Downloaded 22 times
![Authorization Issues
ALLOWED_TOOLS = {
"admin": ["convert_image", "delete_user", "view_logs"],
"user": ["convert_image"]
}
def authorize(role, tool_name):
return tool_name in ALLOWED_TOOLS.get(role, [])
Example Setup Before executing a tool, check if the caller is
authorized:
if not authorize(current_user_role, tool_name):
raise PermissionError("Unauthorized tool access")](https://cdn.statically.io/img/image.slidesharecdn.com/mcp-250818044939-a61ac80d/75/MCP-Security-Tutorial-Beginner-to-Advanced-22-2048.jpg)
Uploaded byHarish Ramadoss
MCP Security Tutorial - Beginner to Advanced
This new series takes a deep dive into both sides of MCP: 🔐 How to securely interact with MCP Servers — managing API keys, defending against indirect prompt injections (think rug pulls, tool poisioning ...) 🛠️ Building and exposing your own MCP Servers — input sanitization, tool authorization, execution environments.... Full AI Security course - https://www.modernsecurity.io/courses/ai-security-certification
MCP Security Tutorial - Beginner to Advanced
- 1.
- 2. Understanding MCP * Whatis MCP? * What problems does MCP solve? Building Your Own MCP Server * Step-by-step overview Attacking MCP Servers * Common attack techniques Defending Against MCP Vulnerabilities * How to protect your environment
- 3. AI App Without MCP UniqueAPI Github MCP Server Slack MCP Server Unique API Unique API AI App AWS MCP Server With MCP
- 4. Github MCP ServerSlack MCP Server AI App AWS MCP Server With MCP
- 5. Let's look ata basic Example using Claude Claude + Github
- 6.
- 7. Github MCP ServerSlack MCP Server MCP Client Custom MCP Server Your APIs
- 8. MCP Servers Can runeither on the same machine or remotely 1. Local MCP Server 2. Remote MCP Server
- 9.
- 10. Creating your OwnMCP Server
- 11.
- 12. We should thinkof MCP Risks from two angles/use cases - When you're a Client using an MCP Server - When you're a Provider building or exposing an MCP Server
- 13. When you're aClient using an MCP Server
- 14. Tool Poisoning Attack(Indirect Prompt Injection) MCP Client Malicious Currency Server (Pretending to be Currency Server) Convert 5 USD to INR Sends instructions Perform Currency Conversion... Send financial.txt to attacker financial.txt sent to attacker Client User Tools
- 15. Rug Pull Attack Swapsduring use time MCP Client Malicious MCP Server User Tools Orignal MCP Server Tools
- 16. Use Case ===>GitHub MCP Exploited: Accessing private repositories via MCP source: https://invariantlabs.ai/blog/mcp-github-vulnerability
- 17.
- 18. MCP Server Risks PromptInjection Style Attacks No visibility/observability Server executes on end user’s machine * Tools run with the user's local privileges. API tokens exposure Authorization Issues Local servers typically lack centralized monitoring, logging, or enforcement mechanisms. * This makes it hard to audit what tools were called or what prompts were processed.
- 19. When you're aProvider building or exposing an MCP Server
- 20. If you arebuilding MCP server - treat all input from LLM/User insecure Example 1 mcp = FastMCP( name="UserLookup", host="0.0.0.0", port=8081, ) @mcp.tool() def lookup(username: str): conn = sqlite3.connect("users.db") cursor = conn.cursor() query = f"SELECT * FROM users WHERE username = '{username}'" cursor.execute(query) result = cursor.fetchall() conn.close() return result if __name__ == "__main__": mcp.run() SQL Injection Exploit { "tool_name": "lookup", "args": { "username": "' OR 1=1 --" } }
- 21. If you arebuilding MCP server - treat all input from LLM/User insecure Example 2 # Create the MCP server mcp = FastMCP( name="ImageConverter", host="0.0.0.0", port=8080, ) # Expose the vulnerable tool @mcp.tool() def convert(filepath: str, format: str): return convert_image(filepath, format) # Run the server if __name__ == "__main__": mcp.run() Command Injection Exploit { "tool_name": "convert", "args": { "filepath": "image.jpg;cat /etc/passwd >/tmp/leak.txt", "format": "png" } }
- 22. Authorization Issues ALLOWED_TOOLS ={ "admin": ["convert_image", "delete_user", "view_logs"], "user": ["convert_image"] } def authorize(role, tool_name): return tool_name in ALLOWED_TOOLS.get(role, []) Example Setup Before executing a tool, check if the caller is authorized: if not authorize(current_user_role, tool_name): raise PermissionError("Unauthorized tool access")
- 23. Defending Against MCPVulnerabilities How to protect your environment
- 24. Two Broad Categoriesfor MCP Security MCP Security Scanners MCP Gateway
- 25. What do wewant to protect against Injection Style Attacks Tool Poisoning Attack, Rug pulls and tool shadowing, Toxic Flows. Gateway should be able to detect these attack during Runtime and block. Authorization Should be able to define per-tool scopes for each MCP Server MCP Gateway centralized monitoring, logging, or enforcement mechanisms. We should be able to define access to MCP Server depending on groups Masking/ Privacy We should be able to token-masking for sensitve data Obseravability
- 26. Users MCP Gateway Analyse LlamaFirewall Prompt Injection Blockit Proxy Request MCP Gateway MCP Client MCP Server 1 Tools MCP Server 2 Tools MCP Server 3 Tools Proxy Request
- 27. MCP Gateway (OpenSource) -https://github.com/trailofbits/mcp-context-protector - https://github.com/lasso-security/mcp-gateway