MCP Protocol Attack

MCP protocol attacks target the communication layer between the agent and the MCP server. Instead of attacking a specific skill, these attacks exploit the protocol to inject new capabilities, intercept existing calls, modify responses, or manipulate the agent understanding of what is available.

The MCP protocol defines how capabilities are discovered, how they are called, and how results are returned. Each of these phases can be attacked. During discovery, a malicious server can offer capabilities that shadow legitimate ones. During invocation, a man-in-the-middle can modify parameters. During response, the server can return crafted results that inject instructions into the agent context.

Aguara detects seven MCP protocol attack patterns, including dynamic capability injection (adding capabilities that were not declared during server initialization), shadowing (offering capabilities with the same name as those from other servers), response injection (embedding prompt-injection payloads in results), and capability escalation (a server declaring minimal access during handshake but exercising broader access during use).

The MCP protocol is designed for flexibility. Servers can dynamically offer capabilities, update what they provide, and return rich structured data. This flexibility is what makes MCP powerful, but it also creates attack surface that does not exist in static API integrations.

In a traditional API, you know exactly what endpoints exist and what they return. The API schema is fixed at deployment time. In MCP, the capability list can change during a session. A server can offer something new at any point, and the agent will include it in its available set. If the new capability has the same name as one from another server, the agent might call the attacker version instead of the legitimate one.

This is particularly dangerous because users grant trust to MCP servers at connection time. You decide to trust "the GitHub MCP server" based on its reputation. But if a malicious server can offer capabilities that look like they come from the GitHub server, your trust decision is being exploited. The agent does not know which server offered which capability unless the framework explicitly tracks provenance.

If you are building agent frameworks or MCP clients, track provenance. Know which server offered which capability. Do not allow servers to shadow capabilities from other servers without explicit user consent. Log all dynamic additions and changes so users can audit what happened during a session.

As a user, limit the number of MCP servers connected simultaneously. Each additional server increases the attack surface for cross-server interference. If you need multiple servers, prefer frameworks that namespace capabilities by server (github.create_pr vs. code.create_pr) rather than sharing a flat namespace.

Be suspicious of MCP servers that offer many capabilities beyond their stated purpose. A "GitHub integration" server should provide GitHub-related capabilities. If it also provides file system, shell, or network capabilities, something is wrong. The principle of least privilege applies here just as much as it applies to permissions.