@mcp-shark/mcp-shark 1.5.13 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +396 -59
- package/bin/mcp-shark.js +146 -52
- package/core/cli/AutoFixEngine.js +93 -0
- package/core/cli/ConfigScanner.js +193 -0
- package/core/cli/DataLoader.js +200 -0
- package/core/cli/DeclarativeRuleEngine.js +363 -0
- package/core/cli/DoctorCommand.js +218 -0
- package/core/cli/FixHandlers.js +222 -0
- package/core/cli/HtmlReportGenerator.js +203 -0
- package/core/cli/IdeConfigPaths.js +175 -0
- package/core/cli/ListCommand.js +224 -0
- package/core/cli/LockCommand.js +164 -0
- package/core/cli/LockDiffEngine.js +152 -0
- package/core/cli/RuleRegistryConfig.js +131 -0
- package/core/cli/ScanCommand.js +244 -0
- package/core/cli/ScanService.js +200 -0
- package/core/cli/SecretDetector.js +92 -0
- package/core/cli/SharkScoreCalculator.js +109 -0
- package/core/cli/ToolClassifications.js +51 -0
- package/core/cli/ToxicFlowAnalyzer.js +212 -0
- package/core/cli/UpdateCommand.js +188 -0
- package/core/cli/WalkthroughGenerator.js +195 -0
- package/core/cli/WatchCommand.js +129 -0
- package/core/cli/YamlRuleEngine.js +197 -0
- package/core/cli/data/rule-packs/agentic-security-2026.json +180 -0
- package/core/cli/data/rule-packs/general-security.json +173 -0
- package/core/cli/data/rule-packs/owasp-mcp-2026.json +244 -0
- package/core/cli/data/rule-packs/toxic-flow-heuristics.json +21 -0
- package/core/cli/data/rule-sources.json +5 -0
- package/core/cli/data/secret-patterns.json +18 -0
- package/core/cli/data/tool-classifications.json +111 -0
- package/core/cli/data/toxic-flow-rules.json +47 -0
- package/core/cli/index.js +23 -0
- package/core/cli/output/Banner.js +52 -0
- package/core/cli/output/Formatter.js +183 -0
- package/core/cli/output/JsonFormatter.js +106 -0
- package/core/cli/output/index.js +16 -0
- package/core/cli/secureRegistryFetch.js +157 -0
- package/core/cli/symbols.js +16 -0
- package/core/container/DependencyContainer.js +4 -1
- package/core/repositories/PacketRepository.js +16 -0
- package/core/services/AuditService.js +2 -0
- package/core/services/security/StaticRulesService.js +69 -13
- package/core/services/security/TrafficAnalysisService.js +19 -1
- package/core/services/security/TrafficToxicFlowService.js +154 -0
- package/core/services/security/index.js +2 -1
- package/core/services/security/rules/index.js +25 -59
- package/core/services/security/rules/scans/configPermissions.js +91 -0
- package/core/services/security/rules/scans/duplicateToolNames.js +85 -0
- package/core/services/security/rules/scans/insecureTransport.js +148 -0
- package/core/services/security/rules/scans/missingContainment.js +123 -0
- package/core/services/security/rules/scans/shellEnvInjection.js +101 -0
- package/core/services/security/rules/scans/unsafeDefaults.js +99 -0
- package/core/services/security/toolsListFromTrafficParser.js +70 -0
- package/core/tui/App.js +144 -0
- package/core/tui/FindingsPanel.js +115 -0
- package/core/tui/FixPanel.js +132 -0
- package/core/tui/Header.js +51 -0
- package/core/tui/HelpBar.js +42 -0
- package/core/tui/ServersPanel.js +109 -0
- package/core/tui/ToxicFlowsPanel.js +100 -0
- package/core/tui/h.js +8 -0
- package/core/tui/index.js +11 -0
- package/core/tui/render.js +22 -0
- package/package.json +24 -16
- package/ui/dist/assets/{index-CiCSDYf-.js → index-Buah4fNS.js} +32 -32
- package/ui/dist/index.html +1 -1
- package/ui/server/controllers/RequestController.js +9 -1
- package/ui/server/controllers/SecurityFindingsController.js +46 -1
- package/ui/server/routes/requests.js +8 -1
- package/ui/server/routes/security.js +5 -1
- package/ui/server/setup.js +2 -0
- package/ui/server/swagger/paths/components.js +55 -0
- package/ui/server/swagger/paths/securityTrafficFlows.js +59 -0
- package/ui/server/swagger/paths.js +2 -0
- package/ui/server/swagger/swagger.js +5 -1
- package/ui/src/Security.jsx +10 -0
- package/ui/src/components/Security/ScannerContent.jsx +30 -1
- package/ui/src/components/Security/TrafficToxicFlowsPanel.jsx +253 -0
- package/ui/src/components/Security/securityApi.js +15 -0
- package/ui/src/components/Security/useSecurity.js +60 -3
- package/core/services/security/rules/scans/agentic01GoalHijack.js +0 -130
- package/core/services/security/rules/scans/agentic02ToolMisuse.js +0 -129
- package/core/services/security/rules/scans/agentic03IdentityAbuse.js +0 -130
- package/core/services/security/rules/scans/agentic04SupplyChain.js +0 -130
- package/core/services/security/rules/scans/agentic06MemoryPoisoning.js +0 -130
- package/core/services/security/rules/scans/agentic07InsecureCommunication.js +0 -135
- package/core/services/security/rules/scans/agentic08CascadingFailures.js +0 -135
- package/core/services/security/rules/scans/agentic09TrustExploitation.js +0 -135
- package/core/services/security/rules/scans/agentic10RogueAgent.js +0 -130
- package/core/services/security/rules/scans/hardcodedSecrets.js +0 -130
- package/core/services/security/rules/scans/mcp01TokenMismanagement.js +0 -127
- package/core/services/security/rules/scans/mcp02ScopeCreep.js +0 -130
- package/core/services/security/rules/scans/mcp03ToolPoisoning.js +0 -132
