Skip to content

DOC: Add MCP XPIA attack notebook (MCP-03, MCP-06)#1619

Closed
diamond8658 wants to merge 6 commits intomicrosoft:mainfrom
diamond8658:feat/mcp-security-targets
Closed

DOC: Add MCP XPIA attack notebook (MCP-03, MCP-06)#1619
diamond8658 wants to merge 6 commits intomicrosoft:mainfrom
diamond8658:feat/mcp-security-targets

Conversation

@diamond8658
Copy link
Copy Markdown

@diamond8658 diamond8658 commented Apr 15, 2026

Description

Follows up on #1552 and the feedback from @romanlutz — adds the XPIA orchestrator example he suggested, addressing the PromptTarget abstraction concern from the original PR.

Related: #1470, #1552. Of interest to @razashariff.

MCP servers speak JSON-RPC, not natural language — PromptTarget is the wrong abstraction for them. Instead of subclassing PromptTarget, this PR uses plain async helper classes (MCPToolPoisoningSetup, MCPPromptInjectionSetup) that call the MCP server directly inside XPIAOrchestrator's processing_callback. The attack_setup_target is a TextTarget() that records the attack intent in PyRIT memory. This follows the pattern @romanlutz described: the MCP server interaction is the attack setup, and the victim LLM agent is the processing target.

What's added:

  • doc/code/executor/attack/mcp_xpia_attack.py + .ipynb — MCP-03 (Tool Poisoning) and MCP-06 (Prompt Injection) wired into XPIAOrchestrator, with SubStringScorer and SelfAskTrueFalseScorer capturing attack success/failure end-to-end
  • doc/code/targets/mcp_security_testing.py — updated existing notebook to use current AttackScoringConfig API

Tests and Documentation

  • Existing 21 unit tests in tests/unit/prompt_target/target/test_mcp_target.py cover the underlying MCP target classes and still pass
  • Both .py (JupyText source) and .ipynb (rendered) provided for the new notebook, matching repo conventions
  • JupyText not run locally as the notebook requires a live MCP server endpoint — cells are marked accordingly
  • Inline comments throughout explain the attack flow, injection vectors, and design rationale

@diamond8658
FEAT: Add MCP security testing targets (OWASP MCP-03, MCP-06)
a7edd7e 
- Add MCPTarget base class with JSON-RPC 2.0 dispatch over aiohttp
- Add MCPToolPoisoningTarget implementing OWASP MCP-03 (tool poisoning)
- Add MCPPromptInjectionTarget implementing OWASP MCP-06 (unsigned JSON-RPC injection)
- Add 21 unit tests
- Add notebook walkthrough with scoring examples

Closes microsoft#1470
@diamond8658
FEAT: Add MCP security testing notebook for MCP-03 and MCP-06
33629a0
@diamond8658
Merge branch 'main' of github.com:diamond8658/PyRIT into feat/mcp-sec…
31bed45 
…urity-targets
@diamond8658
Merge upstream/main — move test to tests/unit/prompt_target/target/
4634f82
@diamond8658
DOC: Add MCP XPIA attack notebook (MCP-03, MCP-06)
73a93eb
@diamond8658
DOC: Add .ipynb version of MCP XPIA attack notebook
a96a7c5
@diamond8658 diamond8658 mentioned this pull request Apr 15, 2026
Open
@rlundeen2
Copy link
Copy Markdown
Contributor

rlundeen2 commented Apr 16, 2026

Closing for now; there is still an MCP Target. And also we don't want to just merge a notebook.

I could potentially see for testing MCP tooling in pyrit, but it's a stretch to test for things like auth issues, etc. There are other tools for that. PyRIT is better suited for testing shared context, things like that. And it needs to be more carefully thought out.

@rlundeen2 rlundeen2 closed this Apr 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@diamond8658 @rlundeen2