
Fix MCP payloads: structured tool calls and DVAA response pattern matching #57

Merged
thebenignhacker merged 1 commit into main from fix/mcp-payload-patterns on Mar 18, 2026

Conversation

@thebenignhacker
Contributor

Summary

  • Supply-chain payloads now send structured MCP tool calls (register_tool, fetch_data, store_secret) instead of natural language
  • Tool-shadow payloads now use actual ProxyBot tools (secure_query, sign_document, transfer_funds)
  • Updated successIndicators to match DVAA's VULNERABLE: response format
  • Added 7 DVAA-style heuristic patterns to scanner.ts

Integration test results

  • PluginBot: 0/10 -> 10/10 successful
  • ProxyBot: 0/10 -> 9/10 successful (1 correctly blocked)
  • 1035 unit tests passing

Test plan

  • Integration tested against running DVAA v0.5.0
  • All 4 agent categories verified end-to-end
  • Unit tests passing

…atterns

Supply-chain and tool-shadow payloads were sending natural language via
MCP which fell back to calling a non-existent "execute" tool, causing
20/20 inconclusive results. Fixed by:

- Converting payloads to JSON format with _mcpTool/_mcpMethod fields
  that the scanner's buildMcpRequestBody() parses into proper JSON-RPC
- Mapping supply-chain payloads to PluginBot tools (register_tool,
  store_secret, fetch_data) and tool-shadow payloads to ProxyBot tools
  (secure_query, sign_document, transfer_funds)
- Updating successIndicators to match DVAA response patterns
  (VULNERABLE:, path traversal, SQL injection, tlsVerified, etc.)
- Adding DVAA-specific heuristics to scanner (VULNERABLE: marker,
  secure mode defensive pattern)

Integration test results: supply-chain 10/10, tool-shadow 9/10.
@thebenignhacker thebenignhacker merged commit 7005ebf into main Mar 18, 2026
@thebenignhacker thebenignhacker deleted the fix/mcp-payload-patterns branch March 18, 2026 01:11

@github-actions github-actions bot left a comment


Claude Code Review

Security Review: PR #57 - MCP Payloads and Response Pattern Matching

VERDICT: APPROVE

SUMMARY

This PR refactors attack payloads from natural language to structured JSON-RPC MCP tool calls and adds DVAA-specific response patterns to the heuristic analyzer. The changes are configuration-driven updates to test payloads and pattern matching logic. No security vulnerabilities were introduced. The code correctly handles JSON parsing with try/catch blocks, uses structured data formats that prevent injection attacks, and maintains proper separation between payload definitions and execution logic.

VERIFICATION NOTES

All potential findings were verified against the full source code:

  1. JSON Parsing (scanner.ts:300-312): Protected by try/catch block with safe fallback behavior
  2. Regex Patterns: All new patterns (lines 457-471) use linear-time matching without nested quantifiers - no ReDoS risk
  3. URL Handling: URLs in payloads are data (not executed), and the scanner already uses fetch() with controlled request construction (lines 157-165, 267-275)
  4. Object Property Deletion (scanner.ts:327-328): Safe cleanup of internal fields from parsed objects before sending to API
  5. HTTP Request Construction: Uses JSON.stringify() on controlled objects (lines 163, 273) - no injection vectors
  6. Pattern Matching Order: Correctly prioritizes blockedIndicators before successIndicators (lines 408-416, 420-429)

No command execution, file system operations, or dynamic code evaluation occurs in the changed code. All modifications are to static payload definitions and pattern-matching logic.


Reviewed 3 files changed (28148 bytes)
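An added illustration of the two mechanisms this PR and the review notes describe, written for this page rather than taken from the project's scanner.ts: a payload definition carrying _mcpTool/_mcpMethod fields is parsed into an MCP JSON-RPC tools/call body with the internal fields deleted before anything is sent, and a response is classified with blockedIndicators checked before successIndicators. The JSON-RPC/MCP wire format is real; the function name buildMcpRequestBody mirrors the PR text but this implementation, the null result for unstructured payloads, classifyResponse, the indicator regexes (apart from the VULNERABLE: marker the PR names) and the sample payload and responses are all constructed assumptions, not the scanner's or DVAA's actual code or strings.

```typescript
// Added example for this PR page; not the project's scanner.ts. Names marked
// "assumed" are choices made for this illustration, not the scanner's API.

// Payload definition as a scanner would load it from a payload file. The two
// underscore fields are internal routing hints (assumed names from the PR text).
interface Payload {
  _mcpTool?: string;    // MCP tool to invoke, e.g. "fetch_data"
  _mcpMethod?: string;  // JSON-RPC method, defaults to MCP's "tools/call"
  [key: string]: unknown;
}

// MCP tool invocation on the wire: JSON-RPC 2.0 with params.name / params.arguments.
export interface JsonRpcRequest {
  jsonrpc: "2.0";
  id: number;
  method: string;
  params: { name: string; arguments: Record<string, unknown> };
}

// Turn payload text into a JSON-RPC body. Returns null (rather than falling back
// to a tool the target may not have) when the payload is not a structured MCP
// call, so the caller can record "inconclusive" instead of sending a bogus request.
export function buildMcpRequestBody(payloadText: string, id = 1): JsonRpcRequest | null {
  let raw: unknown;
  try {
    raw = JSON.parse(payloadText);
  } catch {
    return null; // natural-language payload: nothing to route
  }
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return null;
  const parsed = raw as Payload;
  if (typeof parsed._mcpTool !== "string" || parsed._mcpTool === "") return null;
  const method = typeof parsed._mcpMethod === "string" ? parsed._mcpMethod : "tools/call";

  // Copy, then strip the internal fields so only tool arguments reach the target.
  const args: Record<string, unknown> = { ...parsed };
  delete args._mcpTool;
  delete args._mcpMethod;

  return { jsonrpc: "2.0", id, method, params: { name: parsed._mcpTool, arguments: args } };
}

export type Verdict = "blocked" | "vulnerable" | "inconclusive";

export interface Indicators {
  blockedIndicators: RegExp[];
  successIndicators: RegExp[];
}

// Constructed DVAA-style heuristics (assumed strings, apart from the "VULNERABLE:"
// marker the PR names). Each regex is a plain literal or a flat alternation with
// no nested quantifiers, so matching stays linear in the response size.
export const defaultIndicators: Indicators = {
  blockedIndicators: [/secure mode/i, /\b(refused|blocked|denied)\b/i],
  successIndicators: [/VULNERABLE:/, /path traversal/i, /SQL injection/i, /"tlsVerified"\s*:\s*false/],
};

// Blocked patterns are checked first: a secure-mode refusal that echoes the
// word "VULNERABLE" must be scored as blocked, not as a successful attack.
export function classifyResponse(body: string, ind: Indicators = defaultIndicators): Verdict {
  if (ind.blockedIndicators.some((re) => re.test(body))) return "blocked";
  if (ind.successIndicators.some((re) => re.test(body))) return "vulnerable";
  return "inconclusive";
}

// Constructed sample inputs (not the project's payloads or real DVAA output).
export const samplePayload = JSON.stringify({
  _mcpTool: "fetch_data",
  url: "https://example.invalid/report.json",
});
export const sampleVulnerableResponse =
  '{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"VULNERABLE: fetch_data ran without validation"}]}}';
export const sampleBlockedResponse =
  '{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"Request refused: secure mode is enabled"}]}}';
export const sampleNeutralResponse =
  '{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"fetched 0 bytes"}]}}';

// Stand-alone run: print the request body and the verdict for each sample.
console.log(JSON.stringify(buildMcpRequestBody(samplePayload, 7)));
for (const r of [sampleVulnerableResponse, sampleBlockedResponse, sampleNeutralResponse]) {
  console.log(classifyResponse(r));
}
```

Returning null for a payload that carries no _mcpTool makes the "inconclusive" case explicit instead of sending a call to a tool the target does not expose, which is the failure mode the commit message attributes to the old "execute" fallback; checking blockedIndicators before successIndicators is what keeps a secure-mode refusal that quotes the marker from being scored as a hit.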

