@safebrowse/daemon 0.1.2-rc.1
- package/LICENSE +15 -0
- package/README.md +31 -0
- package/dist/cli.d.ts +8 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +93 -0
- package/dist/cli.js.map +1 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +21 -0
- package/dist/index.js.map +1 -0
- package/dist/loaders.d.ts +23 -0
- package/dist/loaders.d.ts.map +1 -0
- package/dist/loaders.js +181 -0
- package/dist/loaders.js.map +1 -0
- package/dist/runtime/config/adapter-registry.json +65 -0
- package/dist/runtime/config/adapter-registry.json.sig +1 -0
- package/dist/runtime/config/v2-compromised-fixtures.json +34 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_action_integrity_patterns.json +1411 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_artifact_surface_patterns.json +891 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_evaluation_scenarios.json +217 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_incident_response_playbooks.json +209 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json +143 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json.sig +1 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip +0 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip.sig +1 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json +803 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json +686 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_prompt_injection_patterns.json +9930 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_source_registry.json +345 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_tool_protocol_supply_chain_patterns.json +879 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_trust_signals_provenance.json +480 -0
- package/dist/runtime/knowledge_base/signing/safebrowse_vf_ed25519_public.pem +3 -0
- package/dist/runtime/policies/base/research.yaml +56 -0
- package/dist/runtime/policies/emergency/default.yaml +14 -0
- package/dist/runtime/policies/project/default.yaml +13 -0
- package/dist/runtime/policies/tenant/default.yaml +12 -0
- package/dist/server.d.ts +14 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +195 -0
- package/dist/server.js.map +1 -0
- package/package.json +53 -0
|
@@ -0,0 +1,879 @@
|
|
|
1
|
+
{
|
|
2
|
+
"kb_meta": {
|
|
3
|
+
"name": "SafeBrowse vf tool/protocol/supply-chain patterns",
|
|
4
|
+
"version": "vf-final",
|
|
5
|
+
"generated_on": "2026-03-28",
|
|
6
|
+
"entry_count": 40,
|
|
7
|
+
"purpose": "Patterns for tool manifests, MCP/OAuth flows, SSRF, session hijacking, and adapter trust."
|
|
8
|
+
},
|
|
9
|
+
"entries": [
|
|
10
|
+
{
|
|
11
|
+
"pattern_id": "TP-01-01",
|
|
12
|
+
"family_key": "malicious_tool_description",
|
|
13
|
+
"family_name": "Malicious tool descriptions and schemas",
|
|
14
|
+
"pattern_name": "Injected tool description for target task",
|
|
15
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
16
|
+
"summary": "Tool manifests, descriptions, or schemas contain manipulative text that influences retrieval or selection.",
|
|
17
|
+
"surface_kind": "tool_manifest",
|
|
18
|
+
"default_controls": [
|
|
19
|
+
"tool manifest linting",
|
|
20
|
+
"separate tool-selection critic",
|
|
21
|
+
"schema sanitization",
|
|
22
|
+
"signed allowlisted tool registry"
|
|
23
|
+
],
|
|
24
|
+
"source_ids": [
|
|
25
|
+
"SRC_TOOLHIJACKER_NDSS_2026",
|
|
26
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
27
|
+
"SRC_LLAMAFIREWALL_DOCS_2026"
|
|
28
|
+
],
|
|
29
|
+
"credibility": "high",
|
|
30
|
+
"last_verified": "2026-03-28"
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"pattern_id": "TP-01-02",
|
|
34
|
+
"family_key": "malicious_tool_description",
|
|
35
|
+
"family_name": "Malicious tool descriptions and schemas",
|
|
36
|
+
"pattern_name": "Schema field descriptions steer misuse",
|
|
37
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
38
|
+
"summary": "Tool manifests, descriptions, or schemas contain manipulative text that influences retrieval or selection.",
|
|
39
|
+
"surface_kind": "tool_schema",
|
|
40
|
+
"default_controls": [
|
|
41
|
+
"tool manifest linting",
|
|
42
|
+
"separate tool-selection critic",
|
|
43
|
+
"schema sanitization",
|
|
44
|
+
"signed allowlisted tool registry"
|
|
45
|
+
],
|
|
46
|
+
"source_ids": [
|
|
47
|
+
"SRC_TOOLHIJACKER_NDSS_2026",
|
|
48
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
49
|
+
"SRC_LLAMAFIREWALL_DOCS_2026"
|
|
50
|
+
],
|
|
51
|
+
"credibility": "high",
|
|
52
|
+
"last_verified": "2026-03-28"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"pattern_id": "TP-01-03",
|
|
56
|
+
"family_key": "malicious_tool_description",
|
|
57
|
+
"family_name": "Malicious tool descriptions and schemas",
|
|
58
|
+
"pattern_name": "Example payload smuggles hidden instruction",
|
|
59
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
60
|
+
"summary": "Tool manifests, descriptions, or schemas contain manipulative text that influences retrieval or selection.",
|
|
61
|
+
"surface_kind": "tool_example",
|
|
62
|
+
"default_controls": [
|
|
63
|
+
"tool manifest linting",
|
|
64
|
+
"separate tool-selection critic",
|
|
65
|