- package/core/services/security/rules/scans/mcp04SupplyChain.js +0 -131
- package/core/services/security/rules/scans/mcp06PromptInjection.js +0 -200
- package/core/services/security/rules/scans/mcp07InsufficientAuth.js +0 -130
- package/core/services/security/rules/scans/mcp08LackAudit.js +0 -129
- package/core/services/security/rules/scans/mcp09ShadowServers.js +0 -129
- package/core/services/security/rules/scans/mcp10ContextInjection.js +0 -130
|
@@ -0,0 +1,180 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schema_version": "1.0",
|
|
3
|
+
"pack_id": "agentic-security-2026",
|
|
4
|
+
"pack_name": "Agentic Security Initiative (2026)",
|
|
5
|
+
"version": "1.0.0",
|
|
6
|
+
"updated": "2026-03-15",
|
|
7
|
+
"source_url": "https://owasp.org/www-project-agentic-security/",
|
|
8
|
+
"rules": [
|
|
9
|
+
{
|
|
10
|
+
"id": "asi01-goal-hijack",
|
|
11
|
+
"name": "Agent Goal Hijack Detection",
|
|
12
|
+
"owasp_id": "ASI01",
|
|
13
|
+
"severity": "high",
|
|
14
|
+
"type": "agentic-security",
|
|
15
|
+
"description": "Detects attempts to hijack or modify agent goals.",
|
|
16
|
+
"recommendation": "Implement goal validation and verification. Monitor for unauthorized goal changes. Use goal isolation and protection mechanisms.",
|
|
17
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
18
|
+
"match_mode": "all_matches",
|
|
19
|
+
"severity_overrides": { "prompt": "critical" },
|
|
20
|
+
"patterns": [
|
|
21
|
+
"(?:hijack|override|replace|change|modify)\\s+(?:goal|objective|purpose|mission|task)",
|
|
22
|
+
"(?:ignore|forget|disregard)\\s+(?:original|initial|intended|primary)\\s+(?:goal|objective|purpose)",
|
|
23
|
+
"(?:new|different|alternative|malicious)\\s+(?:goal|objective|purpose|mission)",
|
|
24
|
+
"(?:steer|redirect|manipulate)\\s+(?:agent|system)\\s+(?:toward|to|into)",
|
|
25
|
+
"(?:unauthorized|malicious|harmful)\\s+(?:goal|objective|purpose|action)"
|
|
26
|
+
]
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"id": "asi02-tool-misuse",
|
|
30
|
+
"name": "Tool Misuse Detection",
|
|
31
|
+
"owasp_id": "ASI02",
|
|
32
|
+
"severity": "high",
|
|
33
|
+
"type": "agentic-security",
|
|
34
|
+
"description": "Detects tool misuse and exploitation patterns.",
|
|
35
|
+
"recommendation": "Implement tool usage monitoring and restrictions. Enforce scope boundaries for tool usage. Monitor for unauthorized tool combinations.",
|
|
36
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
37
|
+
"match_mode": "all_matches",
|
|
38
|
+
"severity_overrides": { "resource": "medium" },
|
|
39
|
+
"patterns": [
|
|
40
|
+
"(?:misuse|abuse|exploit|manipulate)\\s+(?:tool|function|capability|feature)",
|
|
41
|
+
"(?:use|utilize|invoke)\\s+(?:tool|function)\\s+(?:outside|beyond|outside\\s+of)\\s+(?:intended|authorized|allowed)\\s+(?:scope|purpose|context)",
|
|
42
|
+
"(?:unauthorized|illegitimate|improper)\\s+(?:tool|function)\\s+(?:usage|use|invocation)",
|
|
43
|
+
"(?:combine|chain|sequence)\\s+(?:tools|functions)\\s+(?:to|for)\\s+(?:achieve|perform|execute)\\s+(?:unauthorized|malicious)"
|
|
44
|
+
]
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"id": "asi03-identity-abuse",
|
|
48
|
+
"name": "Identity Abuse Detection",
|
|
49
|
+
"owasp_id": "ASI03",
|
|
50
|
+
"severity": "high",
|
|
51
|
+
"type": "agentic-security",
|
|
52
|
+
"description": "Detects identity and privilege abuse patterns.",
|
|
53
|
+
"recommendation": "Implement strict identity and privilege management. Monitor for privilege escalation. Enforce least privilege principles.",
|
|
54
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
55
|
+
"match_mode": "all_matches",
|
|
56
|
+
"severity_overrides": { "prompt": "medium" },
|
|
57
|
+
"patterns": [
|
|
58
|
+
"(?:abuse|misuse|exploit|impersonate|spoof)\\s+(?:identity|privilege|permission|access|role)",
|
|
59
|
+
"(?:escalate|elevate|raise|upgrade)\\s+(?:privilege|permission|access|authority)",
|
|
60
|
+
"(?:assume|take|steal|hijack)\\s+(?:identity|role|privilege|permission)",
|
|
61
|
+
"(?:unauthorized|illegitimate|improper)\\s+(?:privilege|permission|access|authority)\\s+(?:use|usage|exercise)",
|
|
62
|
+
"(?:bypass|circumvent|override)\\s+(?:identity|authentication|authorization|access\\s+control)"
|
|
63
|
+
]
|
|
64
|
+
},
|
|
65
|
+
{
|
|
66
|
+
"id": "asi04-supply-chain",
|
|
67
|
+
"name": "Agentic Supply Chain Detection",
|
|
68
|
+
"owasp_id": "ASI04",
|
|
69
|
+
"severity": "high",
|
|
70
|
+
"type": "agentic-security",
|
|
71
|
+
"description": "Detects agentic supply chain vulnerabilities.",
|
|
72
|
+
"recommendation": "Verify agent framework and model integrity. Use signed and verified dependencies. Monitor for supply chain attacks.",
|
|
73
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
74
|
+
"match_mode": "all_matches",
|
|
75
|
+
"severity_overrides": { "prompt": "medium" },
|
|
76
|
+
"patterns": [
|
|
77
|
+
"(?:compromised|vulnerable|malicious)\\s+(?:agent|framework|model|dependency|package)",
|
|
78
|
+
"(?:supply\\s+chain|dependency)\\s+(?:attack|vulnerability|compromise|tampering)",
|
|
79
|
+
"(?:unsigned|unverified|untrusted)\\s+(?:agent|framework|model|dependency)",
|
|
80
|
+
