June 02, 25
Slide overview
MCP Security Threats and Key Points
Azara / @a_zara_n / Norihide Saito
BSides Tokyo 2025 Night Session (LT)
Name / Affiliation: Norihide Saito / Azara
Talks and community:
- Domestic: JPCERT/CC JSAC 2024 speaker, BS award
- International: BSides Las Vegas 2024 speaker
- Domestic: BSides Tokyo 2024 speaker
- International: AWS Community Builder - Security
- Domestic: SECCON 2022 Domestic
- Domestic: Activities in ISOG-J Working Group 1
- Other: Cloud Security expert of GMO internet group
That's scary
I don't want to use it
Risk Management Dep: "Let's ban everything!"
Wait! Wait! Wait!
There's no need to be so scared of MCP!
Learn about MCP in this session
1. About “MCP”
2. What are the attack vectors for MCP?
1. About “MCP”: the MCP specification, how it is used, and how to think about it
About “MCP”: a standardized protocol, proposed to provide context to LLM applications, offering a unified specification for function calling and resource retrieval.
Note on Function Calling: Function Calling is a design pattern where an LLM application directly invokes specific functions or APIs to perform operations and retrieve results. (Diagram: Local, Function, Model.)
About “MCP”: MCP Terminology Overview
- Host: the LLM application (e.g. Claude Desktop).
- Client: an interface that communicates with a server.
- Server: an interface that provides specific functions or services.
- Model: Claude and similar LLMs are AI models for text generation and automation.
Capabilities of MCP
Overview diagram of MCP specification components: LLM (Model), Host, Client, Server, external resource, and local resource, with the MCP spec sitting between client and server. Local resource access covers viewing local files, executing commands, and operating software.
Current State of MCP https://blog.cloudflare.com/remote-model-context-protocol-servers-mcp/
2. What are the attack vectors for MCP? Attack paths involving MCP!
Why did I organize and analyze these attack vectors? I am a penetration tester specializing in cloud security and application security. Recently, I became interested in the concept of MCP (Model Context Protocol) for several reasons. One reason is that MCP essentially acts as the “hands and feet” of generative AI, enabling it to perform various operations. This includes potentially dangerous actions such as executing commands on the host machine or accessing local files, actions that could pose significant security threats. Another reason is MCP’s ability to interact with cloud resources. For example, it can operate or view AWS resources, read Slack messages, and perform similar tasks, expanding its impact beyond local environments into the cloud and SaaS ecosystems.
Example attack targets → MCP Client & Host, MCP Server, Host machine. (Attack flow diagram, sample: User, LLM (Model), Host, Client, Server, Host machine, Attacker.)
Summary of These Attack Techniques
The attack methods discussed are mostly existing techniques applied to MCP servers. Key examples include:
- Browser-based attacks (e.g., XSS, DNS rebinding)
- Network-based attacks (e.g., CORS misconfiguration, IP spoofing)
- Data poisoning (malicious data injected into databases)
- Server compromise (exploiting vulnerabilities)
These are not new attacks, but adapting them to MCP introduces new risks as its usage grows.
Attack Vector - Malicious MCP Server (attack flow diagram, steps 1-8: Attacker, malicious server, Host machine, Client, Host, Model, User)
Attack Vector - Malicious MCP Server
In a broader sense, supply chain attack techniques can be applied to trick users into running a malicious MCP server. For example, methods such as:
- Rug pulls: intentionally releasing a malicious MCP server to deceive users.
- Typosquatting: creating MCP server instances with names similar to legitimate ones to trick users into connecting to the wrong server.
- Installer spoofing: distributing installers that appear legitimate but actually configure or connect to malicious MCP servers.
Additionally, security issues such as name collisions can occur depending on the client’s implementation after installation.
Attack Vector - Malicious MCP Server
It is generally impossible to address these issues through the MCP client’s implementation, with a few exceptions. For example, name collisions can be mitigated on the client side by combining server names with tool names (assuming server names are unique!). Countermeasures against malicious MCP servers, such as rug pulls, require a multi-layered defense beyond just the client side:
- Isolation of the execution environment
- Managing trusted MCP servers in a private repository
- Pinning to verified versions to prevent rug pulls
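The client-side name-collision mitigation mentioned above, as an added example that is not code from the talk or from any MCP client: a hypothetical `ToolRegistry` that qualifies every tool name with its server name and rejects a second server registered under an existing name, so the "server names are unique" assumption is enforced rather than hoped for.

```javascript
// Added example (not from the talk): a client-side tool registry that
// qualifies each tool as "server/tool" so two servers exposing the same
// tool name (e.g. "read_file") cannot collide, and that rejects duplicate
// server names instead of silently overwriting the earlier server.
class ToolRegistry {
  constructor() {
    this.servers = new Set(); // registered server names
    this.tools = new Map();   // "server/tool" -> handler
  }

  // Register one server together with all of its tools.
  registerServer(serverName, tools) {
    if (this.servers.has(serverName)) {
      throw new Error(`server name already registered: ${serverName}`);
    }
    if (serverName.includes("/")) {
      throw new Error(`server name must not contain "/": ${serverName}`);
    }
    for (const [toolName, handler] of Object.entries(tools)) {
      this.tools.set(`${serverName}/${toolName}`, handler);
    }
    this.servers.add(serverName);
  }

  // Callers always address a tool by its qualified name.
  call(qualifiedName, args) {
    const handler = this.tools.get(qualifiedName);
    if (!handler) throw new Error(`unknown tool: ${qualifiedName}`);
    return handler(args);
  }

  listTools() {
    return [...this.tools.keys()].sort();
  }
}

// Constructed sample: two servers both expose a "read_file" tool.
function buildSampleRegistry() {
  const registry = new ToolRegistry();
  registry.registerServer("filesystem", {
    read_file: ({ path }) => `local:${path}`,
  });
  registry.registerServer("git", {
    read_file: ({ path }) => `git:${path}`,
    status: () => "clean",
  });
  return registry;
}
```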
Attack Vector - External resource poisoning (attack flow diagram, steps 1-8: Malicious Resource, Server, Host machine, Client, Host, LLM (Model), User)
Attack Vector - External resource poisoning
An MCP server can interact with both local resources and external resources. Among these, external resources may be outside the control of users or their organizations. This attack vector assumes the risk of an attacker compromising such external servers. So, when applying this attack vector to real-world scenarios, what specific attack techniques could be considered? Typical attack techniques in this vector include:
- Server compromise
- Data poisoning
- DNS poisoning attacks
- Exploiting vulnerabilities in the MCP server to redirect communication to attacker-controlled servers
Attack Vector - External resource poisoning
So, when applying this attack vector to real-world scenarios, what specific attack techniques could be considered? As with malicious MCP servers, it is difficult to fully prevent these attack techniques through MCP specifications or implementation alone. Possible countermeasures include:
- Server compromise: beyond hardening the server itself, there are no additional measures to prevent this risk.
- Data poisoning: validate input data at the point of entry into data sources accessed by the MCP server.
- DNS poisoning attacks: when connecting to external resource servers, ensure mutual trust in communication by using pre-exchanged certificates for mTLS or implementing digital signatures.
- Exploiting vulnerabilities in the MCP server to redirect communication: follow secure coding practices similar to regular web server development, referring to standards like OWASP Top 10 or ASVS.
Attack Vector - User Input (attack flow diagram, steps 1-7: User, Host, Model, Client, Server, Host machine, Attacker)
Attack Vector - Local - User Input
This attack vector involves a scenario where a user on the host machine interacts with the MCP host and, as a result, unintentionally triggers the execution of unauthorized MCP servers or tools. What methods might an attacker use to manipulate user input? For example:
- Compromising the host machine: gaining access to the user’s device to intercept or alter input data.
- Embedding invisible characters in PDFs or images: inserting non-visible characters into documents or media files to inject malicious input when processed.
Attack Vector - Local - User Input: references
- https://arxiv.org/abs/2412.08098
- https://arstechnica.com/security/2024/10/ai-chatbots-can-read-and-write-invisible-text-creating-an-idealcovert-channel/
- https://github.com/satoki/AVTOKYO2023
Attack Vector - Local - User Input
Frankly speaking, it is extremely difficult to completely prevent prompt injection. Therefore, as a defensive measure for MCP servers, it is advisable to require human involvement by not allowing tools to be executed automatically. Example of an AI agent: Cursor (Editor).
Attack Vector - Browser (attack flow diagram, steps 1-5: Attacker, User, Attacker Server, Host, Model, Client, MCP Server)
Attack Vector - Network → Browser
Streamable HTTP MCP servers communicate with clients using HTTP(S) connections. As of May 2025, this is the latest specification, enabling stateless server operation compared to the older SSE-based MCP servers. Because this format uses HTTP(S) for connections, MCP servers can be operated in a stateless manner, similar to typical web applications. Unlike the traditional Stdio-based MCP servers, Streamable HTTP servers can be accessed from a wider range of environments, which increases security concerns. For example, while not a primary use case at the moment, the fact that HTTP connections are possible means that tools like browsers and curl can technically send requests to MCP servers.
Attack Vector - Network → Browser
In practice, Streamable HTTP MCP servers are often run in local environments. Even when operated remotely, they are usually restricted to specific trusted networks. Thus, attackers must consider how to gain access to these MCP servers. One potential attack vector is through the browser.
Attack Vector - Network → Browser
Currently, many MCP server implementations allow tools and resources to be executed without authentication when accessed from trusted zones (e.g., local machines or internal networks). As a result, if a user visits a malicious web page through their browser, attackers may exploit this to access the MCP server. Specific attack techniques include:
- DNS Rebinding attacks to bypass the Same-Origin Policy (SOP)
- Abusing misconfigured CORS (Cross-Origin Resource Sharing) settings
By leveraging these methods, attackers can manipulate the MCP server through JavaScript executed on malicious web pages.
Attack Vector - Network → Browser: DNS Rebinding Attack
A DNS rebinding attack is a technique where an attacker manipulates domain name resolution to bypass the browser’s Same-Origin Policy (SOP) and access resources within the victim’s private network from a malicious website.
Attack flow (simplified):
1. The attacker sets up https://evil.flatt.test, pointing to their malicious server with a very short DNS TTL.
2. The victim visits the site and loads a malicious page with JavaScript sending requests to evil.flatt.test.
3. The attacker then changes the DNS record to point to a private network address (e.g., 127.0.0.1).
4. The victim’s browser continues sending requests, now reaching internal resources, as the domain matches and SOP is bypassed.
This allows the attacker to access services like an MCP server on localhost, executing commands or reading files.
Attack Vector - Network → Browser: DNS Rebinding Attack Mitigation
To defend against such attacks, it is recommended that MCP servers validate the Origin header of incoming requests. Effective countermeasures include:
- Verifying the Origin header to only allow requests from trusted sources
- Rejecting requests from unauthorized origins
- Additionally checking the Host and Referer headers if needed
These measures can effectively prevent DNS rebinding attacks.
Attack Vector - Network → Browser: CORS Misconfiguration Risks in MCP Servers
Currently, MCP is mainly used in applications integrating generative AI (such as backend services or desktop applications). In these use cases, configuring CORS is generally unnecessary. However, incorrect CORS settings can expose MCP servers to cross-origin XSS attacks.
Attack Vector - Network → Browser: CORS Misconfiguration Risks in MCP Servers
For instance, MCP servers developed with TypeScript or JavaScript often use frameworks like Express or Fastify. If the Access-Control-Allow-Origin header is misconfigured, it can unintentionally allow cross-origin access to MCP servers running on localhost. A typical mistake is setting Access-Control-Allow-Origin: *. In the event of an XSS vulnerability in the browser, this misconfiguration could enable malicious websites to access MCP servers hosted on localhost.
Attack Vector - Network → Browser: CORS Misconfiguration Risks in MCP Servers
Recommended countermeasures:
- If CORS is required, explicitly specify trusted origins in the Access-Control-Allow-Origin header. Example: Access-Control-Allow-Origin: https://example.com
- Wildcards (*) should never be used.
- For most current MCP use cases, CORS settings are not needed. Avoid enabling CORS unless absolutely necessary.
It is essential to ensure one of these approaches is followed to mitigate the risk of unintended exposure.
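The DNS rebinding mitigation (Origin and Host validation) and the CORS countermeasure (an explicit origin allow-list, never `*`) from the slides above, combined into one admission check for a Streamable HTTP MCP server listening on localhost. This is an added example, not code from the talk or from any MCP SDK; the port 3000 and the allow-listed origin are assumptions, and `evil.flatt.test` is the talk's own example domain.

```javascript
// Added example (not from the talk or any MCP SDK): request admission
// for a Streamable HTTP MCP server on localhost that applies both slide
// mitigations: (1) DNS rebinding: validate Host and, when present,
// Origin; (2) CORS: only ever reflect an allow-listed origin, never "*".
// The allow-lists are assumptions chosen for this example.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000", // a local web UI that legitimately calls the server
]);
const ALLOWED_HOSTS = new Set(["localhost:3000", "127.0.0.1:3000"]);

// `headers` is a plain object keyed by lowercase header name, as Node's
// http module provides. Returns the verdict plus any CORS headers to emit.
function admitRequest(headers) {
  const host = headers["host"];
  const origin = headers["origin"];

  // After a rebind the browser still sends Host: evil.flatt.test, not
  // localhost, so a strict Host check stops rebinding even on requests
  // that browsers send without an Origin header.
  if (!host || !ALLOWED_HOSTS.has(host)) {
    return { allow: false, status: 421, reason: "unexpected Host", cors: {} };
  }
  // Non-browser clients (stdio bridges, the user's own curl) send no Origin.
  if (origin === undefined) {
    return { allow: true, status: 200, reason: "no Origin", cors: {} };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, status: 403, reason: "untrusted Origin", cors: {} };
  }
  // Trusted browser origin: reflect exactly that origin, never "*".
  return {
    allow: true, status: 200, reason: "trusted Origin",
    cors: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
  };
}

// Minimal Node http handler using the check (no framework dependency).
// Attach with: require("node:http").createServer(mcpHandler).listen(3000)
function mcpHandler(req, res) {
  const verdict = admitRequest(req.headers);
  res.writeHead(verdict.status, verdict.cors);
  res.end(verdict.allow ? "" : verdict.reason);
}
```

The same check can be dropped into an Express or Fastify hook before the MCP endpoint; the point is that the decision is made from the allow-lists, not from whatever Origin the request carries.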
Attack Vector - Direct Access Remote Server (attack flow diagram, steps 1-2: Attacker, Server, Host machine, Client, Host, LLM (Model))
Attack Vector - Direct Access Remote Server
Upcoming: it is likely that MCP servers will gradually be deployed and made accessible remotely. https://blog.cloudflare.com/remote-model-context-protocol-servers-mcp/
Attack Vector - Direct Access Remote Server (diagram: direct access only)
Summary
- MCP (Model Context Protocol) is a newly proposed standard for integrating external tools and resources with LLM applications.
- Its primary focus is to standardize function calling, resource access, and tool execution in AI-driven workflows.
- Currently, MCP is in the early stages of adoption, mainly used in experimental AI applications and developer tools.
- Most attack vectors are extensions of existing web security threats (e.g., prompt injection, CORS misconfiguration).
- Security best practices are still evolving, with ongoing discussions about safe implementation patterns.
Acknowledgements This presentation is based on threats that were discussed, validated, and organized by myself and the corporate security engineer hamayanhamayan within GMO Flatt Security. I would also like to express my respect for the many researchers who conducted prior work in this area, and my sincere gratitude to my company, my manager for approving this research, and my colleagues who supported the coordination of my regular duties.
Thank you
SNS & Contact
- Email: [email protected]
- GitHub: a-zara-n
- X (Twitter): a_zara_n https://x.com/a_zara_n
Company I work for: https://flatt.tech/en/
https://flatt.tech/en/takumi
Takumi is AI Security Engineer. Takumi is an AI agent built to support human product engineers and security engineers. It identifies and fixes vulnerabilities, triages findings, and assists with secure design — all within your Slack workspace. Bring Takumi onboard and focus on what matters most.