< NULLCON 2025 - BERLIN />

About the Speaker

GO BACK
img
Simcha Kosman
Senior Security Researcher CyberArk

< Talk Title />

Your MCP Server Executes Commands - But From Whom?

< Talk Category />

Technical Speakers

< Talk Abstract />

Static prompt-sanitizing is yesterday’s defense. We show how every byte an MCP server sends can be weaponized.
 
First, we revisit the classic Tool-Poisoning Attack (TPA) and prove why policing the description field is security theatre.
By fuzzing the auto-generated JSON schema, we unlock Full-Schema Poisoning (FSP): payloads hidden in parameter names, types, defaults, and required arrays that silently steer LLM reasoning.
Next, we unveil Advanced Tool-Poisoning Attacks (ATPA), a post-execution twist that tucks prompts into runtime error strings, coercing agents to leak data and chain remote MCP calls-completely evading static analysis.
We finish by sketching a realistic zero-trust roadmap, schema, allowing listing, runtime differential auditing, and LLM self-critique, while stressing that these are starting points, not silver bullets.
 
If you think your agent is safe because the prompt looks clean, this talk will ruin your day… then help you begin to fix it.
 

< Speaker Bio />

Simcha is a Senior Security Researcher at CyberArk Labs, with over seven years of experience in vulnerability research. He discovered his first vulnerability at the age of 15 - and even earned a reward for it. Since then, Simcha has uncovered security flaws across a wide range of targets, including processors, embedded systems, and large-scale open-source projects, during his time at Rockwell Automation and Intel. His current work focuses on developing novel methods for vulnerability detection by combining static analysis, AI, and automation. Simcha is especially passionate about using techniques like fuzzing and LLM-guided reasoning to push the boundaries of modern security research.