+
"schema sanitization",
|
|
66
|
+
"signed allowlisted tool registry"
|
|
67
|
+
],
|
|
68
|
+
"source_ids": [
|
|
69
|
+
"SRC_TOOLHIJACKER_NDSS_2026",
|
|
70
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
71
|
+
"SRC_LLAMAFIREWALL_DOCS_2026"
|
|
72
|
+
],
|
|
73
|
+
"credibility": "high",
|
|
74
|
+
"last_verified": "2026-03-28"
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
"pattern_id": "TP-01-04",
|
|
78
|
+
"family_key": "malicious_tool_description",
|
|
79
|
+
"family_name": "Malicious tool descriptions and schemas",
|
|
80
|
+
"pattern_name": "Ranking-biased tool metadata",
|
|
81
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
82
|
+
"summary": "Tool manifests, descriptions, or schemas contain manipulative text that influences retrieval or selection.",
|
|
83
|
+
"surface_kind": "tool_metadata",
|
|
84
|
+
"default_controls": [
|
|
85
|
+
"tool manifest linting",
|
|
86
|
+
"separate tool-selection critic",
|
|
87
|
+
"schema sanitization",
|
|
88
|
+
"signed allowlisted tool registry"
|
|
89
|
+
],
|
|
90
|
+
"source_ids": [
|
|
91
|
+
"SRC_TOOLHIJACKER_NDSS_2026",
|
|
92
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
93
|
+
"SRC_LLAMAFIREWALL_DOCS_2026"
|
|
94
|
+
],
|
|
95
|
+
"credibility": "high",
|
|
96
|
+
"last_verified": "2026-03-28"
|
|
97
|
+
},
|
|
98
|
+
{
|
|
99
|
+
"pattern_id": "TP-02-01",
|
|
100
|
+
"family_key": "dynamic_tool_list_change",
|
|
101
|
+
"family_name": "Dynamic tool-list mutation",
|
|
102
|
+
"pattern_name": "Unexpected tool appears mid-session",
|
|
103
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
104
|
+
"summary": "Available tools change during a session and the agent could consume unreviewed capabilities.",
|
|
105
|
+
"surface_kind": "tool_list_changed",
|
|
106
|
+
"default_controls": [
|
|
107
|
+
"tool inventory snapshots",
|
|
108
|
+
"delta approval",
|
|
109
|
+
"signed registry comparison",
|
|
110
|
+
"capability diff alerts"
|
|
111
|
+
],
|
|
112
|
+
"source_ids": [
|
|
113
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
114
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
115
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
116
|
+
],
|
|
117
|
+
"credibility": "high",
|
|
118
|
+
"last_verified": "2026-03-28"
|
|
119
|
+
},
|
|
120
|
+
{
|
|
121
|
+
"pattern_id": "TP-02-02",
|
|
122
|
+
"family_key": "dynamic_tool_list_change",
|
|
123
|
+
"family_name": "Dynamic tool-list mutation",
|
|
124
|
+
"pattern_name": "Capability set expands after reconnect",
|
|
125
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
126
|
+
"summary": "Available tools change during a session and the agent could consume unreviewed capabilities.",
|
|
127
|
+
"surface_kind": "tool_list_changed",
|
|
128
|
+
"default_controls": [
|
|
129
|
+
"tool inventory snapshots",
|
|
130
|
+
"delta approval",
|
|
131
|
+
"signed registry comparison",
|
|
132
|
+
"capability diff alerts"
|
|
133
|
+
],
|
|
134
|
+
"source_ids": [
|
|
135
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
136
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
137
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
138
|
+
],
|
|
139
|
+
"credibility": "high",
|
|
140
|
+
"last_verified": "2026-03-28"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"pattern_id": "TP-02-03",
|
|
144
|
+
"family_key": "dynamic_tool_list_change",
|
|
145
|
+
"family_name": "Dynamic tool-list mutation",
|
|
146
|
+
"pattern_name": "Tool alias masks new capability",
|
|
147
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
148
|
+
"summary": "Available tools change during a session and the agent could consume unreviewed capabilities.",
|
|
149
|
+
"surface_kind": "tool_alias",
|
|
150
|
+
"default_controls": [
|
|
151
|
+
"tool inventory snapshots",
|
|
152
|
+
"delta approval",
|
|
153
|
+
"signed registry comparison",
|
|
154
|
+
"capability diff alerts"
|
|
155
|
+
],
|
|
156
|
+
"source_ids": [
|
|
157
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
158
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
159
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
160
|
+
],
|
|
161
|
+
"credibility": "high",
|
|
162
|
+
"last_verified": "2026-03-28"
|
|
163
|
+
},
|
|
164
|
+
{
|
|
165
|
+
"pattern_id": "TP-02-04",
|
|
166
|
+
"family_key": "dynamic_tool_list_change",
|
|
167
|
+
"family_name": "Dynamic tool-list mutation",
|
|
168
|
+
"pattern_name": "Third-party plugin injects extra tool",
|
|
169
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
170
|
+
"summary": "Available tools change during a session and the agent could consume unreviewed capabilities.",
|
|
171
|
+
"surface_kind": "plugin_tool_add",
|
|
172
|
+
"default_controls": [
|
|
173
|
+
"tool inventory snapshots",
|
|
174
|
+
"delta approval",
|
|
175
|
+
"signed registry comparison",
|
|
176
|
+
"capability diff alerts"
|
|
177
|
+
],
|
|
178
|
+
"source_ids": [
|
|
179
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
180
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
181
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
182
|
+
],
|
|
183
|
+
"credibility": "high",
|
|
184
