The Security Risks of MCP Servers

The backbone of modern AI systems is the Large Language Model (LLM). In isolation, however, LLMs have no utility beyond conversation. This changed with the introduction of the Model Context Protocol (MCP): MCP establishes a standard communication protocol for AI systems to connect with external systems. This has dramatically increased the capabilities of LLMs by allowing them to interface with virtually any software. With MCP servers, LLMs are no longer conversational chatbots confined to their training data, but full-fledged agents capable of acting autonomously on behalf of users. MCP has enabled AI agents, which now dominate the AI and software landscape.


Figure 1 - Diagram showing a typical architecture of a system using an MCP server.

MCP servers function as a bridge between LLMs and external systems. At a high level, an AI application is first pre-configured with the ability to use trusted MCP servers. Upon connecting, the MCP Server provides the application the list of Tools available for use, descriptions of the Tools, and instructions for how and when to use them. The application’s underlying LLM serves as the decision maker, deciding when it will benefit from an MCP tool call. When the LLM decides to use an MCP Tool, it outputs a Tool request for the MCP Client to send to the MCP Server. The MCP Server authenticates and authorizes the request, executes the Tool, interacting with external services as needed, and returns the final response to the MCP Client. Lastly, the LLM uses the Tool response to continue completing its task. 

For the finer details, the MCP specification can be found here: https://modelcontextprotocol.io/specification

Threats and Mitigations

The end-to-end MCP client-server dataflow presents a unique threat model. When threat modeling an AI system using an MCP Server, it is crucial to consider the non-deterministic nature of AI. Below we consider the threats and mitigations of a basic system with two components: an AI Application communicating with an MCP Server. 

AI Application
Threat / Mitigations

Indirect Prompt Injection
AI model inadvertently treats data returned by the MCP server as instructions which an attacker exploits to hijack the AI model

  • Prompt engineering: Ensure the system prompt instructs the model not to treat returned data as instructions
  • AI guardrails: Architect the system with safety layers that continuously monitor and verify the AI model’s inputs and outputs

Direct Prompt Injection
MCP server is compromised and an attacker causes it to respond with malicious instructions, hijacking the AI model

Unintended Tool Execution
AI model calls an MCP tool without the user’s intent or knowledge (e.g. a dangerous mutating tool)

  • Human-in-the-loop: Require human approval for dangerous tool calls
  • Tool allowlisting: Restrict the MCP tools that the LLM is allowed to call

Insecure MCP Response Handling
Malicious MCP response flows into unsafe sinks (e.g. command executions, filesystem writes, network calls, etc.)

  • Input validation: Restrict allowed inputs to only what is expected
  • Input sanitization: Escape and encode dangerous control characters like “&”

Context Window Poisoning
An MCP response poisons the AI agent’s memory or its other sources

  • HMAC signing: Sign each entry and verify the signature before use
  • Distrust MCP responses: Avoid storing data from MCP responses

MCP Server Spoofing
The application unknowingly communicates with an attacker-controlled MCP server

  • mTLS: Require Mutual TLS with short-lived certificates to authenticate the server
  • Network segmentation: Restrict allowed network communications to only trusted destinations
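The following is an added example, not code from the article or from any MCP SDK. It shows how an AI application can enforce three of the mitigations in the table above on the client side: tool allowlisting, human-in-the-loop approval for dangerous mutating tools, and HMAC signing of agent memory entries so that a poisoned or tampered entry is rejected before it re-enters the context window. The tool names, the approval policy and the key are constructed assumptions.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed policy (hypothetical tool names): which tools the LLM may call at all,
# and which of them are mutating and therefore need explicit human approval.
TOOL_ALLOWLIST = {"search_docs", "read_file", "delete_file"}
REQUIRES_APPROVAL = {"delete_file"}

# Constructed demo key; a real deployment loads this from a secret store.
MEMORY_KEY = b"constructed-demo-key"


def gate_tool_call(tool_name: str, approved_by_human: bool) -> bool:
    """Return True only if an LLM-requested tool call may be forwarded to the MCP server."""
    if tool_name not in TOOL_ALLOWLIST:
        return False  # tool allowlisting: unknown or blocked tools never reach the server
    if tool_name in REQUIRES_APPROVAL and not approved_by_human:
        return False  # human-in-the-loop: a mutating tool needs explicit user approval
    return True


def sign_memory_entry(entry: dict) -> dict:
    """Wrap a memory entry written by the trusted application path with an HMAC tag."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(MEMORY_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def load_memory_entry(signed: dict) -> Optional[dict]:
    """Verify the tag before the entry is allowed back into the context window."""
    expected = hmac.new(MEMORY_KEY, signed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("tag", "")):
        return None  # tampered or unsigned entry: drop it rather than feed it to the model
    return json.loads(signed["payload"])
```

Entries that arrive in memory without a valid tag (for example, written directly from an MCP response rather than through the signing path) are discarded on load.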
MCP Server
Threat / Mitigations

Confused Deputy
An attacker manipulates the MCP Server to perform actions using the server’s elevated privileges rather than their own limited privileges

  • Client authorization: Authorize each client individually and separately from the server’s identity
  • Continuous verification: Re-verify the client’s authorization for every request and at each step of the delegation chain

Excessive Capabilities
An MCP Tool accesses resources or performs operations on behalf of the user that the user by themselves lacks the permissions to do

  • Strict authorization: Execute code only within the user’s own authorization context
  • Tool authorization: Restrict the advertised tools list based on the user’s permission level

Improper Access Controls
An attacker gains access to sensitive data or operations due to insufficient access controls

  • Authenticate users: Verify user identity with access tokens like API keys
  • Authorize access: Verify all resource access through an ACL

Insecure Input Handling
Untrusted user input may flow into unsafe sinks and result in a variety of injection attacks (e.g. SQLi, IDOR, RCE, etc.)

  • Input validation: Restrict allowed inputs to only what is expected
  • Input sanitization: Escape and encode dangerous control characters like “&”

Insecure Configuration
A misconfigured server introduces a variety of vulnerabilities

  • Continuous scanning: Configure periodic scans on the code and server to identify known vulnerabilities
  • Principle of least privilege: Limit the service user’s OS privileges to the minimum needed to function
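As an added example (not the article’s or any MCP SDK’s code), the following sketches the server-side mitigations for the Excessive Capabilities, Improper Access Controls and Confused Deputy rows: the advertised tool list is filtered by the caller’s permissions, and every tool call re-authenticates the client’s token and re-authorizes it against the tool’s required permission instead of running under the server’s own privileges. The tool registry, permission names and token table are constructed placeholders standing in for a real identity provider and ACL.

```python
from typing import Optional

# Constructed tool registry: each hypothetical tool requires one permission.
TOOL_REGISTRY = {
    "list_tickets": "tickets:read",
    "close_ticket": "tickets:write",
    "export_customers": "customers:export",
}

# Constructed token -> principal table standing in for an identity provider lookup.
TOKENS = {
    "tok-analyst": {"user": "analyst", "perms": {"tickets:read"}},
    "tok-admin": {"user": "admin",
                  "perms": {"tickets:read", "tickets:write", "customers:export"}},
}


def authenticate(token: str) -> Optional[dict]:
    """Map the client's access token to a principal; None means the request is rejected."""
    return TOKENS.get(token)


def advertise_tools(principal: dict) -> list:
    """Tool authorization: only advertise tools the caller is already permitted to use."""
    return sorted(name for name, perm in TOOL_REGISTRY.items() if perm in principal["perms"])


def call_tool(token: str, tool_name: str) -> dict:
    """Re-check authentication and authorization on every call, not only at list time."""
    principal = authenticate(token)
    if principal is None:
        return {"error": "unauthenticated"}
    needed = TOOL_REGISTRY.get(tool_name)
    if needed is None:
        return {"error": "unknown tool"}
    if needed not in principal["perms"]:
        # Strict authorization: the server's own privileges are never lent to the caller
        return {"error": "forbidden", "tool": tool_name}
    # Real execution would run here within the principal's own authorization context;
    # the result below is a constructed placeholder.
    return {"ok": True, "tool": tool_name, "as_user": principal["user"]}
```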

Full Coverage and Customization
An API definition in a spec file is not a one-to-one mapping to an API request; it is a one-to-many relationship. An API can support a multitude of parameters, content types, authentication methods, and hosts in endless combinations. API Parser handles this:

  • Parameter Generation – all parameters are included in the request, whether they belong in the query, the headers, or the request body
  • Unique Serializers (content types) – API Parser creates multiple serializers for each API’s unique configurations and lets you choose which serializer to use. For example, with OpenAPI specs you can select which content type and example to use (if examples exist in the spec)
  • Customize Auth – Select which authentication method defined in the spec to use

Supported API Specs
Currently, several widely used API specs on the internet are supported: OpenAPI (formerly Swagger), AWS JSON (botocore), and MCP.
For more information, see: https://github.com/bvcyber/Burp-API-Parser?tab=readme-ov-file#-supported-formats 


Future Work
We designed API Parser with extensibility in mind and plan to continue iterating and expanding support. Development teams work with countless formats to manage their APIs, so it is important that we keep adding support for common formats, including new formats as they are adopted.
For example, the rapid adoption of AI has been accompanied by the creation of MCP, a new protocol that lets AIs discover and use external tools. API Parser provides the framework and extensibility to support new file formats like MCP, and as further API formats emerge, that same stable framework is what allows them to be integrated for API testing in Burp Suite.
 

Conclusion
API Parser has been an invaluable tool for our team, and we’re excited to release it externally. We hope by open-sourcing it we can help make API testing in Burp a better experience for everyone and open it to contributions to make it even better. If you’d like support applying this in your environment or want feedback on your API testing approach, feel free to get in touch.


More information

Discover how cyber experts like Philip Salire, Security Engineer and author of this article, can help secure your organization with AI Security Services. Fill out the form, and we’ll contact you within one business day.

Why choose Bureau Veritas Cybersecurity?

Bureau Veritas Cybersecurity is your competent partner for cybersecurity. We support companies in identifying risks, strengthening their defenses, and complying with cybersecurity standards and regulations. Our services cover people, processes, and technology, from awareness training and social engineering to security consulting, compliance, and penetration testing.

We operate in IT, OT, and IoT environments and support both digital systems and connected products. With more than 300 cybersecurity experts worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a world leader in testing, inspection, and certification.