"(?:tampered|modified|altered)\\s+(?:agent|framework|model|dependency)",
|
|
81
|
+
"(?:typosquatting|brandjacking|namespace)\\s+(?:agent|framework|model|package)"
|
|
82
|
+
]
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
"id": "asi06-memory-poisoning",
|
|
86
|
+
"name": "Memory Poisoning Detection",
|
|
87
|
+
"owasp_id": "ASI06",
|
|
88
|
+
"severity": "high",
|
|
89
|
+
"type": "agentic-security",
|
|
90
|
+
"description": "Detects memory and context poisoning patterns.",
|
|
91
|
+
"recommendation": "Implement memory and context validation. Monitor for data poisoning. Use memory isolation and sanitization.",
|
|
92
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
93
|
+
"match_mode": "all_matches",
|
|
94
|
+
"severity_overrides": { "prompt": "critical" },
|
|
95
|
+
"patterns": [
|
|
96
|
+
"(?:poison|corrupt|taint|contaminate|manipulate)\\s+(?:memory|context|data|information)",
|
|
97
|
+
"(?:inject|insert)\\s+(?:malicious|harmful|poisoned|corrupted)\\s+(?:data|information|memory|context)",
|
|
98
|
+
"(?:memory|context|data)\\s+(?:poisoning|corruption|manipulation|tampering)",
|
|
99
|
+
"(?:compromise|compromised)\\s+(?:memory|context|data|information)",
|
|
100
|
+
"(?:tainted|poisoned|corrupted)\\s+(?:memory|context|data|information)"
|
|
101
|
+
]
|
|
102
|
+
},
|
|
103
|
+
{
|
|
104
|
+
"id": "asi07-insecure-communication",
|
|
105
|
+
"name": "Insecure Communication Detection",
|
|
106
|
+
"owasp_id": "ASI07",
|
|
107
|
+
"severity": "high",
|
|
108
|
+
"type": "agentic-security",
|
|
109
|
+
"description": "Detects insecure inter-agent communication patterns.",
|
|
110
|
+
"recommendation": "Implement encrypted communication channels. Use TLS/SSL for all inter-agent communications. Authenticate all agent interactions.",
|
|
111
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
112
|
+
"match_mode": "all_matches",
|
|
113
|
+
"severity_overrides": { "prompt": "medium" },
|
|
114
|
+
"patterns": [
|
|
115
|
+
"(?:unencrypted|plaintext|cleartext|unsecured)\\s+(?:communication|channel|connection|transmission)",
|
|
116
|
+
"(?:http:\\/\\/|ftp:\\/\\/|ws:\\/\\/)\\s+(?:instead\\s+of|without|missing)",
|
|
117
|
+
"(?:no|missing|lack|without)\\s+(?:encryption|tls|ssl|https|authentication|auth)",
|
|
118
|
+
"(?:insecure|vulnerable|weak)\\s+(?:communication|channel|protocol|connection)",
|
|
119
|
+
"(?:intercept|eavesdrop|man-in-the-middle|mitm)\\s+(?:communication|channel|message)"
|
|
120
|
+
]
|
|
121
|
+
},
|
|
122
|
+
{
|
|
123
|
+
"id": "asi08-cascading-failures",
|
|
124
|
+
"name": "Cascading Failures Detection",
|
|
125
|
+
"owasp_id": "ASI08",
|
|
126
|
+
"severity": "medium",
|
|
127
|
+
"type": "agentic-security",
|
|
128
|
+
"description": "Detects cascading failure vulnerabilities.",
|
|
129
|
+
"recommendation": "Implement failure isolation and containment. Use circuit breakers and failover mechanisms. Design for graceful degradation.",
|
|
130
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
131
|
+
"match_mode": "all_matches",
|
|
132
|
+
"severity_overrides": { "prompt": "low" },
|
|
133
|
+
"patterns": [
|
|
134
|
+
"(?:cascade|cascading|chain|domino)\\s+(?:failure|error|exception|outage|breakdown)",
|
|
135
|
+
"(?:propagate|spread|ripple|amplify)\\s+(?:failure|error|exception|outage)",
|
|
136
|
+
"(?:single\\s+point\\s+of\\s+failure|spof)",
|
|
137
|
+
"(?:no|missing|lack|without)\\s+(?:isolation|containment|circuit\\s+breaker|failover|redundancy)",
|
|
138
|
+
"(?:unhandled|uncaught|unrecoverable)\\s+(?:failure|error|exception)"
|
|
139
|
+
]
|
|
140
|
+
},
|
|
141
|
+
{
|
|
142
|
+
"id": "asi09-trust-exploitation",
|
|
143
|
+
"name": "Trust Exploitation Detection",
|
|
144
|
+
"owasp_id": "ASI09",
|
|
145
|
+
"severity": "high",
|
|
146
|
+
"type": "agentic-security",
|
|
147
|
+
"description": "Detects human-agent trust exploitation patterns.",
|
|
148
|
+
"recommendation": "Implement trust verification mechanisms. Educate users about agent limitations. Monitor for trust exploitation patterns.",
|
|
149
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
150
|
+
"match_mode": "all_matches",
|
|
151
|
+
"severity_overrides": { "prompt": "critical" },
|
|
152
|
+
"patterns": [
|
|
153
|
+
"(?:exploit|abuse|manipulate|misuse)\\s+(?:trust|confidence|reliance|relationship)",
|
|
154
|
+
"(?:social\\s+engineering|phishing|deception|manipulation)\\s+(?:to|for|in\\s+order\\s+to)",
|
|
155
|
+
"(?:impersonate|spoof|pretend|masquerade)\\s+(?:as|to\\s+be)",
|
|
156
|
+
"(?:exploit|abuse)\\s+(?:human|user|operator)\\s+(?:trust|confidence|reliance)",
|
|
157
|
+
"(?:mislead|deceive|trick|fool)\\s+(?:human|user|operator|agent)"
|
|
158
|
+
]
|
|
159
|
+
},
|
|
160
|
+
{
|
|
161
|
+
"id": "asi10-rogue-agent",
|
|
162
|
+
"name": "Rogue Agent Detection",
|
|
163
|
+
"owasp_id": "ASI10",
|
|
164
|
+
"severity": "critical",
|
|
165
|
+
"type": "agentic-security",
|
|
166
|
+
"description": "Detects rogue agent vulnerabilities.",
|
|
167
|
+
"recommendation": "Implement agent registration and approval processes. Monitor for unauthorized agent creation. Enforce agent lifecycle management.",
|
|
168
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
169
|
+
