# MCP Security Probe Library

This section documents the **MCP Security Probe Library** built by Akto to probe Model Context Protocol (MCP) servers, tools, agents, and downstream integrations.

Each entry is a **concrete, executable security probe** that targets a specific MCP failure mode. Probes are organized by **MCP OWASP Top 10 category** and are executed using real MCP protocol flows (JSON-RPC, function calls, tool execution, session handling).

> **Note**\
> The lists below show representative probes for each category. The full library contains **4,000+ MCP and agentic security probes** and continues to expand.

### MCP01: Token Mismanagement & Secret Exposure

Probes in this category validate whether authentication tokens, session identifiers, and secrets are properly handled across MCP requests, tool calls, and downstream APIs.

#### Sample Probes in Akto Probe Library

* `MCP_TOKEN_PASSTHROUGH_API_KEY`
* `MCP_TOKEN_PASSTHROUGH_DOWNSTREAM`
* `MCP_TOKEN_PASSTHROUGH_OPAQUE_TOKEN`
* `AUTHENTICATION_TOKEN_REFLECTION_IN_RESPONSE_MCP`
* `AUTHENTICATION_TOKEN_REFLECTION_IN_HEADERS_MCP`
* `REPLACE_AUTH_TOKEN_MCP`
* `MCP_REMOVE_TOKENS`
* `AUTHENTICATION_WITH_WRONG_AUTH_SCHEME_MCP`
* `MCP_PREDICTABLE_SESSION_IDS`
* `MCP_SESSION_STATE_PERSISTENCE`
* `MCP_SESSION_NOT_BOUND_TO_USER`
* `MCP_SESSION_MUST_USE_PER_REQUEST_AUTH`
* `MCP_SESSION_HIJACKING_PROMPT_INJECTION`
* `MCP_SESSION_HIJACKING_FILTERED_ATTACK`

***

### MCP02: Privilege Escalation via Scope Creep

Validates whether MCP function calls and tools allow unauthorized privilege expansion through parameter manipulation, excessive invocation, or input validation bypass.

#### Sample Probes in Akto Probe Library

* `MCP_FUNCTION_CALL_PRIVILEGE_ESCALATION`
* `MCP_UNAUTHORIZED_TOOL_ACCESS`
* `MCP_FUNCTION_CALL_DIRECT_METHOD_MANIPULATION`
* `MCP_FUNCTION_CALL_EXCESSIVE_INVOCATION`
* `MCP_EXCESSIVE_RESOURCE_READS_RATE_LIMIT`
* `IMPROPER_PAGE_SIZE_HANDLING_MCP`
* `MCP_PARAM_OVERLOAD`
* `BYPASS_INPUT_LENGTH_VALIDATION_MCP`
* `BYPASS_INPUT_VALIDATION_WITH_NULL_VALUES_MCP`
* `INPUT_VALIDATION_BY_PASSING_UNSUPPORTED_MCP_METHOD`
* `INPUT_VALIDATION_BY_PASSING_UNSUPPORTED_JSONRPC_VERISON`
* `INPUT_VALIDATION_BY_REPLACING_PARAM_WITH_ARRAY_MCP`
* `INPUT_VALIDATION_FOR_BOOLEAN_MCP`
* `MCP_INVALID_REQUEST_REMOVED_PARAM`
* `MCP_INVALID_PARAMS`

***

### MCP03: Tool Poisoning

Probes whether tool outputs, metadata, or execution paths can be manipulated to influence agent behavior or bypass safety controls.

#### Sample Probes in Akto Probe Library

* `TOOL_POISONING_OUTPUT_INJECTION_MCP`
* `MCP_FUNCTION_CALL_OUTPUT_MANIPULATION`
* `MCP_FUNCTION_CALL_RESPONSE_MANIPULATION`
* `MCP_TPA_TOOL_METADATA_INJECTION`
* `MCP_TPA_OBFUSCATED_OUTPUT_PAYLOADS`
* `MCP_TPA_OVERRIDE_SAFETY_CHECKS`
* `MCP_ELICITATION_ABUSE_GENERAL`

***

### MCP04: Software Supply Chain Attacks & Dependency Tampering

Validates whether MCP implementations securely handle external resources, dependencies, SDK references, and content types.

#### Sample Probes in Akto Probe Library

* `MCP_RESOURCE_BINARY_URI_DESERIALIZATION_ATTACK`
* `HallucinatedSdkPackageSuggestion`
* `MCP_PATH_TRAVERSAL_RESOURCE_URI`
* `MCP_PATH_TRAVERSAL_PARAMETER_INJECTION`
* `MCP_INVALID_ORIGIN_HEADER_REBINDING`
* `MCP_INVALID_MIME_TYPE_INJECTION`

***

### MCP05: Command Injection & Execution

Probes whether MCP tools or resources can be abused to execute arbitrary commands or escape execution boundaries.