|
+
"last_verified": "2026-03-28"
|
|
185
|
+
},
|
|
186
|
+
{
|
|
187
|
+
"pattern_id": "TP-03-01",
|
|
188
|
+
"family_key": "token_passthrough",
|
|
189
|
+
"family_name": "Token passthrough and audience confusion",
|
|
190
|
+
"pattern_name": "Client token forwarded to downstream API",
|
|
191
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
192
|
+
"summary": "Tokens intended for one service are forwarded or reused without audience validation.",
|
|
193
|
+
"surface_kind": "token_forward",
|
|
194
|
+
"default_controls": [
|
|
195
|
+
"audience validation",
|
|
196
|
+
"token exchange at broker",
|
|
197
|
+
"server-issued credentials only",
|
|
198
|
+
"per-client audit context"
|
|
199
|
+
],
|
|
200
|
+
"source_ids": [
|
|
201
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
202
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
203
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
204
|
+
],
|
|
205
|
+
"credibility": "high",
|
|
206
|
+
"last_verified": "2026-03-28"
|
|
207
|
+
},
|
|
208
|
+
{
|
|
209
|
+
"pattern_id": "TP-03-02",
|
|
210
|
+
"family_key": "token_passthrough",
|
|
211
|
+
"family_name": "Token passthrough and audience confusion",
|
|
212
|
+
"pattern_name": "Opaque upstream token accepted without validation",
|
|
213
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
214
|
+
"summary": "Tokens intended for one service are forwarded or reused without audience validation.",
|
|
215
|
+
"surface_kind": "token_accept",
|
|
216
|
+
"default_controls": [
|
|
217
|
+
"audience validation",
|
|
218
|
+
"token exchange at broker",
|
|
219
|
+
"server-issued credentials only",
|
|
220
|
+
"per-client audit context"
|
|
221
|
+
],
|
|
222
|
+
"source_ids": [
|
|
223
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
224
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
225
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
226
|
+
],
|
|
227
|
+
"credibility": "high",
|
|
228
|
+
"last_verified": "2026-03-28"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"pattern_id": "TP-03-03",
|
|
232
|
+
"family_key": "token_passthrough",
|
|
233
|
+
"family_name": "Token passthrough and audience confusion",
|
|
234
|
+
"pattern_name": "Shared token reused across services",
|
|
235
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
236
|
+
"summary": "Tokens intended for one service are forwarded or reused without audience validation.",
|
|
237
|
+
"surface_kind": "token_reuse",
|
|
238
|
+
"default_controls": [
|
|
239
|
+
"audience validation",
|
|
240
|
+
"token exchange at broker",
|
|
241
|
+
"server-issued credentials only",
|
|
242
|
+
"per-client audit context"
|
|
243
|
+
],
|
|
244
|
+
"source_ids": [
|
|
245
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
246
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
247
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
248
|
+
],
|
|
249
|
+
"credibility": "high",
|
|
250
|
+
"last_verified": "2026-03-28"
|
|
251
|
+
},
|
|
252
|
+
{
|
|
253
|
+
"pattern_id": "TP-03-04",
|
|
254
|
+
"family_key": "token_passthrough",
|
|
255
|
+
"family_name": "Token passthrough and audience confusion",
|
|
256
|
+
"pattern_name": "Audit trail loss from passthrough proxying",
|
|
257
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
258
|
+
"summary": "Tokens intended for one service are forwarded or reused without audience validation.",
|
|
259
|
+
"surface_kind": "audit_gap",
|
|
260
|
+
"default_controls": [
|
|
261
|
+
"audience validation",
|
|
262
|
+
"token exchange at broker",
|
|
263
|
+
"server-issued credentials only",
|
|
264
|
+
"per-client audit context"
|
|
265
|
+
],
|
|
266
|
+
"source_ids": [
|
|
267
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
268
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
269
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
270
|
+
],
|
|
271
|
+
"credibility": "high",
|
|
272
|
+
"last_verified": "2026-03-28"
|
|
273
|
+
},
|
|
274
|
+
{
|
|
275
|
+
"pattern_id": "TP-04-01",
|
|
276
|
+
"family_key": "oauth_confused_deputy",
|
|
277
|
+
"family_name": "OAuth confused deputy via MCP proxying",
|
|
278
|
+
"pattern_name": "Consent-cookie reuse attack",
|
|
279
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
280
|
+
"summary": "Static client IDs, dynamic registration, and weak consent flows enable token theft or unauthorized consent reuse.",
|
|
281
|
+
"surface_kind": "oauth_proxy",
|
|
282
|
+
"default_controls": [
|
|
283
|
+
"per-client consent store",
|
|
284
|
+
"exact redirect URI matching",
|
|
285
|
+
"single-use state",
|
|
286
|
+
"client registry"
|
|
287
|
+
],
|
|
288
|
+
"source_ids": [
|
|
289
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
290
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
291
|
+
],
|
|
292
|
+
"credibility": "high",
|
|
293
|
+
"last_verified": "2026-03-28"
|
|
294
|
+
},
|
|
295
|
+
{
|
|
296
|
+
"pattern_id": "TP-04-02",
|
|
297
|
+
"family_key": "oauth_confused_deputy",
|
|
298
|
+
"family_name": "OAuth confused deputy via MCP proxying",
|
|
299
|
+
"pattern_name": "Malicious dynamic client registration",
|