"match_mode": "all_matches",
|
|
170
|
+
"severity_overrides": { "prompt": "high" },
|
|
171
|
+
"patterns": [
|
|
172
|
+
"(?:rogue|unauthorized|unapproved|malicious|harmful)\\s+(?:agent|bot|automation|system)",
|
|
173
|
+
"(?:unauthorized|unapproved|unmanaged)\\s+(?:agent|bot)\\s+(?:creation|deployment|execution|activation)",
|
|
174
|
+
"(?:bypass|circumvent|avoid)\\s+(?:approval|authorization|review|governance)\\s+(?:for|to\\s+create|to\\s+deploy)",
|
|
175
|
+
"(?:hidden|concealed|undocumented|unregistered)\\s+(?:agent|bot|automation)",
|
|
176
|
+
"(?:self-replicating|self-propagating|autonomous)\\s+(?:agent|bot)\\s+(?:without|lacking)"
|
|
177
|
+
]
|
|
178
|
+
}
|
|
179
|
+
]
|
|
180
|
+
}
|
|
@@ -0,0 +1,173 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schema_version": "1.0",
|
|
3
|
+
"pack_id": "general-security",
|
|
4
|
+
"pack_name": "General Security Rules",
|
|
5
|
+
"version": "1.0.0",
|
|
6
|
+
"updated": "2026-03-15",
|
|
7
|
+
"source_url": "https://github.com/mcp-shark/rule-packs",
|
|
8
|
+
"rules": [
|
|
9
|
+
{
|
|
10
|
+
"id": "hardcoded-secrets",
|
|
11
|
+
"name": "Hardcoded Secrets Detection",
|
|
12
|
+
"owasp_id": "SECRET",
|
|
13
|
+
"severity": "high",
|
|
14
|
+
"type": "general-security",
|
|
15
|
+
"description": "Detects hardcoded secrets and API tokens in metadata.",
|
|
16
|
+
"recommendation": "Move secrets or API tokens to secure storage; never embed them directly in tool or resource metadata.",
|
|
17
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
18
|
+
"match_mode": "first",
|
|
19
|
+
"severity_overrides": { "prompt": "medium" },
|
|
20
|
+
"patterns": [
|
|
21
|
+
{ "regex": "sk-[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}", "label": "OpenAI", "flags": "" },
|
|
22
|
+
{ "regex": "github_pat_[0-9A-Za-z_]{40,90}", "label": "GitHub PAT", "flags": "" },
|
|
23
|
+
{ "regex": "(ghp|gho|ghs|ghu)_[A-Za-z0-9]{36}", "label": "GitHub Token", "flags": "" },
|
|
24
|
+
{ "regex": "glpat-[0-9A-Za-z\\-_]{20}", "label": "GitLab Token", "flags": "" },
|
|
25
|
+
{ "regex": "xox[baprs]-[A-Za-z0-9-]{10,120}", "label": "Slack Token", "flags": "" },
|
|
26
|
+
{
|
|
27
|
+
"regex": "https:\\/\\/hooks\\.slack\\.com\\/services\\/[A-Za-z0-9+/]{30,}",
|
|
28
|
+
"label": "Slack Webhook",
|
|
29
|
+
"flags": ""
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"regex": "[A-Za-z0-9]{24}\\.[A-Za-z0-9]{6}\\.[A-Za-z0-9_-]{27}",
|
|
33
|
+
"label": "Discord Token",
|
|
34
|
+
"flags": ""
|
|
35
|
+
},
|
|
36
|
+
{ "regex": "AKIA[0-9A-Z]{16}", "label": "AWS Access Key", "flags": "" },
|
|
37
|
+
{
|
|
38
|
+
"regex": "(?<![A-Za-z0-9])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9])",
|
|
39
|
+
"label": "AWS Secret Key",
|
|
40
|
+
"flags": ""
|
|
41
|
+
},
|
|
42
|
+
{ "regex": "AIza[0-9A-Za-z\\-_]{35}", "label": "Google API Key", "flags": "" },
|
|
43
|
+
{ "regex": "sk_live_[0-9a-zA-Z]{24}", "label": "Stripe Secret", "flags": "" },
|
|
44
|
+
{ "regex": "rk_live_[0-9a-zA-Z]{24}", "label": "Stripe Restricted", "flags": "" },
|
|
45
|
+
{ "regex": "SK[0-9a-fA-F]{32}", "label": "Twilio API Key", "flags": "" },
|
|
46
|
+
{
|
|
47
|
+
"regex": "SG\\.[0-9A-Za-z\\-_]{22}\\.[0-9A-Za-z\\-_]{43}",
|
|
48
|
+
"label": "SendGrid",
|
|
49
|
+
"flags": ""
|
|
50
|
+
},
|
|
51
|
+
{ "regex": "key-[0-9a-fA-F]{32}", "label": "Mailgun", "flags": "" },
|
|
52
|
+
{ "regex": "[A-Z0-9]{32}-[A-Z0-9]{10}", "label": "Algolia", "flags": "" },
|
|
53
|
+
{
|
|
54
|
+
"regex": "heroku[_a-z]*[:=]\\s*['\\\"]?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}",
|
|
55
|
+
"label": "Heroku API token",
|
|
56
|
+
"flags": "i"
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
"regex": "pscale_(?:tkn|pw|oauth)_[A-Za-z0-9._=-]{30,60}",
|
|
60
|
+
"label": "PlanetScale",
|
|
61
|
+
"flags": ""
|
|
62
|
+
},
|
|
63
|
+
{ "regex": "PMAK-[0-9a-f]{24}-[0-9a-f]{34}", "label": "Postman", "flags": "" },
|
|
64
|
+
{ "regex": "AAAA[a-zA-Z0-9_-]{7}:[a-zA-Z0-9_-]{140}", "label": "Firebase", "flags": "" }
|
|
65
|
+
]
|
|
66
|
+
},
|
|
67
|
+
{
|
|
68
|
+
"id": "ansi-escape-sequences",
|
|
69
|
+
"name": "ANSI Escape Sequence Detection",
|
|
70
|
+
"owasp_id": "MCP03",
|
|
71
|
+
"severity": "medium",
|
|
72
|
+
"type": "general-security",
|
|
73
|
+
"description": "Detects ANSI escape codes in tool descriptions that could hide malicious content.",
|
|
74
|
+
"recommendation": "Strip ANSI escape sequences from tool descriptions. Run: npx mcp-shark scan --fix",
|
|
75
|
+
"scope": ["tool"],
|
|
76
|
+
"match_mode": "first",
|
|
77
|
+
"text_field": "description",
|
|
78
|
+
"patterns": [
|
|
79
|
+
{ "regex": "\u001b\\[[0-9;]*[a-zA-Z]", "label": "ANSI escape sequence", "flags": "" }
|
|
80
|
+
],
|
|
81
|
+
"severity_escalation_patterns": [
|
|
82
|
+
{ "regex": "\u001b\\[\\d*[ABCDHJ]", "label": "ANSI cursor movement", "severity": "high" }
|
|
83
|
+
]
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
"id": "dns-rebinding",
|
|
87
|
+
"name": "DNS Rebinding Detection",
|
|
88
|
+
"owasp_id": "MCP07",
|
|
89
|
+
"severity": "high",
|
|
90
|
+
"type": "network-security",
|
|
91
|
+
"description": "Detects servers bound to 0.0.0.0 vulnerable to DNS rebinding attacks.",
