Describe three categories from the OWASP MCP Top 10 and what risks they codify
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Name and explain three distinct categories from the OWASP MCP Top 10 (2025). For each, describe the specific MCP attack vector and one mitigation.
MCP's risk surface maps onto OWASP-style agent threats: poisoned tool descriptions, silent rug pulls, and confused-deputy auth. Defenses are vetting, signing, re-approval, and scoped least-privilege tokens.
Imagine hiring a contractor who hands you a list of jobs they can do. You read the list and decide what to let them do. Tool poisoning is when the contractor writes secret instructions in the fine print that trick you into approving more than you meant. A rug pull is when they show you a safe job list, you sign off, then they swap it for a dangerous one without telling you. A confused deputy is when the contractor uses your master key to open rooms you never said they could enter. The fixes are common sense: read the whole list, re-check it after any change, give the contractor only the keys to the rooms they actually need, and only hire contractors you trust.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: name three distinct categories, the MCP mechanism each exploits, one defense per category, then the through-line that the host owns trust enforcement because the protocol does not sandbox.
| OWASP MCP risk | MCP mechanism exploited | Primary defense |
|---|---|---|
| Tool poisoning | Tool description field read at selection | Full-description approval UI, sanitization, vetting |
| Rug pull | Silent post-approval definition change | Signed definitions, re-approval on change |
| Confused deputy | OAuth scope, missing PKCE | PKCE enforcement, per-user scoped tokens |
| Cross-server shadowing | Malicious server overrides a trusted tool | Tool namespacing, server allowlisting |
| Excessive agency | Tool granted more capability than the task | Least privilege, human approval on side effects |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Listing generic web vulnerabilities like SQL injection instead of MCP-specific risks. The auditor wants attack vectors that exploit MCP primitives such as tool descriptions, the approval flow, or the OAuth layer.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.