Describe three categories from the OWASP MCP Top 10 and what risks they codify
Name and explain three distinct categories from the OWASP MCP Top 10 (2025). For each, describe the specific MCP attack vector and one mitigation.
MCP's risk surface maps onto OWASP-style agent threats: poisoned tool descriptions, silent rug pulls, and confused-deputy auth. Defenses are vetting, signing, re-approval, and scoped least-privilege tokens.
Imagine hiring a contractor who hands you a list of jobs they can do. You read the list and decide what to let them do. Tool poisoning is when the contractor writes secret instructions in the fine print that trick you into approving more than you meant. A rug pull is when they show you a safe job list, you sign off, then they swap it for a dangerous one without telling you. A confused deputy is when the contractor uses your master key to open rooms you never said they could enter. The fixes are common sense: read the whole list, re-check it after any change, give the contractor only the keys to the rooms they actually need, and only hire contractors you trust.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: name three distinct categories, the MCP mechanism each exploits, one defense per category, then the through-line that the host owns trust enforcement because the protocol does not sandbox.
| OWASP MCP risk | MCP mechanism exploited | Primary defense |
|---|---|---|
| Tool poisoning | Tool description field read at selection | Full-description approval UI, sanitization, vetting |
| Rug pull | Silent post-approval definition change | Signed definitions, re-approval on change |
| Confused deputy | OAuth scope, missing PKCE | PKCE enforcement, per-user scoped tokens |
| Cross-server shadowing | Malicious server overrides a trusted tool | Tool namespacing, server allowlisting |
| Excessive agency | Tool granted more capability than the task | Least privilege, human approval on side effects |
Real products, models, and research that use this idea.
- Anthropic's MCP authorization spec adopted OAuth 2.1 with mandatory PKCE in 2025 to close confused-deputy gaps on remote servers.
- The ETDI (Enhanced Tool Definition Interface) proposal adds cryptographic signing of tool definitions to defeat rug-pull mutations.
- mcp-inspector and host approval UIs in Claude Desktop and Cursor surface full tool descriptions so poisoned metadata is visible before approval.
- The OWASP GenAI project published the MCP Top 10 in 2025 alongside its OWASP Top 10 for LLM Applications taxonomy.
What an interviewer would ask next. Try answering before peeking at the approach.
QWhy is full-description display in the approval UI not a complete defense against tool poisoning?
QHow does cryptographic signing actually stop a rug pull, and what does it not stop?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Listing generic web vulnerabilities like SQL injection instead of MCP-specific risks. The auditor wants attack vectors that exploit MCP primitives such as tool descriptions, the approval flow, or the OAuth layer.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.