|
300
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
301
|
+
"summary": "Static client IDs, dynamic registration, and weak consent flows enable token theft or unauthorized consent reuse.",
|
|
302
|
+
"surface_kind": "oauth_proxy",
|
|
303
|
+
"default_controls": [
|
|
304
|
+
"per-client consent store",
|
|
305
|
+
"exact redirect URI matching",
|
|
306
|
+
"single-use state",
|
|
307
|
+
"client registry"
|
|
308
|
+
],
|
|
309
|
+
"source_ids": [
|
|
310
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
311
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
312
|
+
],
|
|
313
|
+
"credibility": "high",
|
|
314
|
+
"last_verified": "2026-03-28"
|
|
315
|
+
},
|
|
316
|
+
{
|
|
317
|
+
"pattern_id": "TP-04-03",
|
|
318
|
+
"family_key": "oauth_confused_deputy",
|
|
319
|
+
"family_name": "OAuth confused deputy via MCP proxying",
|
|
320
|
+
"pattern_name": "State/consent mismatch",
|
|
321
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
322
|
+
"summary": "Static client IDs, dynamic registration, and weak consent flows enable token theft or unauthorized consent reuse.",
|
|
323
|
+
"surface_kind": "oauth_state",
|
|
324
|
+
"default_controls": [
|
|
325
|
+
"per-client consent store",
|
|
326
|
+
"exact redirect URI matching",
|
|
327
|
+
"single-use state",
|
|
328
|
+
"client registry"
|
|
329
|
+
],
|
|
330
|
+
"source_ids": [
|
|
331
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
332
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
333
|
+
],
|
|
334
|
+
"credibility": "high",
|
|
335
|
+
"last_verified": "2026-03-28"
|
|
336
|
+
},
|
|
337
|
+
{
|
|
338
|
+
"pattern_id": "TP-04-04",
|
|
339
|
+
"family_key": "oauth_confused_deputy",
|
|
340
|
+
"family_name": "OAuth confused deputy via MCP proxying",
|
|
341
|
+
"pattern_name": "Unauthorized client approval reuse",
|
|
342
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
343
|
+
"summary": "Static client IDs, dynamic registration, and weak consent flows enable token theft or unauthorized consent reuse.",
|
|
344
|
+
"surface_kind": "oauth_consent",
|
|
345
|
+
"default_controls": [
|
|
346
|
+
"per-client consent store",
|
|
347
|
+
"exact redirect URI matching",
|
|
348
|
+
"single-use state",
|
|
349
|
+
"client registry"
|
|
350
|
+
],
|
|
351
|
+
"source_ids": [
|
|
352
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
353
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
354
|
+
],
|
|
355
|
+
"credibility": "high",
|
|
356
|
+
"last_verified": "2026-03-28"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"pattern_id": "TP-05-01",
|
|
360
|
+
"family_key": "redirect_uri_abuse",
|
|
361
|
+
"family_name": "Redirect URI abuse and callback interception",
|
|
362
|
+
"pattern_name": "Malicious redirect_uri parameter",
|
|
363
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
364
|
+
"summary": "Authorization codes or tokens are redirected to attacker-controlled endpoints through malformed or changed redirect URIs.",
|
|
365
|
+
"surface_kind": "redirect_uri",
|
|
366
|
+
"default_controls": [
|
|
367
|
+
"exact redirect comparison",
|
|
368
|
+
"registered callback allowlist",
|
|
369
|
+
"HTTPS-only production",
|
|
370
|
+
"post-consent validation"
|
|
371
|
+
],
|
|
372
|
+
"source_ids": [
|
|
373
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
374
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
375
|
+
],
|
|
376
|
+
"credibility": "high",
|
|
377
|
+
"last_verified": "2026-03-28"
|
|
378
|
+
},
|
|
379
|
+
{
|
|
380
|
+
"pattern_id": "TP-05-02",
|
|
381
|
+
"family_key": "redirect_uri_abuse",
|
|
382
|
+
"family_name": "Redirect URI abuse and callback interception",
|
|
383
|
+
"pattern_name": "Wildcard redirect matching",
|
|
384
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
385
|
+
"summary": "Authorization codes or tokens are redirected to attacker-controlled endpoints through malformed or changed redirect URIs.",
|
|
386
|
+
"surface_kind": "redirect_uri",
|
|
387
|
+
"default_controls": [
|
|
388
|
+
"exact redirect comparison",
|
|
389
|
+
"registered callback allowlist",
|
|
390
|
+
"HTTPS-only production",
|
|
391
|
+
"post-consent validation"
|
|
392
|
+
],
|
|
393
|
+
"source_ids": [
|
|
394
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
395
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
396
|
+
],
|
|
397
|
+
"credibility": "high",
|
|
398
|
+
"last_verified": "2026-03-28"
|
|
399
|
+
},
|
|
400
|
+
{
|
|
401
|
+
"pattern_id": "TP-05-03",
|
|
402
|
+
"family_key": "redirect_uri_abuse",
|
|
403
|
+
"family_name": "Redirect URI abuse and callback interception",
|
|
404
|
+
"pattern_name": "Callback host substitution",
|
|
405
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
406
|
+
"summary": "Authorization codes or tokens are redirected to attacker-controlled endpoints through malformed or changed redirect URIs.",
|
|
407
|
+
"surface_kind": "redirect_uri",
|
|
408
|
+
"default_controls": [
|
|
409
|
+
"exact redirect comparison",
|
|
410
|
+
"registered callback allowlist",
|
|
411
|
+
"HTTPS-only production",
|
|
412
|
+
"post-consent validation"
|
|
413
|
+
