MCP Injection Experiments (Public Mode)

Safety model. All effects stay inside var/ and sandbox/effects/. Outbound HTTP is denied by default; the URL classifier blocks loopback, link-local, private and metadata addresses. MockMailServer only accepts the reserved .example TLD. FAKEJWT tokens are intentionally non-cryptographic. Public Mode refuses to start unless the operator overrides DEMO_ADMIN_TOKEN and configures a non-wildcard origin allowlist. See docs/security-review.md for the full review.
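The egress and startup rules from that safety model, as an added example that is not the project's own code: a resolver-free URL classifier with the same deny classes, and a Public Mode startup check that refuses a placeholder DEMO_ADMIN_TOKEN or a wildcard origin allowlist. The constants and function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy values, constructed for this example (not the project's own).
DEFAULT_ADMIN_TOKEN = "change-me"  # shipped placeholder the operator must override
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def classify_url(url: str, egress_allowlist: frozenset = frozenset()) -> str:
    """Return 'allow' or 'deny:<reason>' for an outbound URL. Default deny: only hosts
    on an explicit egress allowlist pass, and even those are refused when they are
    loopback, link-local, private or metadata addresses. Nothing is resolved here."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny:scheme"
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return "deny:no-host"
    if host in METADATA_HOSTS:
        return "deny:metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None:
        if ip.is_loopback:
            return "deny:loopback"
        if ip.is_link_local:
            return "deny:link-local"
        if ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_unspecified:
            return "deny:private"
    return "allow" if host in egress_allowlist else "deny:not-allowlisted"


def public_mode_startup_problems(admin_token: str, origins: list) -> list:
    """Everything that must be fixed before Public Mode may start: an overridden admin
    token and a non-empty Origin allowlist with no wildcard or malformed entries."""
    problems = [] if origins else ["empty origin allowlist"]
    for origin in origins:
        if "*" in origin:
            problems.append(f"wildcard origin {origin!r}")
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname or parts.path:
            problems.append(f"malformed origin {origin!r}")
    if not admin_token or admin_token == DEFAULT_ADMIN_TOKEN:
        problems.append("DEMO_ADMIN_TOKEN not overridden")
    return problems
```

A DNS name is never allowed through on its own: a name that resolves to a private address later would defeat the literal check, so only an explicit allowlist entry passes.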

This is a teaching-focused implementation of the Model Context Protocol with seventeen exploit demos plus eight Agent-Trap scenarios. Every experiment ships in two explicitly-modeled modes:

The demo never speaks to a real LLM or a real third-party API, and never executes user-controlled shell input.

Two HTTP surfaces

Each experiment is reachable through two HTTP surfaces. Both enforce the Origin allowlist; the MCP surface additionally runs FastMCP's DNS-rebinding protection.

| Surface | What it speaks | Path |
|---|---|---|
| Real MCP (Streamable HTTP) | Official mcp Python SDK on the server side. JSON-RPC 2.0 over HTTP+SSE with initialize, tools/list, tools/call, and the Mcp-Session-Id handshake. | /mcp/<experiment>/<mode>/ |
| Demo dashboard (JSON) | Convenience POST that drives run_scenario and returns the full DemoResult body. Used by the /demo UI and by external scripts. | POST /demo/scenario/<experiment> |

cURL the real MCP endpoint:

curl -i \
  -H 'Origin: http://127.0.0.1:8000' \
  -H 'Accept: application/json, text/event-stream' \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"demo-client","version":"0.0.1"}}}' \
  http://127.0.0.1:8000/mcp/direct-poisoning/vulnerable/

Or with the official Python client:

import asyncio

from mcp.client.session import ClientSession
from mcp.client.streamable_http import streamablehttp_client  # the SDK spells it without a second underscore

URL = 'http://127.0.0.1:8000/mcp/direct-poisoning/vulnerable/'


async def main() -> None:
    # Origin is required by the allowlist check, exactly as in the curl example.
    async with streamablehttp_client(
        URL, headers={'Origin': 'http://127.0.0.1:8000'}
    ) as (read, write, _):
        async with ClientSession(read, write) as session:
            await session.initialize()
            tools = await session.list_tools()
            for tool in tools.tools:
                print(tool.name)


asyncio.run(main())
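To script the same handshake without the SDK, as an added example that is neither the project's nor the SDK's code: builders for the initialize body and the headers the endpoint requires, plus a parser for the text/event-stream reply that correlates responses by JSON-RPC id. The sample server reply is constructed.

```python
import json
from typing import Optional

PROTOCOL_VERSION = "2025-06-18"  # the revision the curl example above negotiates

def initialize_request(req_id: int = 1, client_name: str = "demo-client") -> dict:
    """JSON-RPC 2.0 'initialize' body, the same shape the curl example posts."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                       "clientInfo": {"name": client_name, "version": "0.0.1"}}}

def request_headers(origin: str, session_id: Optional[str] = None) -> dict:
    """Headers each POST needs: Origin for the allowlist check, both Accept types and,
    once initialize has returned one, the Mcp-Session-Id echoed on every later call."""
    headers = {"Origin": origin, "Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    if session_id:
        headers["Mcp-Session-Id"] = session_id
    return headers

def parse_sse(body: str) -> list:
    """Split a text/event-stream body into JSON-RPC messages: events are blank-line
    separated blocks, only 'data:' lines carry payload, multi-line data joins with '\\n'."""
    messages = []
    for block in body.replace("\r\n", "\n").split("\n\n"):
        data = [line[5:].lstrip() for line in block.split("\n") if line.startswith("data:")]
        if data:
            messages.append(json.loads("\n".join(data)))
    return messages

def response_for(messages: list, req_id: int) -> dict:
    """Correlate by id and raise on a JSON-RPC error instead of silently reading a result."""
    for msg in messages:
        if msg.get("id") == req_id:
            if "error" in msg:
                raise RuntimeError(f"JSON-RPC error: {msg['error']}")
            return msg["result"]
    raise LookupError(f"no response with id {req_id}")

# Constructed sample of what the server streams back for the initialize call above,
# followed by an SSE comment line (keepalive) that the parser must ignore.
SAMPLE_SSE = ('event: message\n'
              'data: {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2025-06-18",'
              '"capabilities":{"tools":{}},"serverInfo":{"name":"demo","version":"0"}}}\n'
              '\n: keepalive\n\n')
```

Read the Mcp-Session-Id response header from the initialize reply and pass it to request_headers for tools/list and tools/call; without it the server treats the call as sessionless.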

Experiments

25 experiments registered. The cards on /demo let you trigger any of them with one click; the timeline at /demo/events shows the structured impact ledger across runs.

| id | title | OWASP | Agent Traps | MCP surfaces |
|---|---|---|---|---|
| remote-agent-traps-approval-fatigue (expansion-2025-2026) | Agent Traps - approval fatigue and human-in-the-loop | MCP07 | Human-in-the-Loop | tools/call |
| remote-agent-traps-hidden-html (expansion-2025-2026) | Agent Traps - hidden HTML and dynamic cloaking | MCP03 | Content Injection, Behavioural Control | resources/read, tools/call |
| remote-agent-traps-memory-poisoning (expansion-2025-2026) | Agent Traps - memory poisoning and delayed activation | MCP10 | Cognitive State | resources/read, tools/call |
| remote-agent-traps-subagent-spawning (expansion-2025-2026) | Agent Traps - subagent spawning from untrusted resources | MCP02 | Behavioural Control | resources/read, tools/call |
| remote-agent-traps-sybil-and-fragments (expansion-2025-2026) | Agent Traps - sybil consensus + compositional fragments | MCP10 | Systemic | resources/read, tools/call |
| remote-ai-clickfix (expansion-2025-2026) | AI ClickFix-style UI social-engineering demo | MCP03, MCP06 | Behavioural Control, Human-in-the-Loop | resources/read, tools/call |
| remote-auth-confused-deputy (baseline) | Remote Auth Confused Deputy (Fake-OAuth) | MCP01, MCP07 | | |
| remote-comment-and-control (expansion-2025-2026) | GitHub Comment-and-Control prompt injection | MCP03, MCP10 | Behavioural Control | resources/read, tools/call |
| remote-cross-agent-config-priv-esc (expansion-2025-2026) | Cross-agent privilege escalation via shared configs | MCP02, MCP07 | Systemic | resources/read, tools/call |
| remote-cross-session-context-leak (baseline) | Remote Cross-Session Context Leak | MCP10, MCP08 | | |
| remote-direct-poisoning (baseline) | Remote Direct Poisoning | MCP01, MCP03, MCP06 | | |
| remote-filesystem-sandbox-escape (expansion-2025-2026) | Filesystem MCP sandbox escape (path validation bypass) | MCP05, MCP01 | | tools/call |
| remote-git-filesystem-chain-safe (expansion-2025-2026) | Git + Filesystem cross-server chained safe demo | MCP03, MCP04 | Behavioural Control, Systemic | resources/read, tools/call |
| remote-github-issue-leak (expansion-2025-2026) | GitHub MCP issue/PR prompt-injection leak | MCP03, MCP10 | Behavioural Control | resources/read, tools/call |
| remote-implicit-tool-poisoning (expansion-2025-2026) | Implicit tool poisoning via tools/list metadata | MCP03, MCP09 | Behavioural Control | tools/list, tools/call |
| remote-inspector-proxy-auth-bypass (expansion-2025-2026) | MCP Inspector / devtool auth-bypass bounded RCE proof | MCP01, MCP07 | | tools/call |
| remote-mcp-remote-auth-endpoint-injection (expansion-2025-2026) | mcp-remote OAuth metadata command-injection (CVE-2025-6514 inspired) | MCP01, MCP07 | Behavioural Control | resources/read, tools/call |
| remote-promptware-heartbeat (expansion-2025-2026) | Promptware / Agent Commander heartbeat demo | MCP06, MCP08 | Behavioural Control | resources/read, tools/call |
| remote-registry-rug-pull (baseline) | Remote Registry Rug Pull (Pinning + Permission Delta) | MCP02, MCP04 | | |
| remote-sampling-abuse (baseline) | Remote Sampling Abuse (Fake-LLM + Budget) | MCP06, MCP08 | | |
| remote-slack-unfurl-leak (expansion-2025-2026) | Slack MCP link-unfurling data leak demo | MCP03, MCP10 | Behavioural Control, Human-in-the-Loop | tools/call |
| remote-sleeper-rug-pull (baseline) | Remote Sleeper Rug Pull (Tool Metadata Drift) | MCP03, MCP04 | | |
| remote-ssrf-metadata (baseline) | Remote SSRF Metadata Discovery (Mock-Resolver) | MCP05, MCP01 | | |
| remote-tool-shadowing (baseline) | Remote Tool Shadowing with Mock Mail | MCP03, MCP09, MCP10 | | |
| remote-trustfall-project-mcp-settings (expansion-2025-2026) | TrustFall-style project-defined MCP onboarding risk | MCP02, MCP04 | Human-in-the-Loop | resources/read, tools/call |

Operational endpoints

| Path | Purpose |
|---|---|
| GET /healthz | liveness probe (no Origin check) |
| GET /readyz | readiness probe; lists registered experiments |
| GET /demo | HTML dashboard with one card per experiment |
| GET /demo/events | telemetry timeline (JSON or HTML) |
| POST /demo/reset | admin-token-gated per-session reset |

Allowlisted Origins: https://mcp-sec.data.mayflower.tech

Documentation