|
|
92
|
+
"recommendation": "Bind MCP servers to 127.0.0.1 or localhost instead of 0.0.0.0. Use --host 127.0.0.1 flag.",
|
|
93
|
+
"scope": ["tool"],
|
|
94
|
+
"match_mode": "first",
|
|
95
|
+
"patterns": [
|
|
96
|
+
{ "regex": "0\\.0\\.0\\.0", "flags": "" },
|
|
97
|
+
{ "regex": "--host\\s+0\\.0\\.0\\.0", "flags": "i" },
|
|
98
|
+
{ "regex": "HOST[=:]\\s*0\\.0\\.0\\.0", "flags": "" },
|
|
99
|
+
{ "regex": "listen\\(['\"]0\\.0\\.0\\.0['\"]\\)", "flags": "" },
|
|
100
|
+
{ "regex": "INADDR_ANY", "flags": "" }
|
|
101
|
+
]
|
|
102
|
+
},
|
|
103
|
+
{
|
|
104
|
+
"id": "sensitive-data-exposure",
|
|
105
|
+
"name": "Sensitive Data Exposure",
|
|
106
|
+
"owasp_id": "MCP08",
|
|
107
|
+
"severity": "high",
|
|
108
|
+
"type": "general-security",
|
|
109
|
+
"description": "Detects tools that may expose PII, credentials, or secrets without redaction.",
|
|
110
|
+
"recommendation": "Tools that access sensitive data should redact PII, credentials, and secrets from responses. Apply output filtering.",
|
|
111
|
+
"scope": ["tool"],
|
|
112
|
+
"match_mode": "first",
|
|
113
|
+
"exclude_patterns": ["redact", "mask", "filter", "sanitize", "censor", "strip", "scrub"],
|
|
114
|
+
"patterns": [
|
|
115
|
+
{ "regex": "password", "label": "password field" },
|
|
116
|
+
{ "regex": "credit[_\\s]?card", "label": "credit card data" },
|
|
117
|
+
{ "regex": "social[_\\s]?security", "label": "social security number" },
|
|
118
|
+
{ "regex": "ssn\\b", "label": "SSN field" },
|
|
119
|
+
{ "regex": "private[_\\s]?key", "label": "private key" },
|
|
120
|
+
{ "regex": "secret[_\\s]?key", "label": "secret key" },
|
|
121
|
+
{ "regex": "bearer[_\\s]?token", "label": "bearer token" },
|
|
122
|
+
{ "regex": "access[_\\s]?token", "label": "access token" },
|
|
123
|
+
{ "regex": "refresh[_\\s]?token", "label": "refresh token" },
|
|
124
|
+
{ "regex": "database[_\\s]?url", "label": "database URL" },
|
|
125
|
+
{ "regex": "connection[_\\s]?string", "label": "connection string" }
|
|
126
|
+
]
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
"id": "excessive-permissions",
|
|
130
|
+
"name": "Excessive Permissions",
|
|
131
|
+
"owasp_id": "MCP02",
|
|
132
|
+
"severity": "high",
|
|
133
|
+
"type": "general-security",
|
|
134
|
+
"description": "Detects servers or tools with overly broad permission scopes.",
|
|
135
|
+
"recommendation": "Apply the principle of least privilege. Restrict server permissions to only what is needed for its function.",
|
|
136
|
+
"scope": ["tool"],
|
|
137
|
+
"match_mode": "first",
|
|
138
|
+
"patterns": [
|
|
139
|
+
{ "regex": "\\*:\\*", "label": "wildcard scope (*:*)", "flags": "" },
|
|
140
|
+
{ "regex": "admin[_:]?access", "label": "admin access" },
|
|
141
|
+
{ "regex": "full[_-]?access", "label": "full access" },
|
|
142
|
+
{ "regex": "root[_:]?access", "label": "root access" },
|
|
143
|
+
{ "regex": "sudo\\s", "label": "sudo usage" },
|
|
144
|
+
{ "regex": "--privileged", "label": "privileged flag" },
|
|
145
|
+
{ "regex": "--no-sandbox", "label": "no-sandbox flag" },
|
|
146
|
+
{ "regex": "chmod\\s+777", "label": "chmod 777" },
|
|
147
|
+
{ "regex": "allowAll|allow_all", "label": "allow-all policy" },
|
|
148
|
+
{ "regex": "unrestricted", "label": "unrestricted mode" }
|
|
149
|
+
]
|
|
150
|
+
},
|
|
151
|
+
{
|
|
152
|
+
"id": "path-traversal",
|
|
153
|
+
"name": "Path Traversal Detection",
|
|
154
|
+
"owasp_id": "MCP05",
|
|
155
|
+
"severity": "high",
|
|
156
|
+
"type": "general-security",
|
|
157
|
+
"description": "Detects tools that accept file paths without sanitization, enabling directory traversal.",
|
|
158
|
+
"recommendation": "Validate and sanitize all file paths. Reject paths containing \"..\" or absolute paths outside allowed directories.",
|
|
159
|
+
"scope": ["tool"],
|
|
160
|
+
"match_mode": "first",
|
|
161
|
+
"patterns": [
|
|
162
|
+
{ "regex": "\\.\\.[\\/\\\\]", "label": "literal path traversal (../)", "flags": "" },
|
|
163
|
+
{ "regex": "path[_\\s]*traversal", "label": "path traversal mention" },
|
|
164
|
+
{ "regex": "any\\s+file\\s+path", "label": "unrestricted file path" },
|
|
165
|
+
{ "regex": "arbitrary\\s+(file|path)", "label": "arbitrary file access" },
|
|
166
|
+
{ "regex": "absolute[_\\s]*path", "label": "absolute path accepted" }
|
|
167
|
+
],
|
|
168
|
+
"param_patterns": [
|
|
169
|
+
{ "regex": "^(file_?path|filepath|path|filename|file)$", "label": "file path parameter" }
|
|
170
|
+
]
|
|
171
|
+
}
|
|
172
|
+
]
|
|
173
|
+
}
|
|
@@ -0,0 +1,244 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schema_version": "1.0",
|
|
3
|
+
"pack_id": "owasp-mcp-2026",
|
|
4
|
+
"pack_name": "OWASP MCP Top 10 (2026)",
|
|
5
|
+
"version": "1.0.0",
|
|
6
|
+
"updated": "2026-03-15",
|
|
7
|
+
"source_url": "https://owasp.org/www-project-mcp-top-10/",
|
|
8
|
+
"rules": [
|
|
9
|
+
{
|
|
10
|
+
"id": "mcp01-token-mismanagement",
|
|
11
|
+
"name": "Token Mismanagement & Secret Exposure",
|
|
12
|
+
"owasp_id": "MCP01",
|
|
13
|
+
"severity": "high",
|
|
14
|
+
"type": "owasp-mcp",
|
|
15
|
+
"description": "Detects hard-coded credentials, API keys, and secrets that could be exposed through prompt injection or compromised context.",
