@@ -36,15 +36,16 @@ Attackers can exploit MCP servers proxying other resource servers, creating "[co
36
36
to the Third-Party API. It is the same value for all MCP server to Third-Party API interactions regardless of
37
37
which MCP client initiated the request.
38
38
39
- #### 2.1.2 Architecture and Attack Flow
39
+ #### 2.1.2 Architecture and Attack Flows
40
+
41
+ ##### 2.1.2.1 Normal OAuth proxy usage (preserves user consent)
40
42
41
43
``` mermaid
42
44
sequenceDiagram
43
45
participant UA as User-Agent (Browser)
44
46
participant MC as MCP Client
45
47
participant M as MCP Proxy Server
46
48
participant TAS as Third-Party Authorization Server
47
- participant A as Attacker
48
49
49
50
Note over UA,M: Initial Auth flow completed
50
51
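Review bot: Removing `participant A as Attacker` from the first diagram is only safe if no message in the unchanged part of that diagram (the lines between this hunk and the next, not shown here) still names `A`. Mermaid creates undeclared participants implicitly, so a leftover reference would not fail to render. It would silently add an "A" lane at the right edge of the diagram that is supposed to show the normal, consent-preserving flow. Please confirm the remaining body only uses UA, MC, M and TAS. Separately, the section title now says "Attack Flows", but the first sub-section under it is the non-attack case. A one-line sentence between the `#### 2.1.2` heading and `##### 2.1.2.1` explaining that the normal flow is shown first for contrast would help readers.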
@@ -63,12 +64,25 @@ sequenceDiagram
63
64
M->>UA: Redirect to MCP Client with MCP authorization code
64
65
65
66
Note over M,UA: Exchange code for token, etc.
67
+ ```
68
+
69
+ ##### 2.1.2.3 Malicious OAuth proxy usage (skips user consent)
70
+
71
+ ``` mermaid
72
+ sequenceDiagram
73
+ participant UA as User-Agent (Browser)
74
+ participant M as MCP Proxy Server
75
+ participant TAS as Third-Party Authorization Server
76
+ participant A as Attacker
77
+
66
78
67
- Note over UA,A: Step 2: Attack (leveraging existing cookie)
79
+ Note over UA,A: Step 2: Attack (leveraging existing cookie, skipping consent )
68
80
A->>M: Dynamically register malicious client, redirect_uri: attacker.com
69
81
A->>UA: Sends malicious link
70
82
UA->>TAS: Authorization request (client_id: mcp-proxy) + consent cookie
83
+ rect rgba(255, 17, 0, 0.67)
71
84
TAS->>TAS: Cookie present, consent skipped
85
+ end
72
86
73
87
TAS->>UA: 3P Authorization code + redirect to mcp-proxy-server.com
74
88
UA->>M: 3P Authorization code
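Review bot: The new sub-heading is numbered `2.1.2.3`, but the previous one added in this commit is `2.1.2.1`, so `2.1.2.2` is skipped. Renumber it to `##### 2.1.2.2 Malicious OAuth proxy usage (skips user consent)` unless a 2.1.2.2 section exists outside the visible lines. Two smaller points in the same hunk: the note `Step 2: Attack (leveraging existing cookie, skipping consent )` has a stray space before the closing parenthesis, and since this diagram now stands alone, "Step 2" appears with no "Step 1" in the same figure, so either drop the step label or say in the note that step 1 is the normal flow in the preceding diagram. The `rect rgba(255, 17, 0, 0.67)` highlight around "Cookie present, consent skipped" is a good call for drawing attention to the skipped consent, but at 0.67 alpha the red may make the message text hard to read in some themes, so a lower alpha is worth checking in the rendered page.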