MCP Remote Server Security Misconfigurations

This lab teaches security engineers how to assess ISV-hosted remote MCP endpoints used with Agentforce, with a focus on exploitable authorization, transport, session, token, and protocol misconfiguration risks in endpoint-only testing scenarios.

Executive Summary

When source code is unavailable, remote MCP servers must be assessed as API-like attack surfaces. Security reviewers should evaluate Streamable HTTP and HTTP+SSE endpoints with OWASP Top 10 thinking, then raise findings only when misconfigurations are demonstrably exploitable.

This lab emphasizes practical pentest validation over tool-only output. DAST/SAST can assist coverage, but reviewer-driven exploitation and contextual impact analysis remain mandatory.

Salesforce Attack Surface

  • MCP transport endpoints: Streamable HTTP and HTTP+SSE protocol surfaces
  • JSON-RPC message handlers: tools and resources invocation boundaries
  • AuthN/AuthZ layers: OAuth, API keys, token audience validation, and role controls
  • Session lifecycle: session ID generation, binding, replay and resumable stream behavior
  • Server misconfiguration controls: CORS, TLS, cache headers, error handling and logging hygiene

Business Impact

  • Unauthorized tool execution: privileged actions triggered outside intended user scope
  • Data leakage: secrets, tokens, and sensitive records exposed through weak controls
  • Privilege escalation: over-broad connectors and missing segmentation amplify compromise
  • Session compromise: hijacked or replayed sessions drive malicious resumed responses
  • Trust and compliance risk: insecure MCP integrations break AppExchange security expectations

PoC Use Cases

Use controlled tests to verify exploitability in realistic MCP flows:

  • Broken role validation: privileged tools/call request accepted for low-trust caller
  • Resource path abuse: resources/read accepts unsafe file URIs due to missing validation
  • Token leakage: API keys in URLs, logs, or cacheable responses
  • Session hijack chain: stolen session ID used to inject resumed asynchronous payloads
  • CORS + credentials anti-pattern: wildcard origin and credentialed requests allow cross-origin abuse

Example of a privileged tools/call request that should be rejected for a low-trust caller; a server with broken role validation accepts it:

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "admin_tool",
    "arguments": {
      "action": "create_user",
      "username": "attacker",
      "role": "admin"
    }
  },
  "id": 1
}

Testing Methodology

  • Pre-review baseline: collect endpoint list, protocol versions, auth flow diagrams, and business data classification
  • AuthN/AuthZ validation: verify least privilege, caller scope, token audience, and per-user authorization behavior
  • Transport and protocol checks: verify HTTPS/TLS posture, Origin validation, and message validation controls
  • Abuse simulation: replay sessions, injection payloads, token passthrough attempts, and confused-deputy scenarios
  • Exploitability gate: raise findings only when practical impact is reproducible and policy-relevant

Secure Engineering Patterns

  • Strict auth context: avoid server-wide trust for sensitive user-specific operations
  • Session hardening: non-deterministic IDs, user-bound session keys, rotation and expiry controls
  • Token hygiene: no tokens in URLs, no passthrough without audience validation, secure storage and expiry
  • Transport hardening: modern TLS-only posture, origin checks, and safe CORS policies
  • Observability controls: generic error responses, sensitive data redaction, and abuse-focused logging

// Example defensive session key strategy
// queue_key = <derived_user_id> + ":" + <secure_random_session_id>
// Reject if caller context does not match bound user identity.
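The session key strategy above, carried through as an added Python example (not code from this lab or from any Salesforce or MCP implementation). It assumes the authenticated subject string is already supplied by the OAuth layer, and uses a constructed in-process store and secret so it runs offline:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: in production the secret comes from a KMS or secret store.
SERVER_SECRET = b"example-only-pepper"
SESSION_TTL_SECONDS = 900

# queue_key -> session record; a real server would use a store shared across workers.
SESSIONS: dict = {}

def derive_user_id(subject: str) -> str:
    """Opaque, stable identifier derived from the authenticated subject (e.g. the OAuth sub claim)."""
    return hmac.new(SERVER_SECRET, subject.encode(), hashlib.sha256).hexdigest()[:32]

def queue_key(subject: str, session_id: str) -> str:
    """The lab's pattern: <derived_user_id> + ":" + <secure_random_session_id>."""
    return f"{derive_user_id(subject)}:{session_id}"

def new_session(subject: str, now: Optional[float] = None) -> str:
    """Issue a non-deterministic session ID bound to the caller (returned in Mcp-Session-Id)."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter or timestamp
    SESSIONS[queue_key(subject, session_id)] = {"expires_at": now + SESSION_TTL_SECONDS}
    return session_id

def authorize_session(subject: str, session_id: str, now: Optional[float] = None) -> bool:
    """Accept only when the session ID is bound to this caller and unexpired. A session ID replayed
    under a different authenticated subject yields a different queue_key, so the lookup misses."""
    now = time.time() if now is None else now
    key = queue_key(subject, session_id)
    record = SESSIONS.get(key)
    if record is None:
        return False
    if now >= record["expires_at"]:
        SESSIONS.pop(key, None)  # expired: retire it so it cannot be reused later
        return False
    return True

def rotate_session(subject: str, old_session_id: str, now: Optional[float] = None) -> Optional[str]:
    """Rotate after a privilege change: retire the old ID and issue a fresh one for the same user."""
    if not authorize_session(subject, old_session_id, now):
        return None
    SESSIONS.pop(queue_key(subject, old_session_id), None)
    return new_session(subject, now)
```

Because the user identity is part of the lookup key rather than a field on the record, a session ID presented with the wrong caller context is rejected before any resumed stream or queued response is touched.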

Verification Checklist

  • Endpoint inventory covers both Streamable HTTP and HTTP+SSE routes
  • AuthN/AuthZ behavior validated against data sensitivity and user context
  • No sensitive tokens in URLs, logs, or publicly cacheable responses
  • Session replay and resumable-stream abuse cases are mitigated
  • TLS/CORS/error-handling posture verified against exploitable misconfiguration paths
  • Findings include reproducible evidence and concrete business impact

Lab Exercises

Follow this sequence to execute an endpoint-only MCP security assessment:

  • Exercise 1: Build endpoint and protocol map from ISV documentation and traffic observations
  • Exercise 2: Validate authentication, authorization, and privilege segmentation controls
  • Exercise 3: Test token/session abuse scenarios including replay and resumable stream attacks
  • Exercise 4: Validate injection, sensitive-data, TLS, and CORS misconfiguration exploitability
  • Exercise 5: Produce reviewer-grade report with evidence, severity rationale, and remediation guidance