],
|
|
414
|
+
"source_ids": [
|
|
415
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
416
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
417
|
+
],
|
|
418
|
+
"credibility": "high",
|
|
419
|
+
"last_verified": "2026-03-28"
|
|
420
|
+
},
|
|
421
|
+
{
|
|
422
|
+
"pattern_id": "TP-05-04",
|
|
423
|
+
"family_key": "redirect_uri_abuse",
|
|
424
|
+
"family_name": "Redirect URI abuse and callback interception",
|
|
425
|
+
"pattern_name": "Unvalidated post-auth redirect",
|
|
426
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
427
|
+
"summary": "Authorization codes or tokens are redirected to attacker-controlled endpoints through malformed or changed redirect URIs.",
|
|
428
|
+
"surface_kind": "redirect_uri",
|
|
429
|
+
"default_controls": [
|
|
430
|
+
"exact redirect comparison",
|
|
431
|
+
"registered callback allowlist",
|
|
432
|
+
"HTTPS-only production",
|
|
433
|
+
"post-consent validation"
|
|
434
|
+
],
|
|
435
|
+
"source_ids": [
|
|
436
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
437
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
438
|
+
],
|
|
439
|
+
"credibility": "high",
|
|
440
|
+
"last_verified": "2026-03-28"
|
|
441
|
+
},
|
|
442
|
+
{
|
|
443
|
+
"pattern_id": "TP-06-01",
|
|
444
|
+
"family_key": "ssrf_oauth_discovery",
|
|
445
|
+
"family_name": "SSRF in OAuth and metadata discovery",
|
|
446
|
+
"pattern_name": "resource_metadata points to internal IP",
|
|
447
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
448
|
+
"summary": "Tool/protocol discovery fetches attacker-controlled URLs that reach internal networks, cloud metadata, or protected services.",
|
|
449
|
+
"surface_kind": "ssrf",
|
|
450
|
+
"default_controls": [
|
|
451
|
+
"egress proxy",
|
|
452
|
+
"private-range blocking",
|
|
453
|
+
"redirect validation per hop",
|
|
454
|
+
"HTTPS enforcement"
|
|
455
|
+
],
|
|
456
|
+
"source_ids": [
|
|
457
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
458
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
459
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
460
|
+
],
|
|
461
|
+
"credibility": "high",
|
|
462
|
+
"last_verified": "2026-03-28"
|
|
463
|
+
},
|
|
464
|
+
{
|
|
465
|
+
"pattern_id": "TP-06-02",
|
|
466
|
+
"family_key": "ssrf_oauth_discovery",
|
|
467
|
+
"family_name": "SSRF in OAuth and metadata discovery",
|
|
468
|
+
"pattern_name": "authorization_server metadata to cloud metadata endpoint",
|
|
469
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
470
|
+
"summary": "Tool/protocol discovery fetches attacker-controlled URLs that reach internal networks, cloud metadata, or protected services.",
|
|
471
|
+
"surface_kind": "ssrf",
|
|
472
|
+
"default_controls": [
|
|
473
|
+
"egress proxy",
|
|
474
|
+
"private-range blocking",
|
|
475
|
+
"redirect validation per hop",
|
|
476
|
+
"HTTPS enforcement"
|
|
477
|
+
],
|
|
478
|
+
"source_ids": [
|
|
479
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
480
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
481
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
482
|
+
],
|
|
483
|
+
"credibility": "high",
|
|
484
|
+
"last_verified": "2026-03-28"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"pattern_id": "TP-06-03",
|
|
488
|
+
"family_key": "ssrf_oauth_discovery",
|
|
489
|
+
"family_name": "SSRF in OAuth and metadata discovery",
|
|
490
|
+
"pattern_name": "Redirect hop to private range",
|
|
491
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
492
|
+
"summary": "Tool/protocol discovery fetches attacker-controlled URLs that reach internal networks, cloud metadata, or protected services.",
|
|
493
|
+
"surface_kind": "ssrf",
|
|
494
|
+
"default_controls": [
|
|
495
|
+
"egress proxy",
|
|
496
|
+
"private-range blocking",
|
|
497
|
+
"redirect validation per hop",
|
|
498
|
+
"HTTPS enforcement"
|
|
499
|
+
],
|
|
500
|
+
"source_ids": [
|
|
501
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
502
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
503
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
504
|
+
],
|
|
505
|
+
"credibility": "high",
|
|
506
|
+
"last_verified": "2026-03-28"
|
|
507
|
+
},
|
|
508
|
+
{
|
|
509
|
+
"pattern_id": "TP-06-04",
|
|
510
|
+
"family_key": "ssrf_oauth_discovery",
|
|
511
|
+
"family_name": "SSRF in OAuth and metadata discovery",
|
|
512
|
+
"pattern_name": "DNS rebinding against local or reserved range",
|
|
513
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
514
|
+
"summary": "Tool/protocol discovery fetches attacker-controlled URLs that reach internal networks, cloud metadata, or protected services.",
|
|
515
|
+
"surface_kind": "ssrf",
|
|
516
|
+
"default_controls": [
|
|
517
|
+
"egress proxy",
|
|
518
|
+
"private-range blocking",
|
|
519
|
+
"redirect validation per hop",
|
|
520
|
+
"HTTPS enforcement"
|
|
521
|
+
],
|
|
522
|
+
"source_ids": [
|
|
523
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
524
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
525
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
526
|
+
],
|
|
527
|
+
"credibility": "high",
|
|
528
