mcp-breach-to-fix-labs
by PawelKozy
Overview
GitHub code review assistant demonstrating prompt injection vulnerability and its mitigation in an MCP server.
Installation
docker compose up github-public-issue-vulnerableEnvironment Variables
- CH09_OWNER
- LOG_LEVEL
- CHALLENGE_HOST
- CHALLENGE_PORT
Security Notes
The 'vulnerable' server component is intentionally designed to be highly insecure for demonstration purposes. It suffers from a critical prompt injection vulnerability where malicious instructions embedded in public GitHub issues are executed verbatim by the AI agent. This allows unauthorized tool calls to 'get_repo_webhooks' (exfiltrating sensitive webhook URLs and GitHub API tokens) and 'create_issue_comment' (posting these secrets back to a public issue). The 'secure' server component mitigates these risks through multi-layered defenses: (1) Role-Based Access Control (RBAC) with default-deny, (2) automatic permission demotion when untrusted public content is viewed, (3) sanitization of issue content to remove directives, and (4) output validation to prevent comments containing sensitive patterns. Due to the intentional vulnerabilities in the 'vulnerable' component, it is not safe for deployment outside of isolated lab environments.
Similar Servers
mcp-scanner
Scans Model Context Protocol (MCP) servers, tools, prompts, and resources for security vulnerabilities, employing static analysis, YARA rules, Cisco AI Defense API, and LLM-based behavioral analysis.
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers, detecting various vulnerabilities in their implementations.
mcp-server-fuzzer
Fuzzing and security testing of Model Context Protocol (MCP) servers across multiple transport protocols (HTTP, SSE, Stdio) to validate functionality, robustness, and protocol compliance.
pentesting-mcp-servers-checklist
Provides a comprehensive checklist for security practitioners to pentest Model Context Protocol (MCP) servers and AI agents.