|
|
16
|
+
"recommendation": "Move all tokens and secrets to secure storage (environment variables, secret managers). Never embed credentials in MCP server configurations.",
|
|
17
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
18
|
+
"match_mode": "all_matches",
|
|
19
|
+
"severity_overrides": { "prompt": "medium" },
|
|
20
|
+
"patterns": [
|
|
21
|
+
{ "regex": "sk-[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}", "label": "OpenAI", "flags": "" },
|
|
22
|
+
{ "regex": "github_pat_[0-9A-Za-z_]{40,90}", "label": "GitHub PAT", "flags": "" },
|
|
23
|
+
{ "regex": "(ghp|gho|ghs|ghu)_[A-Za-z0-9]{36}", "label": "GitHub Token", "flags": "" },
|
|
24
|
+
{ "regex": "glpat-[0-9A-Za-z\\-_]{20}", "label": "GitLab Token", "flags": "" },
|
|
25
|
+
{ "regex": "xox[baprs]-[A-Za-z0-9-]{10,120}", "label": "Slack Token", "flags": "" },
|
|
26
|
+
{
|
|
27
|
+
"regex": "https:\\/\\/hooks\\.slack\\.com\\/services\\/[A-Za-z0-9+/]{30,}",
|
|
28
|
+
"label": "Slack Webhook",
|
|
29
|
+
"flags": ""
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"regex": "[A-Za-z0-9]{24}\\.[A-Za-z0-9]{6}\\.[A-Za-z0-9_-]{27}",
|
|
33
|
+
"label": "Discord Token",
|
|
34
|
+
"flags": ""
|
|
35
|
+
},
|
|
36
|
+
{ "regex": "AKIA[0-9A-Z]{16}", "label": "AWS Access Key", "flags": "" },
|
|
37
|
+
{
|
|
38
|
+
"regex": "(?<![A-Za-z0-9])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9])",
|
|
39
|
+
"label": "AWS Secret Key",
|
|
40
|
+
"flags": ""
|
|
41
|
+
},
|
|
42
|
+
{ "regex": "AIza[0-9A-Za-z\\-_]{35}", "label": "Google API Key", "flags": "" },
|
|
43
|
+
{ "regex": "sk_live_[0-9a-zA-Z]{24}", "label": "Stripe Secret", "flags": "" },
|
|
44
|
+
{ "regex": "rk_live_[0-9a-zA-Z]{24}", "label": "Stripe Restricted", "flags": "" },
|
|
45
|
+
{ "regex": "SK[0-9a-fA-F]{32}", "label": "Twilio API Key", "flags": "" },
|
|
46
|
+
{
|
|
47
|
+
"regex": "SG\\.[0-9A-Za-z\\-_]{22}\\.[0-9A-Za-z\\-_]{43}",
|
|
48
|
+
"label": "SendGrid",
|
|
49
|
+
"flags": ""
|
|
50
|
+
},
|
|
51
|
+
{ "regex": "key-[0-9a-fA-F]{32}", "label": "Mailgun", "flags": "" },
|
|
52
|
+
{ "regex": "[A-Z0-9]{32}-[A-Z0-9]{10}", "label": "Algolia", "flags": "" },
|
|
53
|
+
{
|
|
54
|
+
"regex": "heroku[_a-z]*[:=]\\s*['\\\"]?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}",
|
|
55
|
+
"label": "Heroku API token",
|
|
56
|
+
"flags": "i"
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
"regex": "pscale_(?:tkn|pw|oauth)_[A-Za-z0-9._=-]{30,60}",
|
|
60
|
+
"label": "PlanetScale",
|
|
61
|
+
"flags": ""
|
|
62
|
+
},
|
|
63
|
+
{ "regex": "PMAK-[0-9a-f]{24}-[0-9a-f]{34}", "label": "Postman", "flags": "" },
|
|
64
|
+
{ "regex": "AAAA[a-zA-Z0-9_-]{7}:[a-zA-Z0-9_-]{140}", "label": "Firebase", "flags": "" }
|
|
65
|
+
]
|
|
66
|
+
},
|
|
67
|
+
{
|
|
68
|
+
"id": "mcp02-scope-creep",
|
|
69
|
+
"name": "Scope Creep Detection",
|
|
70
|
+
"owasp_id": "MCP02",
|
|
71
|
+
"severity": "medium",
|
|
72
|
+
"type": "owasp-mcp",
|
|
73
|
+
"description": "Detects potential privilege escalation via scope creep in tool definitions.",
|
|
74
|
+
"recommendation": "Implement strict scope boundaries for tools. Monitor for unauthorized scope expansion and enforce least privilege principles.",
|
|
75
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
76
|
+
"match_mode": "all_matches",
|
|
77
|
+
"severity_overrides": { "prompt": "low" },
|
|
78
|
+
"patterns": [
|
|
79
|
+
"(?:expand|extend|increase|broaden|widen)\\s+(?:scope|permission|access|capability|authority)",
|
|
80
|
+
"(?:additional|extra|more|further)\\s+(?:privilege|permission|access|right)",
|
|
81
|
+
"(?:escalate|elevate|raise|upgrade)\\s+(?:privilege|permission|access|level)",
|
|
82
|
+
"(?:unrestricted|unlimited|full|complete|total)\\s+(?:access|permission|privilege|control)",
|
|
83
|
+
"(?:bypass|override|circumvent)\\s+(?:restriction|limit|constraint|control)"
|
|
84
|
+
]
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"id": "mcp03-tool-poisoning",
|
|
88
|
+
"name": "Tool Poisoning Detection",
|
|
89
|
+
"owasp_id": "MCP03",
|
|
90
|
+
"severity": "high",
|
|
91
|
+
"type": "owasp-mcp",
|
|
92
|
+
"description": "Detects malicious patterns that could indicate tool poisoning attacks.",
|
|
93
|
+
"recommendation": "Verify tool authenticity and integrity. Implement tool signing and verification mechanisms. Monitor for suspicious tool behavior.",
|
|
94
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
95
|
+
"match_mode": "all_matches",
|
|
96
|
+
"severity_overrides": { "prompt": "medium" },
|
|
97
|
+
"patterns": [
|
|
98
|
+
"(?:malicious|harmful|dangerous|exploit|attack|backdoor|trojan|virus)",
|
|
99
|
+
"(?:unauthorized|illegitimate|fake|spoofed|forged|tampered)",
|
|
100
|
+
"(?:steal|exfiltrate|leak|extract)\\s+(?:data|information|credentials|secrets)",
|
|
101
|
+
"(?:delete|remove|destroy|wipe|erase)\\s+(?:file|data|information)",
|
|
102
|
+
"(?:override|bypass|disable)\\s+(?:security|protection|safeguard|control)",
|
|
103
|
+
"(?:hidden|concealed|obfuscated|encoded)\\s+(?:functionality|behavior|action)"
|
|
104
|
+
]
|
|
105
|
+
},
|
|
106
|
+
{
|
|
107
|
+
"id": "mcp04-supply-chain",
|
|
108
|
+
