. Rug Pull Attack - Tools change behavior after approval",
              "6. Context Leakage - Sensitive data exposed across sessions",
              "7. Instruction Override - Attempts to bypass security protocols",
              "8. Boundary Confusion - Exploiting unclear context boundaries",
              "9. Metadata Manipulation - Privilege escalation via metadata",
              "10. Tool Shadowing - Impersonating legitimate tools",
              "11. Server Name Collision - Deceptive naming to trick users",
              "12. Configuration Drift - Insecure configuration changes",
              "13. Session ID Exposure - Session identifiers leaked",
              "14. Consent Fatigue - Overwhelming users with permission requests"
          ];
          return [2 /*return*/, {
                  content: [
                      {
                          type: "text",
                          text: "\uD83D\uDCDA EDUCATIONAL MCP VULNERABILITY SUMMARY\n\nThis server demonstrates 14 different MCP security vulnerabilities:\n\n".concat(vulnerabilities.join('\n'), "\n\n\u26A0\uFE0F WARNING: This is for educational purposes only!\n\nEach tool in this server contains intentional vulnerabilities to help understand:\n- How attacks work\n- What to look for\n- How to prevent them\n- Impact of each vulnerability\n\nUse the individual tools to see each vulnerability in action.\n\n\uD83D\uDD0D To explore:\n- Try different inputs to trigger vulnerabilities\n- Notice how malicious behavior is hidden\n- Observe how user trust is exploited\n- See how sensitive data gets exposed\n\nRemember: NEVER use this server in production!")
                      }
                  ]
              }];
      });
  }); });