|
+
"last_verified": "2026-03-28"
|
|
529
|
+
},
|
|
530
|
+
{
|
|
531
|
+
"pattern_id": "TP-07-01",
|
|
532
|
+
"family_key": "session_hijack_event_injection",
|
|
533
|
+
"family_name": "Session hijacking and event injection",
|
|
534
|
+
"pattern_name": "Stolen session ID reuse",
|
|
535
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
536
|
+
"summary": "Attackers obtain or replay session IDs or inject malicious events into resumable/stateful connections.",
|
|
537
|
+
"surface_kind": "session",
|
|
538
|
+
"default_controls": [
|
|
539
|
+
"no sessions for auth",
|
|
540
|
+
"session binding",
|
|
541
|
+
"secure random IDs",
|
|
542
|
+
"event-source authorization"
|
|
543
|
+
],
|
|
544
|
+
"source_ids": [
|
|
545
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
546
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
547
|
+
],
|
|
548
|
+
"credibility": "high",
|
|
549
|
+
"last_verified": "2026-03-28"
|
|
550
|
+
},
|
|
551
|
+
{
|
|
552
|
+
"pattern_id": "TP-07-02",
|
|
553
|
+
"family_key": "session_hijack_event_injection",
|
|
554
|
+
"family_name": "Session hijacking and event injection",
|
|
555
|
+
"pattern_name": "Malicious resumable-stream event",
|
|
556
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
557
|
+
"summary": "Attackers obtain or replay session IDs or inject malicious events into resumable/stateful connections.",
|
|
558
|
+
"surface_kind": "event_stream",
|
|
559
|
+
"default_controls": [
|
|
560
|
+
"no sessions for auth",
|
|
561
|
+
"session binding",
|
|
562
|
+
"secure random IDs",
|
|
563
|
+
"event-source authorization"
|
|
564
|
+
],
|
|
565
|
+
"source_ids": [
|
|
566
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
567
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
568
|
+
],
|
|
569
|
+
"credibility": "high",
|
|
570
|
+
"last_verified": "2026-03-28"
|
|
571
|
+
},
|
|
572
|
+
{
|
|
573
|
+
"pattern_id": "TP-07-03",
|
|
574
|
+
"family_key": "session_hijack_event_injection",
|
|
575
|
+
"family_name": "Session hijacking and event injection",
|
|
576
|
+
"pattern_name": "Tool-list change through hijacked session",
|
|
577
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
578
|
+
"summary": "Attackers obtain or replay session IDs or inject malicious events into resumable/stateful connections.",
|
|
579
|
+
"surface_kind": "session_tool_injection",
|
|
580
|
+
"default_controls": [
|
|
581
|
+
"no sessions for auth",
|
|
582
|
+
"session binding",
|
|
583
|
+
"secure random IDs",
|
|
584
|
+
"event-source authorization"
|
|
585
|
+
],
|
|
586
|
+
"source_ids": [
|
|
587
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
588
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
589
|
+
],
|
|
590
|
+
"credibility": "high",
|
|
591
|
+
"last_verified": "2026-03-28"
|
|
592
|
+
},
|
|
593
|
+
{
|
|
594
|
+
"pattern_id": "TP-07-04",
|
|
595
|
+
"family_key": "session_hijack_event_injection",
|
|
596
|
+
"family_name": "Session hijacking and event injection",
|
|
597
|
+
"pattern_name": "Weak session binding to user identity",
|
|
598
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
599
|
+
"summary": "Attackers obtain or replay session IDs or inject malicious events into resumable/stateful connections.",
|
|
600
|
+
"surface_kind": "session",
|
|
601
|
+
"default_controls": [
|
|
602
|
+
"no sessions for auth",
|
|
603
|
+
"session binding",
|
|
604
|
+
"secure random IDs",
|
|
605
|
+
"event-source authorization"
|
|
606
|
+
],
|
|
607
|
+
"source_ids": [
|
|
608
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
609
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026"
|
|
610
|
+
],
|
|
611
|
+
"credibility": "high",
|
|
612
|
+
"last_verified": "2026-03-28"
|
|
613
|
+
},
|
|
614
|
+
{
|
|
615
|
+
"pattern_id": "TP-08-01",
|
|
616
|
+
"family_key": "local_server_compromise",
|
|
617
|
+
"family_name": "Local MCP server compromise",
|
|
618
|
+
"pattern_name": "One-click startup command abuse",
|
|
619
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
620
|
+
"summary": "Locally executed MCP servers or helpers run with dangerous host privileges or are configured through unsafe commands.",
|
|
621
|
+
"surface_kind": "local_server",
|
|
622
|
+
"default_controls": [
|
|
623
|
+
"sandbox local servers",
|
|
624
|
+
"show exact command",
|
|
625
|
+
"explicit consent",
|
|
626
|
+
"filesystem/network least privilege"
|
|
627
|
+
],
|
|
628
|
+
"source_ids": [
|
|
629
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
630
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
631
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
632
|
+
],
|
|
633
|
+
"credibility": "high",
|
|
634
|
+
"last_verified": "2026-03-28"
|
|
635
|
+
},
|
|
636
|
+
{
|
|
637
|
+
"pattern_id": "TP-08-02",
|
|
638
|
+
"family_key": "local_server_compromise",
|
|
639
|
+
"family_name": "Local MCP server compromise",
|
|
640
|
+
"pattern_name": "Malicious package in local server install",
|
|
641
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
642
|
+
"summary": "Locally executed MCP servers or helpers run with dangerous host privileges or are configured through unsafe commands.",
