Otto Support - Testing MCP Servers

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://bishopfox.com/blog/otto-support-testing-mcp-servers
• Blog Title: Otto Support - Testing MCP Servers
• Suggested Section: AI Security > AI MCP Security

🎯 Content Summary

Bishop Fox's post demonstrates how to security test an exposed Model Context Protocol (MCP) server using the intentionally vulnerable otto-support application. The main issue found is a broken object-level authorization / IDOR-style flaw in the MCP tool delete_ticket: a low-privileged authenticated user cannot read or edit other users' tickets, but can delete them by calling the MCP tool directly with another user's ticke...

🔧 Technical Details

Testing MCP servers as APIs: MCP servers should be assessed like normal HTTP APIs. Start with network discovery, identify exposed HTTP services, then probe common MCP endpoints such as /mcp and /sse. If the response contains MCP metadata such as a server name, the endpoint can often be enumerated and tested directly.

Direct MCP tool invocation without prompt injection: If an MCP endpoint is reachable, an attacker may not need to manipulate an LLM. Tools can be called directly with JSON-RPC-style requests using method: "tools/call", params.name for the tool name, and params.arguments for attacker-controlled inputs. This turns MCP tools into direct attack surfaces and makes server-side validation mandatory.

Verbose diagnostic tool enumeration: Low-risk-looking tools such as status, health, or debug can leak internal service metadata a...

🤖 Agent Actions

Done.

Updated:

• src/AI/AI-MCP-Servers.md

Added:

• A new section on Broken Object-Level Authorization in MCP tools via direct JSON-RPC abuse
• MCP-specific testing guidance for:
  • discovering exposed MCP endpoints
  • invoking tools directly with tools/call
  • using verbose/status tools for ID enumeration
  • checking authz consistency across read/update/delete actions
  • logging and hardening recommendations

Also added the blog to:

• ## References

Validation:

• Confirmed the diff and markdown structure
• mdbook build could not be executed here because mdbook is not installed in this environment (/bin/bash: mdbook: command not found)

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/otto-support-testing-mcp-servers

Content Categories: Based on the analysis, this content was categorized under "AI Security > AI MCP Security".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0