#### Sample Probes in Akto Probe Library

* `MCP_REMOTE_COMMAND_INJECTION_RCE`
* `MCP_COMMAND_INJECTION_PARAMETER_INJECTION`
* `COMMAND_INJECTION_BY_PASSING_EXTRA_VALUES_MCP`
* `MCP_TOOLS_CALL_CODE_INJECTION`
* `MCP_TOOLS_CALL_CODE_INJECTION_SANDBOX_ESCAPE`
* `MCP_TOOLS_CALL_SHELL_LIKE_COMMAND`
* `MCP_RESOURCES_READ_CODE_INJECTION`
* `MCP_INDIRECT_PROMPT_INJECTION_COMMAND_INJECTION_AGENT_TEST`
* `MCP_COMMAND_INJECTION_WITH_OPERATORS`
* `MCP_COMMAND_INJECTION_WITH_REDIRECTION_AND_VAR_MANIPULATION`
* `MCP_COMMAND_INJECTION_WITH_REDIRECTION_AND_VAR_MANIPULATION_CHAINED`
* `MCP_COMMAND_INJECTION_VARIABLE_ASSIGN`
* `MCP_COMMAND_INJECTION_VARIABLE_ASSIGN_CHAINED`
* `MCP_COMMAND_INJECTION_USER_AGENT_HEADER_CHAINED`
* `MCP_COMMAND_INJECTION_URL_PATH`
* `MCP_COMMAND_INJECTION_URL_PATH_CHAINED`
* `MCP_COMMAND_INJECTION_TIME_DELAY`
* `MCP_COMMAND_INJECTION_TIME_DELAY_CHAINED`
* `MCP_COMMAND_INJECTION_CURL_HTTP_REQUEST`
* `MCP_COMMAND_INJECTION_CURL_HTTP_REQUEST_CHAINED_COMMANDS`

***

### MCP06: Prompt Injection via Contextual Payloads

Validates whether prompts, tool parameters, resources, or metadata can be abused to override agent behavior or bypass safeguards.

#### Sample Probes in Akto Probe Library

* `MCP_DIRECT_PROMPT_INJECTION`
* `MCP_INDIRECT_PROMPT_INJECTION`
* `MCP_RESOURCE_PROMPT_INJECTION`
* `MCP_INDIRECT_PROMPT_INJECTION_TOOL_BYPASS`
* `MCP_INDIRECT_PROMPT_INJECTION_TOOL_BYPASS_AGENT_TEST`
* `MCP_INDIRECT_PROMPT_INJECTION_RESPONSE_BODY`
* `MCP_FUNCTION_CALL_PARAMETER_INJECTION`
* `MCP_FUNCTION_CALL_NESTED_PARAMETER_INJECTION`
* `MCP_PING_PARAMETER_INJECTION`
* `MCP_XSS_INJECTION_PARAMETER_INJECTION`
* `MCP_SQL_INJECTION_PARAMETER_INJECTION`
* `MCP_LDAP_INJECTION_PARAMETER_INJECTION`
* `MCP_PATH_TRAVERSAL_PARAMETER_INJECTION`
* `PromptInjectionMarkdownAbuseInjection`
* `MCP_FUNCTION_CALL_PARAMS_NAME_MANIPULATION`
* `MCP_FUNCTION_CALL_METADATA_INJECTION`
* `MCP_ANSI_CURSOR_MANIPULATION_DECEPTION`
* `MCP_ANSI_HYPERLINK_MANIPULATION_DECEPTION`
* `MCP_ANSI_INVISIBLE_TEXT_DECEPTION`
* `MCP_ANSI_SCREEN_CLEARING_DECEPTION`
* `MCP_CONSENT_FATIGUE_EXPLOITATION`

***

### MCP07: Insufficient Authentication & Authorization

Scans whether authentication and authorization are consistently enforced across MCP sessions, tools, and function calls.

#### Sample Probes in Akto Probe Library

* `MCP_SESSION_HIJACKING_PROMPT_INJECTION`
* `MCP_SESSION_HIJACKING_FILTERED_ATTACK`
* `MCP_SESSION_NOT_BOUND_TO_USER`
* `MCP_SESSION_MUST_USE_PER_REQUEST_AUTH`
* `MCP_SESSION_STATE_PERSISTENCE`
* `AUTHENTICATION_WITH_WRONG_AUTH_SCHEME_MCP`
* `MCP_REMOVE_TOKENS`
* `REPLACE_AUTH_TOKEN_MCP`
* `MCP_PREDICTABLE_SESSION_IDS`
* `MCP_UNAUTHORIZED_TOOL_ACCESS`
* `MCP_FUNCTION_CALL_PRIVILEGE_ESCALATION`
* `MCP_INVALID_REQUEST_REMOVED_PARAM`

***

### MCP08: Lack of Audit and Telemetry

Validates whether MCP implementations provide sufficient logging, error handling, and resilience against abuse and denial-of-service conditions.