|
|
643
|
+
"surface_kind": "local_server",
|
|
644
|
+
"default_controls": [
|
|
645
|
+
"sandbox local servers",
|
|
646
|
+
"show exact command",
|
|
647
|
+
"explicit consent",
|
|
648
|
+
"filesystem/network least privilege"
|
|
649
|
+
],
|
|
650
|
+
"source_ids": [
|
|
651
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
652
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
653
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
654
|
+
],
|
|
655
|
+
"credibility": "high",
|
|
656
|
+
"last_verified": "2026-03-28"
|
|
657
|
+
},
|
|
658
|
+
{
|
|
659
|
+
"pattern_id": "TP-08-03",
|
|
660
|
+
"family_key": "local_server_compromise",
|
|
661
|
+
"family_name": "Local MCP server compromise",
|
|
662
|
+
"pattern_name": "DNS rebinding to localhost service",
|
|
663
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
664
|
+
"summary": "Locally executed MCP servers or helpers run with dangerous host privileges or are configured through unsafe commands.",
|
|
665
|
+
"surface_kind": "local_server",
|
|
666
|
+
"default_controls": [
|
|
667
|
+
"sandbox local servers",
|
|
668
|
+
"show exact command",
|
|
669
|
+
"explicit consent",
|
|
670
|
+
"filesystem/network least privilege"
|
|
671
|
+
],
|
|
672
|
+
"source_ids": [
|
|
673
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
674
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
675
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
676
|
+
],
|
|
677
|
+
"credibility": "high",
|
|
678
|
+
"last_verified": "2026-03-28"
|
|
679
|
+
},
|
|
680
|
+
{
|
|
681
|
+
"pattern_id": "TP-08-04",
|
|
682
|
+
"family_key": "local_server_compromise",
|
|
683
|
+
"family_name": "Local MCP server compromise",
|
|
684
|
+
"pattern_name": "Over-privileged local process access",
|
|
685
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
686
|
+
"summary": "Locally executed MCP servers or helpers run with dangerous host privileges or are configured through unsafe commands.",
|
|
687
|
+
"surface_kind": "local_server",
|
|
688
|
+
"default_controls": [
|
|
689
|
+
"sandbox local servers",
|
|
690
|
+
"show exact command",
|
|
691
|
+
"explicit consent",
|
|
692
|
+
"filesystem/network least privilege"
|
|
693
|
+
],
|
|
694
|
+
"source_ids": [
|
|
695
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
696
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
697
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
698
|
+
],
|
|
699
|
+
"credibility": "high",
|
|
700
|
+
"last_verified": "2026-03-28"
|
|
701
|
+
},
|
|
702
|
+
{
|
|
703
|
+
"pattern_id": "TP-09-01",
|
|
704
|
+
"family_key": "scope_oversubscription",
|
|
705
|
+
"family_name": "Excessive scopes and capability oversubscription",
|
|
706
|
+
"pattern_name": "Broad initial scope request",
|
|
707
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
708
|
+
"summary": "Granted scopes exceed the minimum capabilities required for the session or task.",
|
|
709
|
+
"surface_kind": "scope",
|
|
710
|
+
"default_controls": [
|
|
711
|
+
"progressive least-privilege scopes",
|
|
712
|
+
"scope diff approval",
|
|
713
|
+
"down-scoping tolerance",
|
|
714
|
+
"policy-pack scope templates"
|
|
715
|
+
],
|
|
716
|
+
"source_ids": [
|
|
717
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
718
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
719
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
720
|
+
],
|
|
721
|
+
"credibility": "high",
|
|
722
|
+
"last_verified": "2026-03-28"
|
|
723
|
+
},
|
|
724
|
+
{
|
|
725
|
+
"pattern_id": "TP-09-02",
|
|
726
|
+
"family_key": "scope_oversubscription",
|
|
727
|
+
"family_name": "Excessive scopes and capability oversubscription",
|
|
728
|
+
"pattern_name": "Write scopes granted for read-only session",
|
|
729
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
730
|
+
"summary": "Granted scopes exceed the minimum capabilities required for the session or task.",
|
|
731
|
+
"surface_kind": "scope",
|
|
732
|
+
"default_controls": [
|
|
733
|
+
"progressive least-privilege scopes",
|
|
734
|
+
"scope diff approval",
|
|
735
|
+
"down-scoping tolerance",
|
|
736
|
+
"policy-pack scope templates"
|
|
737
|
+
],
|
|
738
|
+
"source_ids": [
|
|
739
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
740
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
741
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
742
|
+
],
|
|
743
|
+
"credibility": "high",
|
|
744
|
+
"last_verified": "2026-03-28"
|
|
745
|
+
},
|
|
746
|
+
{
|
|
747
|
+
"pattern_id": "TP-09-03",
|
|
748
|
+
"family_key": "scope_oversubscription",
|
|
749
|
+
"family_name": "Excessive scopes and capability oversubscription",
|
|
750
|
+
"pattern_name": "Unnecessary admin or destructive scope",
|
|
751
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
752
|
+
"summary": "Granted scopes exceed the minimum capabilities required for the session or task.",
|
|
753
|
+
"surface_kind": "scope",
|
|
754
|
+
"default_controls": [
|
|
755
|
+
"progressive least-privilege scopes",
|
|
756
|
+
"scope diff approval",
|
|
757
|
+
"down-scoping tolerance",