"name": "Supply Chain Vulnerability Detection",
|
|
109
|
+
"owasp_id": "MCP04",
|
|
110
|
+
"severity": "high",
|
|
111
|
+
"type": "owasp-mcp",
|
|
112
|
+
"description": "Detects potential supply chain vulnerabilities in MCP configurations.",
|
|
113
|
+
"recommendation": "Pin all dependencies to specific versions. Verify package integrity and signatures. Use trusted repositories and registries.",
|
|
114
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
115
|
+
"match_mode": "all_matches",
|
|
116
|
+
"severity_overrides": { "prompt": "medium" },
|
|
117
|
+
"patterns": [
|
|
118
|
+
"(?:unsigned|unverified|untrusted|unauthenticated)\\s+(?:package|dependency|module|library)",
|
|
119
|
+
"(?:tampered|modified|altered|compromised)\\s+(?:package|dependency|module|library)",
|
|
120
|
+
"(?:dependency|package|module)\\s+(?:confusion|substitution|hijacking)",
|
|
121
|
+
"(?:typosquatting|brandjacking|namespace)\\s+(?:package|dependency|module)",
|
|
122
|
+
"(?:unpinned|floating|wildcard)\\s+(?:version|dependency|package)",
|
|
123
|
+
"(?:from|source)\\s+(?:unknown|unverified|suspicious|untrusted)\\s+(?:source|repository|registry)"
|
|
124
|
+
]
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"id": "mcp06-prompt-injection",
|
|
128
|
+
"name": "Prompt Injection Detection",
|
|
129
|
+
"owasp_id": "MCP06",
|
|
130
|
+
"severity": "high",
|
|
131
|
+
"type": "owasp-mcp",
|
|
132
|
+
"description": "Detects prompt injection attempts via contextual payloads and suspicious tool names.",
|
|
133
|
+
"recommendation": "Implement prompt injection defenses. Validate and sanitize all user inputs. Use prompt isolation and output filtering.",
|
|
134
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
135
|
+
"match_mode": "all_matches",
|
|
136
|
+
"severity_overrides": { "prompt": "critical" },
|
|
137
|
+
"patterns": [
|
|
138
|
+
"(?:ignore|forget|disregard)\\s+(?:\\w+\\s+)*(?:previous|prior|earlier|above|instructions|prompts|system)",
|
|
139
|
+
"(?:new|different|override|replace)\\s+(?:instructions|prompt|system|rules)",
|
|
140
|
+
"(?:you\\s+are|act\\s+as|pretend\\s+to\\s+be|roleplay\\s+as)",
|
|
141
|
+
"(?:system|admin|root|sudo)\\s+(?:access|privilege|permission|command)",
|
|
142
|
+
"(?:extract|reveal|show|display|output)\\s+(?:system|prompt|instruction|secret|password|token)",
|
|
143
|
+
"(?:execute|run|perform)\\s+(?:arbitrary|any|unrestricted|unlimited)\\s+(?:command|action|code)"
|
|
144
|
+
],
|
|
145
|
+
"tool_name_patterns": [
|
|
146
|
+
{
|
|
147
|
+
"regex": "instruction_?override",
|
|
148
|
+
"label": "Instruction Override Tool",
|
|
149
|
+
"severity": "critical"
|
|
150
|
+
},
|
|
151
|
+
{
|
|
152
|
+
"regex": "system_?prompt|systemprompt",
|
|
153
|
+
"label": "System Prompt Access Tool",
|
|
154
|
+
"severity": "critical"
|
|
155
|
+
},
|
|
156
|
+
{
|
|
157
|
+
"regex": "ignore_?instruction",
|
|
158
|
+
"label": "Ignore Instruction Tool",
|
|
159
|
+
"severity": "critical"
|
|
160
|
+
},
|
|
161
|
+
{ "regex": "bypass_?security", "label": "Security Bypass Tool", "severity": "critical" },
|
|
162
|
+
{ "regex": "admin_?override", "label": "Admin Override Tool", "severity": "critical" },
|
|
163
|
+
{ "regex": "privilege_?escalat", "label": "Privilege Escalation Tool", "severity": "high" },
|
|
164
|
+
{ "regex": "sudo|root_?access", "label": "Elevated Privilege Tool", "severity": "high" },
|
|
165
|
+
{ "regex": "hidden_?command", "label": "Hidden Command Tool", "severity": "high" },
|
|
166
|
+
{ "regex": "secret_?access", "label": "Secret Access Tool", "severity": "high" }
|
|
167
|
+
]
|
|
168
|
+
},
|
|
169
|
+
{
|
|
170
|
+
"id": "mcp07-insufficient-auth",
|
|
171
|
+
"name": "Insufficient Authentication Detection",
|
|
172
|
+
"owasp_id": "MCP07",
|
|
173
|
+
"severity": "high",
|
|
174
|
+
"type": "owasp-mcp",
|
|
175
|
+
"description": "Detects potential authentication and authorization weaknesses.",
|
|
176
|
+
"recommendation": "Implement proper authentication and authorization mechanisms. Enforce access controls for all tools and resources.",
|
|
177
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
178
|
+
"match_mode": "all_matches",
|
|
179
|
+
"severity_overrides": { "prompt": "medium" },
|
|
180
|
+
"patterns": [
|
|
181
|
+
"(?:no|missing|lack|absent|without)\\s+(?:authentication|auth|authorization|authz|access\\s+control)",
|
|
182
|
+
"(?:public|open|unrestricted|unprotected|unsecured)\\s+(?:access|endpoint|api|tool|resource)",
|
|
183
|
+
"(?:anonymous|guest|unauthenticated)\\s+(?:user|access|request)",
|
|
184
|
+
"(?:skip|bypass|ignore|disable)\\s+(?:authentication|auth|authorization|check|validation)",
|
|
185
|
+
"(?:weak|insecure|poor|insufficient)\\s+(?:authentication|auth|authorization|security)"
|
|
186
|
+
]
|
|
187
|
+
},
|
|
188
|
+
{
|
|
189
|
+
"id": "mcp08-lack-audit",
|
|
190
|
+
"name": "Lack of Audit Detection",
|
|
191
|
+
"owasp_id": "MCP08",
|
|
192
|
+
"severity": "medium",
|
|
193
|
+
"type": "owasp-mcp",
|
|
194
|
+
"description": "Detects potential lack of audit trails and telemetry.",
|
|
195
|
+
"recommendation": "Implement comprehensive logging, audit trails, and telemetry. Monitor all tool usage and resource access.",
