MCP Security Probe Library

Akto's Probe Library for the OWASP MCP Top 10

This section documents the MCP Security Probe Library built by Akto to test Model Context Protocol (MCP) servers, tools, agents, and downstream integrations.

Each probe is a concrete, executable security test that targets a specific MCP failure mode. Probes are organized by OWASP MCP Top 10 category and are executed over real MCP protocol flows (JSON-RPC 2.0 messages, function calls, tool execution, resource reads, and session handling) rather than by static inspection.

Note: The lists below show representative probes for each category. The full library contains 4,000+ MCP and agentic security probes and continues to expand.

MCP01: Token Mismanagement & Secret Exposure

Tests in this category validate whether authentication tokens, session identifiers, and secrets are properly handled across MCP requests, tool calls, and downstream APIs.

Sample Probes in Akto Probe Library

  • MCP_TOKEN_PASSTHROUGH_API_KEY

  • MCP_TOKEN_PASSTHROUGH_DOWNSTREAM

  • MCP_TOKEN_PASSTHROUGH_OPAQUE_TOKEN

  • AUTHENTICATION_TOKEN_REFLECTION_IN_RESPONSE_MCP

  • AUTHENTICATION_TOKEN_REFLECTION_IN_HEADERS_MCP

  • REPLACE_AUTH_TOKEN_MCP

  • MCP_REMOVE_TOKENS

  • AUTHENTICATION_WITH_WRONG_AUTH_SCHEME_MCP

  • MCP_PREDICTABLE_SESSION_IDS

  • MCP_SESSION_STATE_PERSISTENCE

  • MCP_SESSION_NOT_BOUND_TO_USER

  • MCP_SESSION_MUST_USE_PER_REQUEST_AUTH

  • MCP_SESSION_HIJACKING_PROMPT_INJECTION

  • MCP_SESSION_HIJACKING_FILTERED_ATTACK


MCP02: Privilege Escalation via Scope Creep

Validates whether MCP function calls and tools allow unauthorized privilege expansion through parameter manipulation, excessive invocation, or input validation bypass.

Sample Probes in Akto Probe Library

  • MCP_FUNCTION_CALL_PRIVILEGE_ESCALATION

  • MCP_UNAUTHORIZED_TOOL_ACCESS

  • MCP_FUNCTION_CALL_DIRECT_METHOD_MANIPULATION

  • MCP_FUNCTION_CALL_EXCESSIVE_INVOCATION

  • MCP_EXCESSIVE_RESOURCE_READS_RATE_LIMIT

  • IMPROPER_PAGE_SIZE_HANDLING_MCP

  • MCP_PARAM_OVERLOAD

  • BYPASS_INPUT_LENGTH_VALIDATION_MCP

  • BYPASS_INPUT_VALIDATION_WITH_NULL_VALUES_MCP

  • INPUT_VALIDATION_BY_PASSING_UNSUPPORTED_MCP_METHOD

  • INPUT_VALIDATION_BY_PASSING_UNSUPPORTED_JSONRPC_VERISON

  • INPUT_VALIDATION_BY_REPLACING_PARAM_WITH_ARRAY_MCP

  • INPUT_VALIDATION_FOR_BOOLEAN_MCP

  • MCP_INVALID_REQUEST_REMOVED_PARAM

  • MCP_INVALID_PARAMS
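
As an added example (not Akto's code or the library's probe implementation), the input-validation probes above can be generated as mutations of one well-formed `tools/call` request, each paired with the JSON-RPC 2.0 error code a validating server should answer with instead of executing. The `get_invoice` tool, its two arguments, the `tools/execute` method name and both dispatchers are constructed for this demonstration; the mutation names mirror the probes listed but are not the library's identifiers.

```python
import copy
import re

INVALID_REQUEST, METHOD_NOT_FOUND, INVALID_PARAMS = -32600, -32601, -32602


def base_request():
    """Constructed, well-formed tools/call request used as the mutation baseline."""
    return {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
            "params": {"name": "get_invoice",
                       "arguments": {"invoice_id": "INV-1001", "include_pdf": False}}}


def _with(req, change):
    m = copy.deepcopy(req)
    change(m)
    return m


def mutations(req):
    """Yield (probe_name, mutated_request, expected_error_code) triples."""
    args = lambda m: m["params"]["arguments"]
    yield "UNSUPPORTED_JSONRPC_VERSION", _with(req, lambda m: m.update(jsonrpc="1.0")), INVALID_REQUEST
    yield "UNSUPPORTED_MCP_METHOD", _with(req, lambda m: m.update(method="tools/execute")), METHOD_NOT_FOUND
    yield "PARAM_REPLACED_WITH_ARRAY", _with(req, lambda m: args(m).update(invoice_id=["INV-1001", "INV-1002"])), INVALID_PARAMS
    yield "NULL_VALUE", _with(req, lambda m: args(m).update(invoice_id=None)), INVALID_PARAMS
    yield "BOOLEAN_AS_STRING", _with(req, lambda m: args(m).update(include_pdf="true")), INVALID_PARAMS
    yield "REMOVED_REQUIRED_PARAM", _with(req, lambda m: args(m).pop("invoice_id")), INVALID_PARAMS
    yield "INPUT_LENGTH_BYPASS", _with(req, lambda m: args(m).update(invoice_id="INV-" + "9" * 10_000)), INVALID_PARAMS
    yield "PARAM_OVERLOAD", _with(req, lambda m: args(m).update(role="admin")), INVALID_PARAMS


def lenient_server(req):
    """Constructed vulnerable dispatcher: trusts version, method and argument shapes."""
    args = req.get("params", {}).get("arguments", {})
    pdf = "with pdf" if args.get("include_pdf") else "no pdf"
    text = f"invoice {args.get('invoice_id')} {pdf}"
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "result": {"content": [{"type": "text", "text": text}]}}


INVOICE_RE = re.compile(r"INV-\d{1,10}")
# Per-argument type and format checks; the key set is also enforced exactly, which is
# what rejects both a removed required argument and an injected extra one.
TOOL_SCHEMA = {
    "invoice_id": lambda v: isinstance(v, str) and INVOICE_RE.fullmatch(v) is not None,
    "include_pdf": lambda v: isinstance(v, bool),
}


def strict_server(req):
    """Constructed hardened dispatcher: envelope, method and schema checks before dispatch."""
    def err(code, message):
        return {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": code, "message": message}}
    if req.get("jsonrpc") != "2.0":
        return err(INVALID_REQUEST, "Invalid Request")
    if req.get("method") != "tools/call":
        return err(METHOD_NOT_FOUND, "Method not found")
    args = req.get("params", {}).get("arguments")
    if not isinstance(args, dict) or set(args) != set(TOOL_SCHEMA):
        return err(INVALID_PARAMS, "Invalid params")
    if not all(check(args[k]) for k, check in TOOL_SCHEMA.items()):
        return err(INVALID_PARAMS, "Invalid params")
    return lenient_server(req)   # shape is now known-good; reuse the same business logic


def run_validation_probes(server):
    """Names of the mutations the server executed, or answered with the wrong error code."""
    failures = []
    for name, req, expected in mutations(base_request()):
        resp = server(req)
        if "result" in resp or resp.get("error", {}).get("code") != expected:
            failures.append(name)
    return failures
```

Checking the error code, not just the absence of a result, matters: a server that answers a `jsonrpc: "1.0"` envelope with `-32602` has parsed and partially processed a request it should have rejected at the envelope.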


MCP03: Tool Poisoning

Tests whether tool outputs, metadata, or execution paths can be manipulated to influence agent behavior or bypass safety controls.

Sample Probes in Akto Probe Library

  • TOOL_POISONING_OUTPUT_INJECTION_MCP

  • MCP_FUNCTION_CALL_OUTPUT_MANIPULATION

  • MCP_FUNCTION_CALL_RESPONSE_MANIPULATION

  • MCP_TPA_TOOL_METADATA_INJECTION

  • MCP_TPA_OBFUSCATED_OUTPUT_PAYLOADS

  • MCP_TPA_OVERRIDE_SAFETY_CHECKS

  • MCP_ELICITATION_ABUSE_GENERAL


MCP04: Software Supply Chain Attacks & Dependency Tampering

Validates whether MCP implementations securely handle external resources, dependencies, SDK references, and content types.

Sample Probes in Akto Probe Library

  • MCP_RESOURCE_BINARY_URI_DESERIALIZATION_ATTACK

  • HallucinatedSdkPackageSuggestion

  • MCP_PATH_TRAVERSAL_RESOURCE_URI

  • MCP_PATH_TRAVERSAL_PARAMETER_INJECTION

  • MCP_INVALID_ORIGIN_HEADER_REBINDING

  • MCP_INVALID_MIME_TYPE_INJECTION


MCP05: Command Injection & Execution

Tests whether MCP tools or resources can be abused to execute arbitrary commands or escape execution boundaries.

Sample Probes in Akto Probe Library

  • MCP_REMOTE_COMMAND_INJECTION_RCE

  • MCP_COMMAND_INJECTION_PARAMETER_INJECTION

  • COMMAND_INJECTION_BY_PASSING_EXTRA_VALUES_MCP

  • MCP_TOOLS_CALL_CODE_INJECTION

  • MCP_TOOLS_CALL_CODE_INJECTION_SANDBOX_ESCAPE

  • MCP_TOOLS_CALL_SHELL_LIKE_COMMAND

  • MCP_RESOURCES_READ_CODE_INJECTION

  • MCP_INDIRECT_PROMPT_INJECTION_COMMAND_INJECTION_AGENT_TEST

  • MCP_COMMAND_INJECTION_WITH_OPERATORS

  • MCP_COMMAND_INJECTION_WITH_REDIRECTION_AND_VAR_MANIPULATION

  • MCP_COMMAND_INJECTION_WITH_REDIRECTION_AND_VAR_MANIPULATION_CHAINED

  • MCP_COMMAND_INJECTION_VARIABLE_ASSIGN

  • MCP_COMMAND_INJECTION_VARIABLE_ASSIGN_CHAINED

  • MCP_COMMAND_INJECTION_USER_AGENT_HEADER_CHAINED

  • MCP_COMMAND_INJECTION_URL_PATH

  • MCP_COMMAND_INJECTION_URL_PATH_CHAINED

  • MCP_COMMAND_INJECTION_TIME_DELAY

  • MCP_COMMAND_INJECTION_TIME_DELAY_CHAINED

  • MCP_COMMAND_INJECTION_CURL_HTTP_REQUEST

  • MCP_COMMAND_INJECTION_CURL_HTTP_REQUEST_CHAINED_COMMANDS
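
An added example, not Akto's code, of how the operator and time-delay probes above distinguish real execution from mere reflection. Both tool handlers are constructed for this demonstration (a `lookup` tool that runs `echo` with the supplied host), the canary string is a fixed stand-in for the random per-run value a real probe would use, and the hardened handler's host allow-list regex is an assumption; the probe functions take any callable with the same shape, so they apply equally to a handler behind an HTTP transport.

```python
import re
import subprocess
import time

# Constructed canary; a real probe uses a fresh random value per run so it cannot
# collide with legitimate output.
MARKER = "AKTO_PROBE_7f3a"

OPERATOR_PAYLOADS = {
    "semicolon": f"example.com; echo {MARKER}",
    "and":       f"example.com && echo {MARKER}",
    "pipe":      f"example.com | echo {MARKER}",
    "subshell":  f"$(echo {MARKER})",
    "backtick":  f"`echo {MARKER}`",
}


def vulnerable_lookup(host):
    """Constructed vulnerable tool handler: interpolates the argument into a
    shell command line, so every shell operator in the payload is honoured."""
    out = subprocess.run(f"echo host={host}", shell=True, capture_output=True, text=True)
    return {"content": [{"type": "text", "text": out.stdout}]}


# Assumed allow-list for a hostname argument: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def hardened_lookup(host):
    """Constructed fix: validate the argument and pass it as one argv element,
    so no shell ever parses it."""
    if not isinstance(host, str) or not HOST_RE.fullmatch(host):
        return {"error": {"code": -32602, "message": "Invalid params: host"}}
    out = subprocess.run(["echo", f"host={host}"], capture_output=True, text=True)
    return {"content": [{"type": "text", "text": out.stdout}]}


def _texts(resp):
    """Concatenate the text a client would see: content blocks and any error message."""
    parts = [c.get("text", "") for c in resp.get("content", [])]
    if "error" in resp:
        parts.append(resp["error"].get("message", ""))
    return "\n".join(parts)


def marker_executed(resp, payload):
    """True only if the marker appears somewhere other than a verbatim echo of the
    payload: a tool that reflects its input unchanged is not injectable."""
    return MARKER in _texts(resp).replace(payload, "")


def probe_operators(tool):
    """Operator variants for which the tool executed the injected command."""
    return [name for name, payload in OPERATOR_PAYLOADS.items()
            if marker_executed(tool(payload), payload)]


def probe_time_delay(tool, seconds=1):
    """Blind variant: no output needed, only a delay the legitimate tool never introduces."""
    start = time.monotonic()
    tool(f"example.com; sleep {seconds}")
    return time.monotonic() - start >= seconds
```

Stripping the literal payload before looking for the canary is what keeps the operator probe from flagging a tool that simply returns its arguments; the time-delay variant is the fallback when the tool's output never reaches the client at all.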


MCP06: Prompt Injection via Contextual Payloads

Validates whether prompts, tool parameters, resources, or metadata can be abused to override agent behavior or bypass safeguards.

Sample Probes in Akto Probe Library

  • MCP_DIRECT_PROMPT_INJECTION

  • MCP_INDIRECT_PROMPT_INJECTION

  • MCP_RESOURCE_PROMPT_INJECTION

  • MCP_INDIRECT_PROMPT_INJECTION_TOOL_BYPASS

  • MCP_INDIRECT_PROMPT_INJECTION_TOOL_BYPASS_AGENT_TEST

  • MCP_INDIRECT_PROMPT_INJECTION_RESPONSE_BODY

  • MCP_FUNCTION_CALL_PARAMETER_INJECTION

  • MCP_FUNCTION_CALL_NESTED_PARAMETER_INJECTION

  • MCP_PING_PARAMETER_INJECTION

  • MCP_XSS_INJECTION_PARAMETER_INJECTION

  • MCP_SQL_INJECTION_PARAMETER_INJECTION

  • MCP_LDAP_INJECTION_PARAMETER_INJECTION

  • MCP_PATH_TRAVERSAL_PARAMETER_INJECTION

  • PromptInjectionMarkdownAbuseInjection

  • MCP_FUNCTION_CALL_PARAMS_NAME_MANIPULATION

  • MCP_FUNCTION_CALL_METADATA_INJECTION

  • MCP_ANSI_CURSOR_MANIPULATION_DECEPTION

  • MCP_ANSI_HYPERLINK_MANIPULATION_DECEPTION

  • MCP_ANSI_INVISIBLE_TEXT_DECEPTION

  • MCP_ANSI_SCREEN_CLEARING_DECEPTION

  • MCP_CONSENT_FATIGUE_EXPLOITATION


MCP07: Insufficient Authentication & Authorization

Tests whether authentication and authorization are consistently enforced across MCP sessions, tools, and function calls.

Sample Probes in Akto Probe Library

  • MCP_SESSION_HIJACKING_PROMPT_INJECTION

  • MCP_SESSION_HIJACKING_FILTERED_ATTACK

  • MCP_SESSION_NOT_BOUND_TO_USER

  • MCP_SESSION_MUST_USE_PER_REQUEST_AUTH

  • MCP_SESSION_STATE_PERSISTENCE

  • AUTHENTICATION_WITH_WRONG_AUTH_SCHEME_MCP

  • MCP_REMOVE_TOKENS

  • REPLACE_AUTH_TOKEN_MCP

  • MCP_PREDICTABLE_SESSION_IDS

  • MCP_UNAUTHORIZED_TOOL_ACCESS

  • MCP_FUNCTION_CALL_PRIVILEGE_ESCALATION

  • MCP_INVALID_REQUEST_REMOVED_PARAM


MCP08: Lack of Audit and Telemetry

Validates whether MCP implementations log security-relevant errors, handle malformed and failing requests without leaking internals, and remain available under abuse and denial-of-service conditions such as ping flooding and oversized payloads.

Sample Probes in Akto Probe Library

  • MCP_MISSING_LOG_FOR_SECURITY_ERRORS

  • MCP_REFLECTIVE_INVALID_TOOL_CALLS

  • MCP_METHOD_NOT_FOUND

  • MCP_TIMEOUT_NOT_HANDLED_PROPERLY

  • MCP_INTERNAL_ERROR_EXPOSURE

  • MCP_UNHANDLED_ERROR_DISCLOSURE_MALFORMED_JSONRPC

  • MCP_PING_MISSING_RESPONSE

  • MCP_PING_INVALID_JSONRPC

  • MCP_PING_SLOW_RESPONSE

  • MCP_PING_TIMING_INFORMATION_LEAK

  • MCP_PING_NO_RATE_LIMITING

  • MCP_PING_FLOODING_DOS

  • MCP_PING_AMPLIFICATION_ATTACK

  • DOS_TEST_URL_MCP

  • DATE_FIELD_DOS_MCP

  • JSON_BODY_PARAM_BOMBING_DOS_MCP

  • DOS_TEST_LARGE_NUMBERS_MCP

  • DOS_FILE_URL_CSV_MCP

  • DOS_HEADER_KEY_MCP

  • DOS_HEADER_VALUE_MCP
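
The following added example (not Akto's code or the library's implementation) shows the two error-handling probes side by side with what they look for: a malformed JSON-RPC body and a call to a tool that does not exist, checked both for internal-detail disclosure in the response and for the presence of a correlatable audit record. The `ping_host` tool, the two server implementations, the `security_event=` log line format and the `ref` correlation field are all constructed for this demonstration.

```python
import json
import logging
import re
import traceback
import uuid
from io import StringIO

TOOLS = {"ping_host": lambda args: f"pinged {args['host']}"}   # constructed tool table


def _dispatch(req):
    """Constructed business logic; raises KeyError on an unknown tool or missing key."""
    params = req["params"]
    return {"content": [{"type": "text", "text": TOOLS[params["name"]](params["arguments"])}]}


def leaky_server(raw):
    """Constructed vulnerable endpoint: every failure becomes a JSON-RPC error that
    carries the exception repr and full stack trace, and nothing is logged."""
    req = None
    try:
        req = json.loads(raw)
        return json.dumps({"jsonrpc": "2.0", "id": req.get("id"), "result": _dispatch(req)})
    except Exception as exc:
        rid = req.get("id") if isinstance(req, dict) else None
        return json.dumps({"jsonrpc": "2.0", "id": rid, "error": {
            "code": -32603, "message": repr(exc), "data": traceback.format_exc()}})


def make_hardened_server(logger):
    """Constructed fix: generic client-facing errors carrying only a correlation id;
    the detail goes to the server-side audit logger under that same id."""
    def error(rid, code, message, ref):
        return json.dumps({"jsonrpc": "2.0", "id": rid,
                           "error": {"code": code, "message": message, "data": {"ref": ref}}})

    def server(raw):
        rid, ref = None, uuid.uuid4().hex
        try:
            req = json.loads(raw)
            rid = req.get("id") if isinstance(req, dict) else None
            return json.dumps({"jsonrpc": "2.0", "id": rid, "result": _dispatch(req)})
        except json.JSONDecodeError as exc:
            logger.warning("security_event=malformed_jsonrpc ref=%s detail=%s", ref, exc)
            return error(None, -32700, "Parse error", ref)
        except KeyError as exc:
            logger.warning("security_event=invalid_tool_call ref=%s key=%s", ref, exc)
            return error(rid, -32602, "Invalid params", ref)
        except Exception:
            logger.error("security_event=internal_error ref=%s\n%s", ref, traceback.format_exc())
            return error(rid, -32603, "Internal error", ref)
    return server


DISCLOSURE_PATTERNS = [
    ("stack_trace", re.compile(r"Traceback \(most recent call last\)")),
    ("source_path", re.compile(r'File "[^"]+\.py", line \d+')),
    ("exception_repr", re.compile(r"\b[A-Z][A-Za-z]*(?:Error|Exception)\b")),
]


def _strings(obj):
    """Every string leaf of a decoded JSON value, so patterns see unescaped text."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        yield from (s for v in obj.values() for s in _strings(v))
    elif isinstance(obj, list):
        yield from (s for v in obj for s in _strings(v))


def disclosure_findings(response_text):
    blob = "\n".join(_strings(json.loads(response_text)))
    return [name for name, pat in DISCLOSURE_PATTERNS if pat.search(blob)]


# Constructed probe inputs: a truncated JSON-RPC body and a call to a nonexistent tool.
MALFORMED = '{"jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": '
UNKNOWN_TOOL = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                           "params": {"name": "nonexistent_tool", "arguments": {}}})


def probe_error_handling(server, log_stream):
    """What each error response discloses, and which security-relevant errors left no
    audit record that can be correlated with what the client received."""
    findings = {"disclosure": [], "unlogged": []}
    for label, raw in (("malformed_jsonrpc", MALFORMED), ("invalid_tool_call", UNKNOWN_TOOL)):
        log_stream.seek(0)
        log_stream.truncate()
        resp_text = server(raw)
        findings["disclosure"] += [f"{label}:{f}" for f in disclosure_findings(resp_text)]
        data = json.loads(resp_text).get("error", {}).get("data")
        ref = data.get("ref") if isinstance(data, dict) else None
        if not ref or ref not in log_stream.getvalue():
            findings["unlogged"].append(label)
    return findings


def capture_logger(name="mcp.audit"):
    """Logger bound to an in-memory stream so the probe can inspect the audit trail."""
    stream = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(stream))
    return logger, stream
```

The correlation id is the practical test for "sufficient logging": a client-visible error with no server-side record carrying the same id cannot be investigated later, whichever error code it returned.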


MCP09: Shadow MCP Servers

Tests whether internal MCP infrastructure, models, tools, or configuration details can be discovered or fingerprinted by an attacker.

Sample Probes in Akto Probe Library

  • MCP_TOOLS_LIST_EXTRACTION_VIA_PARAMETERS

  • MCP_INTERNAL_SYSTEM_DETAILS_EXTRACTION

  • MCP_MODEL_NAME_EXTRACTION_VIA_PARAMETERS

  • MCP_CONFIGURATION_INFORMATION_EXTRACTION

  • MCP_ENVIRONMENT_VARIABLES_EXTRACTION

  • MCP_DEBUG_INFORMATION_EXTRACTION

  • MCP_MODEL_ARCHITECTURE_PROBE

  • MCP_MODEL_BACKEND_FINGERPRINTING

  • MCP_MODEL_CAPABILITY_INFERENCE

  • MCP_MODEL_PARAM_INFERENCE

  • MCP_MODEL_ASSET_EXFILTRATION_BY_PROMPT

  • MCP_SCAN_DEV_INFRA_BY_PROMPT

  • MCP_BROWSER_DRIVER_VERSION_DISCLOSURE_LT

  • MCP_WEBDRIVER_SESSIONID_EXPOSURE_LT

  • FILE_SYSTEM_PATH_DISCLOSURE


MCP10: Context Injection & Over-Sharing

Validates whether MCP systems correctly isolate context, memory, and data across sessions, agents, and tools.

Sample Probes in Akto Probe Library

  • MCP_CONTEXT_BLEED

  • MCP_SHARED_MEMORY_CONTEXT_LEAKAGE

  • MCP_GLOBAL_MEMORY_BUFFER_LEAKAGE

  • MCP_CROSS_SESSION_CONTEXT_BLEEDING

  • MCP_VECTOR_STORE_CONTEXT_BLEEDING

  • MCP_CONVERSATION_HISTORY_THEFT

  • MCP_CONVERSATION_HISTORY_EXTRACTION_VIA_PARAMETERS

  • MCP_TOOL_CALL_HISTORY_EXTRACTION_VIA_PARAMETERS

  • MCP_CHAIN_OF_THOUGHT_EXTRACTION_VIA_PARAMETERS

  • MCP_SYSTEM_PROMPT_EXTRACTION

  • MCP_SYSTEM_PROMPT_EXTRACTION_VIA_PARAMETERS

  • MCP_RESPONSE_DATA_LEAK_CHECK

  • MEMORY_LEAK_OR_OBJECT_DUMP_MCP

  • MCP_DATA_RETENTION_AND_SOURCE_DISCLOSURE

  • MCP_DATA_EXFILTRATION_REFLECTION_ATTACK

  • MCP_SHELL_CONFIGURATION_OVERRIDE_ATTACK
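
An added example, not Akto's code or the library's own implementation, of the cross-session and shared-memory bleed checks above: a canary is planted through one session's write channel, and every read channel visible to a different session is enumerated for it. Both servers, the `remember`/`recall` tools and the `memory://recent` resource are constructed for this demonstration; a real probe would drive them over the MCP transport using two distinct `Mcp-Session-Id` values and credentials.

```python
import secrets


class SharedMemoryServer:
    """Constructed vulnerable server: one process-wide memory list and one
    'recent notes' resource, both shared by every session."""

    def __init__(self):
        self.memory = []

    def tools_call(self, session_id, name, arguments):
        if name == "remember":
            self.memory.append(arguments["note"])
            return "stored"
        if name == "recall":
            return "\n".join(self.memory)
        raise KeyError(name)

    def resources_read(self, session_id, uri):
        if uri == "memory://recent":
            return "\n".join(self.memory[-5:])
        raise KeyError(uri)


class IsolatedServer:
    """Constructed fix: memory keyed by the session, so every read channel only
    ever returns what the same session wrote."""

    def __init__(self):
        self.memory = {}

    def _bucket(self, session_id):
        return self.memory.setdefault(session_id, [])

    def tools_call(self, session_id, name, arguments):
        if name == "remember":
            self._bucket(session_id).append(arguments["note"])
            return "stored"
        if name == "recall":
            return "\n".join(self._bucket(session_id))
        raise KeyError(name)

    def resources_read(self, session_id, uri):
        if uri == "memory://recent":
            return "\n".join(self._bucket(session_id)[-5:])
        raise KeyError(uri)


def probe_cross_session_bleed(server, canary=None):
    """Plant a canary in session A, then report the read channels through which
    session B can observe it. An empty list means isolation held."""
    canary = canary or "CANARY-" + secrets.token_hex(8)
    server.tools_call("sess-A", "remember", {"note": f"customer account number {canary}"})
    channels = {
        "tools/call:recall": lambda: server.tools_call("sess-B", "recall", {}),
        "resources/read:memory://recent": lambda: server.resources_read("sess-B", "memory://recent"),
    }
    return [name for name, read in channels.items() if canary in read()]
```

Enumerating every read channel is the point: a server that isolates the `recall` tool but serves a global buffer through a resource URI still fails the probe.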
