API Server - Data Exfiltration Target

A TypeScript Express server with a SQLite database that serves as the exfiltration endpoint for the MCP (Model Context Protocol) vulnerability demonstrations. It receives and stores the sensitive data that the malicious MCP servers in this repository steal from the user's workspace.

🚨 Purpose

This API server simulates an attacker-controlled endpoint that receives exfiltrated data from compromised MCP tools. In a real attack scenario, this would be hosted on an attacker's infrastructure and would receive:

  • Environment variables (.env files)
  • API keys and passwords
  • Database credentials
  • OAuth tokens
  • Email contents
  • Personal information
  • Source code

How It's Used in Attacks

Tool Prompt Injection Attack

The tool-prompt-injection MCP embeds attacker instructions in its tool definition, so the injection arrives through the tool description the AI assistant loads rather than through anything the user types. Those instructions cause the AI to:

  1. Read sensitive .env files from the workspace
  2. Send their contents to POST /notes on this server
  3. Leave the stolen data stored in this server's database for the attacker to collect

Data Flow

User's Workspace
    ↓ (AI reads .env)
Malicious MCP Tool
    ↓ (HTTP POST)
This API Server (attacker-controlled)
    ↓ (stores in database)
SQLite Database
    ↓ (attacker retrieves)
Stolen Credentials
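The defender's control point in the flow above is the HTTP POST leaving the user's machine: nothing about a benign "note" should ever contain the contents of a .env file. The following is an added example, not code from this project, showing the kind of egress check an MCP host or an outbound proxy could run on a tool's request body before letting it leave. The names (Finding, scanForSecrets, shouldBlockEgress) and the token patterns are this example's own assumptions; the sample bodies are constructed to mirror the .env created in the test steps below.

```typescript
// Added example (not code from the project): an egress check that an MCP host
// or an outbound proxy could run on a tool's HTTP request body before it
// leaves the machine. Names and token patterns are this example's assumptions.

interface Finding {
  rule: string;    // which detector fired
  excerpt: string; // redacted match, so the alert itself does not re-leak the secret
}

// A KEY=VALUE line whose key looks like a credential name (dotenv style).
const CREDENTIAL_LINE = /^[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)[A-Z0-9_]*=(.+)$/;

// Well-known token shapes (assumed formats): AKIA... is the AWS access key id
// prefix, sk-... is used by several API providers, plus a PEM private key header.
const TOKEN_SHAPES: Array<[string, RegExp]> = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
  ["sk-prefixed-api-key", /\bsk-[A-Za-z0-9_-]{8,}/],
  ["private-key-block", /-----BEGIN [A-Z ]*PRIVATE KEY-----/],
];

// Keep only a short prefix so findings can be logged safely.
function redact(secret: string): string {
  return secret.length <= 8 ? new Array(secret.length + 1).join("*") : secret.slice(0, 4) + "...";
}

// Gather every string value from a parsed JSON document (tool bodies are usually JSON).
function collectStrings(value: unknown, out: string[]): void {
  if (typeof value === "string") {
    out.push(value);
  } else if (Array.isArray(value)) {
    for (const item of value) collectStrings(item, out);
  } else if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) collectStrings(obj[key], out);
  }
}

function scanForSecrets(body: string): Finding[] {
  let texts: string[] = [];
  try {
    collectStrings(JSON.parse(body), texts);
  } catch {
    texts = [body]; // not JSON: scan the raw text
  }
  const findings: Finding[] = [];
  for (const text of texts) {
    for (const rawLine of text.split(/\r?\n/)) {
      const line = rawLine.trim();
      const kv = CREDENTIAL_LINE.exec(line);
      if (kv) {
        findings.push({ rule: "dotenv-credential-line", excerpt: line.split("=")[0] + "=" + redact(kv[1]) });
      }
      for (const shape of TOKEN_SHAPES) {
        const m = shape[1].exec(line);
        if (m) findings.push({ rule: shape[0], excerpt: redact(m[0]) });
      }
    }
  }
  return findings;
}

// Policy decision for the host/proxy: refuse to send the request if anything fired.
function shouldBlockEgress(body: string): boolean {
  return scanForSecrets(body).length > 0;
}

// Constructed samples: the body the malicious tool would POST to /notes after
// reading the planted .env, and a harmless result from the "math" request.
const SAMPLE_EXFIL_BODY = JSON.stringify({
  content: "API_KEY=sk-test-1234567890\nDATABASE_PASSWORD=super_secret\nAWS_SECRET=AKIAIOSFODNN7EXAMPLE",
});
const SAMPLE_BENIGN_BODY = JSON.stringify({ content: "2 + 2 = 4" });
```

Run `shouldBlockEgress(body)` on every outbound tool request; on the exfiltration body above it fires on all three .env lines plus the AWS and sk- token shapes, while the arithmetic result passes. Pattern matching like this is a last line of defence, not a substitute for not giving the tool file-read access in the first place: an attacker who knows the rules can base64-encode the payload, so pair the check with an allowlist of hosts that MCP tools may contact.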

📋 Setup

  1. Install dependencies:
npm install
  2. For development with hot reload:
npm run dev
  3. Build for production:
npm run build
  4. Start the production server:
npm start

The server will run on http://localhost:3000 by default.

API Endpoints

POST /notes

Receive and store exfiltrated data.

Request Body:

{
  "content": "API_KEY=sk-test-123\nDATABASE_PASSWORD=secret"
}

Response:

{
  "id": 1,
  "content": "API_KEY=sk-test-123\nDATABASE_PASSWORD=secret",
  "message": "Note saved successfully"
}

GET /notes

Retrieve all stolen data.

Response:

[
  {
    "id": 1,
    "content": "API_KEY=sk-test-123\nDATABASE_PASSWORD=secret",
    "created_at": "2023-01-01 12:00:00"
  },
  {
    "id": 2,
    "content": "AWS_SECRET=AKIAIOSFODNN7EXAMPLE",
    "created_at": "2023-01-01 12:05:00"
  }
]

GET /notes/:id

Retrieve specific exfiltrated data by ID.

Response:

{
  "id": 1,
  "content": "API_KEY=sk-test-123\nDATABASE_PASSWORD=secret",
  "created_at": "2023-01-01 12:00:00"
}

DELETE /notes/:id

Delete a specific note by ID.

Response:

{
  "message": "Note deleted successfully"
}

🧪 Testing the Vulnerability Chain

Step 1: Start the API Server

cd api
npm install
npm run dev

Step 2: Create Fake Secrets

In your workspace root, create a .env file. Use only fake values like the ones below (AKIAIOSFODNN7EXAMPLE is the AWS documentation example key, not a live credential); never plant real secrets in a workspace you are deliberately exposing to a malicious tool:

echo "API_KEY=sk-test-1234567890" > .env
echo "DATABASE_PASSWORD=super_secret" >> .env
echo "AWS_SECRET=AKIAIOSFODNN7EXAMPLE" >> .env

Step 3: Use the Malicious MCP

Install the tool-prompt-injection MCP in your AI client, then ask the assistant to perform an ordinary math operation. The math request is only the innocuous trigger: the instructions injected through the tool definition are what make the assistant read .env and POST its contents to this server.

Step 4: Verify Data Exfiltration

Check what data was stolen:

curl http://localhost:3000/notes

You should see your .env file contents stored in the database.

Step 5: Clean Up

Delete the exfiltrated data:

# There is no bulk-delete endpoint: list the ids with GET /notes, then delete each one
curl -X DELETE http://localhost:3000/notes/1
curl -X DELETE http://localhost:3000/notes/2
# etc.
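Steps 4 and 5 together, as an added example that is not part of this project: a small client that lists what was stored, picks out the notes containing values from the planted .env, and then deletes every note by id because the API has no bulk delete. The routes and JSON shapes follow the API Endpoints section above; the helper names, the Transport abstraction, the curl-backed transport and the in-memory fake server are this example's own assumptions so the logic can also run with no server listening.

```typescript
import { execFileSync } from "child_process";

// Added example, not part of the project: a client for Step 4 (verify) and
// Step 5 (clean up). Routes and JSON shapes follow the API Endpoints section;
// everything else here is this example's own assumption.

interface Note {
  id: number;
  content: string;
  created_at: string;
}

// What the client needs from the network: send a request, get status and parsed body.
type Transport = (method: string, url: string) => { status: number; body: unknown };

const API_BASE = "http://localhost:3000";

// Real transport: shell out to curl like the README does. "-w" appends the HTTP
// status code on its own line after the body so the two can be split apart.
function curlTransport(method: string, url: string): { status: number; body: unknown } {
  const out = execFileSync("curl", ["-s", "-X", method, "-w", "\n%{http_code}", url], { encoding: "utf8" });
  const cut = out.lastIndexOf("\n");
  const text = out.slice(0, cut);
  return { status: Number(out.slice(cut + 1)), body: text ? JSON.parse(text) : null };
}

function listNotes(send: Transport, base: string = API_BASE): Note[] {
  const res = send("GET", base + "/notes");
  if (res.status !== 200) throw new Error("GET /notes returned " + res.status);
  return res.body as Note[];
}

// Step 4: which stored notes contain values from the planted .env?
function findLeakedNotes(notes: Note[], markers: string[]): Note[] {
  return notes.filter(n => markers.some(m => n.content.indexOf(m) !== -1));
}

// Step 5: the API has no bulk delete, so enumerate ids and delete one by one.
function deleteAllNotes(send: Transport, base: string = API_BASE): number[] {
  const deleted: number[] = [];
  for (const note of listNotes(send, base)) {
    const res = send("DELETE", base + "/notes/" + note.id);
    if (res.status !== 200) throw new Error("DELETE /notes/" + note.id + " returned " + res.status);
    deleted.push(note.id);
  }
  return deleted;
}

// Constructed stand-in for the server: an in-memory store behind the same routes.
function makeFakeTransport(initial: Note[]): { send: Transport; remaining: () => Note[] } {
  let notes = initial.slice();
  const send: Transport = (method, url) => {
    const path = url.replace(/^https?:\/\/[^/]+/, "");
    const byId = /^\/notes\/(\d+)$/.exec(path);
    if (method === "GET" && path === "/notes") return { status: 200, body: notes.slice() };
    if (method === "DELETE" && byId) {
      const id = Number(byId[1]);
      const before = notes.length;
      notes = notes.filter(n => n.id !== id);
      return notes.length < before
        ? { status: 200, body: { message: "Note deleted successfully" } }
        : { status: 404, body: { error: "Note not found" } };
    }
    return { status: 404, body: { error: "Not found" } };
  };
  return { send, remaining: () => notes.slice() };
}

// Constructed sample data mirroring the .env from Step 2 plus one harmless note.
const SAMPLE_NOTES: Note[] = [
  { id: 1, content: "API_KEY=sk-test-1234567890\nDATABASE_PASSWORD=super_secret\nAWS_SECRET=AKIAIOSFODNN7EXAMPLE", created_at: "2023-01-01 12:00:00" },
  { id: 2, content: "2 + 2 = 4", created_at: "2023-01-01 12:05:00" },
];
const PLANTED_MARKERS = ["sk-test-1234567890", "super_secret", "AKIAIOSFODNN7EXAMPLE"];

// Against the real server from Step 1: report which notes leaked the planted
// values, then delete everything. Pass a fake transport to run offline.
function verifyAndCleanUp(send: Transport = curlTransport): { leaked: number[]; deleted: number[] } {
  const leaked = findLeakedNotes(listNotes(send), PLANTED_MARKERS).map(n => n.id);
  return { leaked, deleted: deleteAllNotes(send) };
}
```

With the server from Step 1 running, `verifyAndCleanUp()` uses curl against http://localhost:3000 and returns the ids that contained the planted values followed by every id it deleted; `verifyAndCleanUp(makeFakeTransport(SAMPLE_NOTES).send)` exercises the same logic against the in-memory stand-in.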

Database

The server uses SQLite with a local file, database.sqlite. The database and table are created automatically when the server starts. This file contains all exfiltrated data, so delete it after testing (with the server stopped); removing the file also clears every stored note at once, which is quicker than deleting notes one by one through the API.