#### Sample Probes in Akto Probe Library

* `MCP_MISSING_LOG_FOR_SECURITY_ERRORS`
* `MCP_REFLECTIVE_INVALID_TOOL_CALLS`
* `MCP_METHOD_NOT_FOUND`
* `MCP_TIMEOUT_NOT_HANDLED_PROPERLY`
* `MCP_INTERNAL_ERROR_EXPOSURE`
* `MCP_UNHANDLED_ERROR_DISCLOSURE_MALFORMED_JSONRPC`
* `MCP_PING_MISSING_RESPONSE`
* `MCP_PING_INVALID_JSONRPC`
* `MCP_PING_SLOW_RESPONSE`
* `MCP_PING_TIMING_INFORMATION_LEAK`
* `MCP_PING_NO_RATE_LIMITING`
* `MCP_PING_FLOODING_DOS`
* `MCP_PING_AMPLIFICATION_ATTACK`
* `DOS_TEST_URL_MCP`
* `DATE_FIELD_DOS_MCP`
* `JSON_BODY_PARAM_BOMBING_DOS_MCP`
* `DOS_TEST_LARGE_NUMBERS_MCP`
* `DOS_FILE_URL_CSV_MCP`
* `DOS_HEADER_KEY_MCP`
* `DOS_HEADER_VALUE_MCP`

***

### MCP09: Shadow MCP Servers

Probes whether internal MCP infrastructure, models, tools, or configuration details can be discovered or fingerprinted by an attacker.

#### Sample Probes in Akto Probe Library

* `MCP_TOOLS_LIST_EXTRACTION_VIA_PARAMETERS`
* `MCP_INTERNAL_SYSTEM_DETAILS_EXTRACTION`
* `MCP_MODEL_NAME_EXTRACTION_VIA_PARAMETERS`
* `MCP_CONFIGURATION_INFORMATION_EXTRACTION`
* `MCP_ENVIRONMENT_VARIABLES_EXTRACTION`
* `MCP_DEBUG_INFORMATION_EXTRACTION`
* `MCP_MODEL_ARCHITECTURE_PROBE`
* `MCP_MODEL_BACKEND_FINGERPRINTING`
* `MCP_MODEL_CAPABILITY_INFERENCE`
* `MCP_MODEL_PARAM_INFERENCE`
* `MCP_MODEL_ASSET_EXFILTRATION_BY_PROMPT`
* `MCP_SCAN_DEV_INFRA_BY_PROMPT`
* `MCP_BROWSER_DRIVER_VERSION_DISCLOSURE_LT`
* `MCP_WEBDRIVER_SESSIONID_EXPOSURE_LT`
* `FILE_SYSTEM_PATH_DISCLOSURE`

***

### MCP10: Context Injection & Over-Sharing

Validates whether MCP systems correctly isolate context, memory, and data across sessions, agents, and tools.

#### Sample Probes in Akto Probe Library

* `MCP_CONTEXT_BLEED`
* `MCP_SHARED_MEMORY_CONTEXT_LEAKAGE`
* `MCP_GLOBAL_MEMORY_BUFFER_LEAKAGE`
* `MCP_CROSS_SESSION_CONTEXT_BLEEDING`
* `MCP_VECTOR_STORE_CONTEXT_BLEEDING`
* `MCP_CONVERSATION_HISTORY_THEFT`
* `MCP_CONVERSATION_HISTORY_EXTRACTION_VIA_PARAMETERS`
* `MCP_TOOL_CALL_HISTORY_EXTRACTION_VIA_PARAMETERS`
* `MCP_CHAIN_OF_THOUGHT_EXTRACTION_VIA_PARAMETERS`
* `MCP_SYSTEM_PROMPT_EXTRACTION`
* `MCP_SYSTEM_PROMPT_EXTRACTION_VIA_PARAMETERS`
* `MCP_RESPONSE_DATA_LEAK_CHECK`
* `MEMORY_LEAK_OR_OBJECT_DUMP_MCP`
* `MCP_DATA_RETENTION_AND_SOURCE_DISCLOSURE`
* `MCP_DATA_EXFILTRATION_REFLECTION_ATTACK`
* `MCP_SHELL_CONFIGURATION_OVERRIDE_ATTACK`