|
|
196
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
197
|
+
"match_mode": "all_matches",
|
|
198
|
+
"severity_overrides": { "prompt": "low" },
|
|
199
|
+
"patterns": [
|
|
200
|
+
"(?:no|missing|lack|absent|without)\\s+(?:logging|log|audit|telemetry|monitoring|tracking)",
|
|
201
|
+
"(?:disable|turn\\s+off|remove)\\s+(?:logging|log|audit|telemetry|monitoring)",
|
|
202
|
+
"(?:silent|quiet|no\\s+output)\\s+(?:mode|operation|execution)",
|
|
203
|
+
"(?:unlogged|unmonitored|untracked)\\s+(?:action|operation|event|access)"
|
|
204
|
+
]
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"id": "mcp09-shadow-servers",
|
|
208
|
+
"name": "Shadow Server Detection",
|
|
209
|
+
"owasp_id": "MCP09",
|
|
210
|
+
"severity": "high",
|
|
211
|
+
"type": "owasp-mcp",
|
|
212
|
+
"description": "Detects potential unauthorized or shadow MCP server deployments.",
|
|
213
|
+
"recommendation": "Maintain an inventory of all MCP servers. Implement server registration and approval processes. Monitor for unauthorized deployments.",
|
|
214
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
215
|
+
"match_mode": "all_matches",
|
|
216
|
+
"severity_overrides": { "prompt": "medium" },
|
|
217
|
+
"patterns": [
|
|
218
|
+
"(?:unauthorized|unmanaged|unapproved|unofficial)\\s+(?:server|service|instance|deployment)",
|
|
219
|
+
"(?:shadow|rogue|hidden|concealed|undocumented)\\s+(?:server|service|instance|deployment)",
|
|
220
|
+
"(?:bypass|circumvent|avoid)\\s+(?:approval|review|governance|management|control)",
|
|
221
|
+
"(?:unregistered|unlisted|unmonitored)\\s+(?:server|service|instance|deployment)"
|
|
222
|
+
]
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
"id": "mcp10-context-injection",
|
|
226
|
+
"name": "Context Injection Detection",
|
|
227
|
+
"owasp_id": "MCP10",
|
|
228
|
+
"severity": "medium",
|
|
229
|
+
"type": "owasp-mcp",
|
|
230
|
+
"description": "Detects context injection and over-sharing vulnerabilities.",
|
|
231
|
+
"recommendation": "Implement context isolation and filtering. Limit context sharing between tools and servers. Validate all context data.",
|
|
232
|
+
"scope": ["tool", "prompt", "resource", "packet"],
|
|
233
|
+
"match_mode": "all_matches",
|
|
234
|
+
"severity_overrides": { "prompt": "high" },
|
|
235
|
+
"patterns": [
|
|
236
|
+
"(?:over-share|overshare|excessive|too\\s+much)\\s+(?:context|information|data|details)",
|
|
237
|
+
"(?:share|expose|reveal|leak)\\s+(?:all|entire|full|complete|everything)\\s+(?:context|information|data)",
|
|
238
|
+
"(?:inject|insert)\\s+(?:context|information|data|payload)\\s+(?:into|to|in)",
|
|
239
|
+
"(?:context|information|data)\\s+(?:injection|manipulation|tampering|poisoning)",
|
|
240
|
+
"(?:unrestricted|unlimited|unfiltered)\\s+(?:context|information|data)\\s+(?:sharing|access|transfer)"
|
|
241
|
+
]
|
|
242
|
+
}
|
|
243
|
+
]
|
|
244
|
+
}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schema_version": "1.0",
|
|
3
|
+
"pack_id": "toxic-flow-heuristics",
|
|
4
|
+
"pack_name": "Toxic flow capability-pair heuristics",
|
|
5
|
+
"version": "1.0.0",
|
|
6
|
+
"updated": "2026-04-05",
|
|
7
|
+
"source_url": "https://github.com/mcp-shark/rule-packs",
|
|
8
|
+
"description": "Cross-server toxic flow rules consumed by analyzeToxicFlows (CLI, HTML report, proxy traffic panel). Declarative rules[] is empty; heuristics live in toxic_flow_rules.",
|
|
9
|
+
"rules": [],
|
|
10
|
+
"toxic_flow_rules": [
|
|
11
|
+
{
|
|
12
|
+
"source": "writes_code",
|
|
13
|
+
"target": "sends_external",
|
|
14
|
+
"risk": "HIGH",
|
|
15
|
+
"title": "Code change \u2192 external disclosure",
|
|
16
|
+
"scenario": "The agent could alter code or repos via {source} and leak implementation details, tokens, or other sensitive context through {target}.",
|
|
17
|
+
"catalog": "\u00a71.2, \u00a71.10",
|
|
18
|
+
"owasp": "MCP03 + MCP06"
|
|
19
|
+
}
|
|
20
|
+
]
|
|
21
|
+
}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
[
|
|
2
|
+
{ "pattern": "^ghp_[a-zA-Z0-9]{36,}$", "name": "GitHub PAT", "severity": "high" },
|
|
3
|
+
{ "pattern": "^gho_[a-zA-Z0-9]{36,}$", "name": "GitHub OAuth", "severity": "high" },
|
|
4
|
+
{ "pattern": "^sk-[a-zA-Z0-9]{20,}$", "name": "API Key (sk-)", "severity": "high" },
|
|
5
|
+
{ "pattern": "^xoxb-", "name": "Slack Bot Token", "severity": "high" },
|
|
6
|
+
{ "pattern": "^xoxp-", "name": "Slack User Token", "severity": "critical" },
|
|
7
|
+
{ "pattern": "^AKIA[A-Z0-9]{16}$", "name": "AWS Access Key", "severity": "critical" },
|
|
8
|
+
{ "pattern": "^glpat-", "name": "GitLab PAT", "severity": "high" },
|
|
9
|
+
{ "pattern": "^npm_[a-zA-Z0-9]{36,}$", "name": "npm Token", "severity": "high" },
|
|
10
|
+
{ "pattern": "^[a-f0-9]{40}$", "name": "Hex Token (40 chars)", "severity": "medium" },
|
|
11
|
+
{ "pattern": "^AIza[a-zA-Z0-9_-]{35}$", "name": "Google API Key", "severity": "high" },
|
|
12
|
+
{
|
|
13
|
+
"pattern": "^SG\\.[a-zA-Z0-9_-]+\\.[a-zA-Z0-9_-]+$",
|
|
14
|
+
"name": "SendGrid Key",
|
|
15
|
+
"severity": "high"
|
|
16
|
+
},
|
|
17
|
+
{ "pattern": "^sk_live_[a-zA-Z0-9]+$", "name": "Stripe Live Key", "severity": "critical" }
|
|
18
|
+
]
|