Ch 9 — Securing MCP Integrations — Under the Hood
Tool Poisoning, Shadowing, Rug Pulls, MCP-Scan, AttestMCP, OWASP MCP Top 10
A. MCP Architectural Flaws: no capability attestation, implicit trust, bidirectional sampling
  - MCP Client: the host app trusts server-supplied descriptions
  - MCP Server: provides tools via JSON-RPC
  - Tool Descriptions: unverified text that the LLM reads blindly
  - Sampling API: the server can prompt the LLM directly
  -> Attacks: Tool Poisoning, Shadowing, Rug Pulls
B. MCP Attack Taxonomy: Invariant Labs TPAs, Tool Shadowing, MCP Rug Pulls
  - Tool Poisoning: hidden instructions in tool descriptions
  - Tool Shadowing: override legitimate tools silently
  - Rug Pull: change behavior after approval
  -> OWASP MCP Top 10 & Shadow MCP Servers
C. OWASP MCP Top 10 (2025): shadow servers, token mismanagement, supply chain
  - Shadow Servers (MCP09): unauthorized MCP endpoints
  - Token Mismanagement (MCP01): over-scoped OAuth tokens
  - Supply Chain (MCP04): malicious server packages
  -> Defense: MCP-Scan, AttestMCP, secrets management
D. MCP Security Tools & Defenses: MCP-Scan, AttestMCP protocol extension, secrets vaulting
  - MCP-Scan: scan tool descriptions for hidden payloads
  - AttestMCP: cryptographic tool attestation protocol
  - Secrets Vault: never pass tokens in tool descriptions
  -> Complete secure MCP architecture
E. Secure MCP Architecture: end-to-end MCP security pipeline
  - Runtime Monitor: detect description changes at runtime
  - Defense Stack: full secure MCP pipeline