|
|
758
|
+
"policy-pack scope templates"
|
|
759
|
+
],
|
|
760
|
+
"source_ids": [
|
|
761
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
762
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
763
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
764
|
+
],
|
|
765
|
+
"credibility": "high",
|
|
766
|
+
"last_verified": "2026-03-28"
|
|
767
|
+
},
|
|
768
|
+
{
|
|
769
|
+
"pattern_id": "TP-09-04",
|
|
770
|
+
"family_key": "scope_oversubscription",
|
|
771
|
+
"family_name": "Excessive scopes and capability oversubscription",
|
|
772
|
+
"pattern_name": "Scope creep after reconnect or refresh",
|
|
773
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
774
|
+
"summary": "Granted scopes exceed the minimum capabilities required for the session or task.",
|
|
775
|
+
"surface_kind": "scope",
|
|
776
|
+
"default_controls": [
|
|
777
|
+
"progressive least-privilege scopes",
|
|
778
|
+
"scope diff approval",
|
|
779
|
+
"down-scoping tolerance",
|
|
780
|
+
"policy-pack scope templates"
|
|
781
|
+
],
|
|
782
|
+
"source_ids": [
|
|
783
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
784
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
785
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
786
|
+
],
|
|
787
|
+
"credibility": "high",
|
|
788
|
+
"last_verified": "2026-03-28"
|
|
789
|
+
},
|
|
790
|
+
{
|
|
791
|
+
"pattern_id": "TP-10-01",
|
|
792
|
+
"family_key": "cross_tool_harvest_pollute",
|
|
793
|
+
"family_name": "Cross-tool harvesting and pollution",
|
|
794
|
+
"pattern_name": "Tool A harvests secrets for Tool B",
|
|
795
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
796
|
+
"summary": "One tool contaminates data or control flow that is later consumed by another tool or sink.",
|
|
797
|
+
"surface_kind": "cross_tool_flow",
|
|
798
|
+
"default_controls": [
|
|
799
|
+
"tool-to-tool data barriers",
|
|
800
|
+
"capability labels",
|
|
801
|
+
"per-tool scratchpads",
|
|
802
|
+
"flow-policy static analysis"
|
|
803
|
+
],
|
|
804
|
+
"source_ids": [
|
|
805
|
+
"SRC_ACE_NDSS_2026",
|
|
806
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
807
|
+
"SRC_TOOLHIJACKER_NDSS_2026"
|
|
808
|
+
],
|
|
809
|
+
"credibility": "high",
|
|
810
|
+
"last_verified": "2026-03-28"
|
|
811
|
+
},
|
|
812
|
+
{
|
|
813
|
+
"pattern_id": "TP-10-02",
|
|
814
|
+
"family_key": "cross_tool_harvest_pollute",
|
|
815
|
+
"family_name": "Cross-tool harvesting and pollution",
|
|
816
|
+
"pattern_name": "Tool output pollutes planner input for next step",
|
|
817
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
818
|
+
"summary": "One tool contaminates data or control flow that is later consumed by another tool or sink.",
|
|
819
|
+
"surface_kind": "cross_tool_flow",
|
|
820
|
+
"default_controls": [
|
|
821
|
+
"tool-to-tool data barriers",
|
|
822
|
+
"capability labels",
|
|
823
|
+
"per-tool scratchpads",
|
|
824
|
+
"flow-policy static analysis"
|
|
825
|
+
],
|
|
826
|
+
"source_ids": [
|
|
827
|
+
"SRC_ACE_NDSS_2026",
|
|
828
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
829
|
+
"SRC_TOOLHIJACKER_NDSS_2026"
|
|
830
|
+
],
|
|
831
|
+
"credibility": "high",
|
|
832
|
+
"last_verified": "2026-03-28"
|
|
833
|
+
},
|
|
834
|
+
{
|
|
835
|
+
"pattern_id": "TP-10-03",
|
|
836
|
+
"family_key": "cross_tool_harvest_pollute",
|
|
837
|
+
"family_name": "Cross-tool harvesting and pollution",
|
|
838
|
+
"pattern_name": "Shared scratchpad leaks between tools",
|
|
839
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
840
|
+
"summary": "One tool contaminates data or control flow that is later consumed by another tool or sink.",
|
|
841
|
+
"surface_kind": "cross_tool_flow",
|
|
842
|
+
"default_controls": [
|
|
843
|
+
"tool-to-tool data barriers",
|
|
844
|
+
"capability labels",
|
|
845
|
+
"per-tool scratchpads",
|
|
846
|
+
"flow-policy static analysis"
|
|
847
|
+
],
|
|
848
|
+
"source_ids": [
|
|
849
|
+
"SRC_ACE_NDSS_2026",
|
|
850
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
851
|
+
"SRC_TOOLHIJACKER_NDSS_2026"
|
|
852
|
+
],
|
|
853
|
+
"credibility": "high",
|
|
854
|
+
"last_verified": "2026-03-28"
|
|
855
|
+
},
|
|
856
|
+
{
|
|
857
|
+
"pattern_id": "TP-10-04",
|
|
858
|
+
"family_key": "cross_tool_harvest_pollute",
|
|
859
|
+
"family_name": "Cross-tool harvesting and pollution",
|
|
860
|
+
"pattern_name": "Capability bleed across tool chain",
|
|
861
|
+
"entry_kind": "tool_protocol_threat_pattern",
|
|
862
|
+
"summary": "One tool contaminates data or control flow that is later consumed by another tool or sink.",
|
|
863
|
+
"surface_kind": "cross_tool_flow",
|
|
864
|
+
"default_controls": [
|
|
865
|
+
"tool-to-tool data barriers",
|
|
866
|
+
"capability labels",
|
|
867
|
+
"per-tool scratchpads",
|
|
868
|
+
"flow-policy static analysis"
|
|
869
|
+
],
|
|
870
|
+
"source_ids": [
|
|
871
|
+
"SRC_ACE_NDSS_2026",
|
|
872
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
873
|
+
"SRC_TOOLHIJACKER_NDSS_2026"
|
|
874
|
+
],
|
|
875
|
+
"credibility": "high",
|
|
876
|
+
"last_verified": "2026-03-28"
|
|
877
|
+
}
|
|
878
|
+
]
|
|
879
|
+
}
|