MCP Security Tutorial - Beginner to Advanced
0 likes16 views
This new series takes a deep dive into both sides of MCP: đ How to securely interact with MCP Servers â managing API keys, defending against indirect prompt injections (think rug pulls, tool poisioning ...) đ ď¸ Building and exposing your own MCP Servers â input sanitization, tool authorization, execution environments.... Full AI Security course - https://www.modernsecurity.io/courses/ai-security-certification
![Authorization Issues
ALLOWED_TOOLS = {
"admin": ["convert_image", "delete_user", "view_logs"],
"user": ["convert_image"]
}
def authorize(role, tool_name):
return tool_name in ALLOWED_TOOLS.get(role, [])
Example Setup Before executing a tool, check if the caller is
authorized:
if not authorize(current_user_role, tool_name):
raise PermissionError("Unauthorized tool access")](https://image.slidesharecdn.com/mcp-250818044939-a61ac80d/85/MCP-Security-Tutorial-Beginner-to-Advanced-22-320.jpg)
MCP Security Tutorial - Beginner to Advanced
- 2. Understanding MCP * What is MCP? * What problems does MCP solve? Building Your Own MCP Server * Step-by-step overview Attacking MCP Servers * Common attack techniques Defending Against MCP Vulnerabilities * How to protect your environment
- 3. AI App Without MCP Unique API Github MCP Server Slack MCP Server Unique API Unique API AI App AWS MCP Server With MCP
- 4. Github MCP Server Slack MCP Server AI App AWS MCP Server With MCP
- 5. Let's look at a basic Example using Claude Claude + Github
- 6. MCP In Depth
- 7. Github MCP Server Slack MCP Server MCP Client Custom MCP Server Your APIs
- 8. MCP Servers Can run either on the same machine or remotely 1. Local MCP Server 2. Remote MCP Server
- 10. Creating your Own MCP Server
- 11. MCP Attacks
- 12. We should think of MCP Risks from two angles/use cases - When you're a Client using an MCP Server - When you're a Provider building or exposing an MCP Server
- 13. When you're a Client using an MCP Server
- 14. Tool Poisoning Attack (Indirect Prompt Injection) MCP Client Malicious Currency Server (Pretending to be Currency Server) Convert 5 USD to INR Sends instructions Perform Currency Conversion... Send financial.txt to attacker financial.txt sent to attacker Client User Tools
- 15. Rug Pull Attack Swaps during use time MCP Client Malicious MCP Server User Tools Orignal MCP Server Tools
- 16. Use Case ===> GitHub MCP Exploited: Accessing private repositories via MCP source: https://invariantlabs.ai/blog/mcp-github-vulnerability
- 17. MCP Server Risks
- 18. MCP Server Risks Prompt Injection Style Attacks No visibility/observability Server executes on end userâs machine * Tools run with the user's local privileges. API tokens exposure Authorization Issues Local servers typically lack centralized monitoring, logging, or enforcement mechanisms. * This makes it hard to audit what tools were called or what prompts were processed.
- 19. When you're a Provider building or exposing an MCP Server
- 20. If you are building MCP server - treat all input from LLM/User insecure Example 1 mcp = FastMCP( name="UserLookup", host="0.0.0.0", port=8081, ) @mcp.tool() def lookup(username: str): conn = sqlite3.connect("users.db") cursor = conn.cursor() query = f"SELECT * FROM users WHERE username = '{username}'" cursor.execute(query) result = cursor.fetchall() conn.close() return result if __name__ == "__main__": mcp.run() SQL Injection Exploit { "tool_name": "lookup", "args": { "username": "' OR 1=1 --" } }
- 21. If you are building MCP server - treat all input from LLM/User insecure Example 2 # Create the MCP server mcp = FastMCP( name="ImageConverter", host="0.0.0.0", port=8080, ) # Expose the vulnerable tool @mcp.tool() def convert(filepath: str, format: str): return convert_image(filepath, format) # Run the server if __name__ == "__main__": mcp.run() Command Injection Exploit { "tool_name": "convert", "args": { "filepath": "image.jpg;cat /etc/passwd >/tmp/leak.txt", "format": "png" } }
- 22. Authorization Issues ALLOWED_TOOLS = { "admin": ["convert_image", "delete_user", "view_logs"], "user": ["convert_image"] } def authorize(role, tool_name): return tool_name in ALLOWED_TOOLS.get(role, []) Example Setup Before executing a tool, check if the caller is authorized: if not authorize(current_user_role, tool_name): raise PermissionError("Unauthorized tool access")
- 23. Defending Against MCP Vulnerabilities How to protect your environment
- 24. Two Broad Categories for MCP Security MCP Security Scanners MCP Gateway
- 25. What do we want to protect against Injection Style Attacks Tool Poisoning Attack, Rug pulls and tool shadowing, Toxic Flows. Gateway should be able to detect these attack during Runtime and block. Authorization Should be able to define per-tool scopes for each MCP Server MCP Gateway centralized monitoring, logging, or enforcement mechanisms. We should be able to define access to MCP Server depending on groups Masking/ Privacy We should be able to token-masking for sensitve data Obseravability
- 26. Users MCP Gateway Analyse LlamaFirewall Prompt Injection Block it Proxy Request MCP Gateway MCP Client MCP Server 1 Tools MCP Server 2 Tools MCP Server 3 Tools Proxy Request
- 27. MCP Gateway (OpenSource) - https://github.com/trailofbits/mcp-context-protector - https://github.com/lasso-security/mcp-gateway