BSides London 2025

Hacking MCP Servers for Fun and Profit
2025-12-13, Workshop Room 1

Model Context Protocol (MCP) servers are an emerging integration point between LLMs and external tools - and they’re increasingly attractive targets for attackers. This four-hour, hands-on workshop teaches penetration testers practical methods to discover, enumerate, and exploit MCP servers safely and effectively. Through short demos and guided lab exercises you’ll learn how to intercept and audit MCP traffic, identify mismatches between advertised and actual tools, weaponize tool-response manipulation, and validate guardrails and authentication.

Drawing from real-world penetration tests, participants will learn to intercept and analyze MCP traffic, build custom testing tools, and develop reproducible attack workflows. We'll cover traffic capture techniques, protocol manipulation, authentication bypass methods, and injection attacks specific to MCP architectures. Attendees will work through hands-on labs targeting common implementation flaws, misconfigurations, and trust boundary violations.

This intensive workshop transforms penetration testers into MCP security specialists through practical exploitation techniques drawn from real-world assessments. As the Model Context Protocol becomes fundamental to AI application infrastructure, security professionals must understand its unique attack surface.

Participants will master comprehensive MCP security testing methodologies covering twelve critical areas: tool enumeration, discovery techniques to map attack surfaces; identification of dangerous functions and code features that enable exploitation; authentication scheme weaknesses and bypasses; detection of vulnerable libraries and outdated packages; automated reputation analysis using VirusTotal; discovery of hidden tools and undocumented functionality; extraction of embedded secrets and hardcoded credentials; enumeration of embedded email addresses for social engineering vectors; local process spawning vulnerability analysis; temporary file creation exploitation; cross-tool data leakage assessment; and insecure protocol usage identification.

Prerequisites:

Hardware
1. A laptop with wireless access / Internet access

Software
1. Cursor
2. Claude Desktop
   a. Mac and Windows users use the official sources
   b. Linux users can use https://github.com/aaddrick/claude-desktop-debian
3. Ability to generate an API key for Anthropic/ChatGPT etc.
4. A user account on https://n8n.io/
5. A free/paid account on https://box.com
6. Python 3.8+
7. Burp Suite (paid or community)

Riyaz Walikar is the Chief Hacker at Appsecco, a boutique security consulting company specializing in SaaS products and their AI implementations. He has over a decade of experience in offensive security, hacking his way into web applications, mobile apps, wireless networks, thick clients, and cloud and container-based infrastructure. As part of his professional career, he has led security testing teams at Microland, PwC, Citrix, and Appsecco. He likes to evangelize cybersecurity and has been a speaker/trainer at multiple hacker conferences around the world, including Black Hat, DEF CON, OWASP AppSec USA, Nullcon, and c0c0n. He has co-authored two books and loves teaching cybersecurity, which he does through various online blogs and publications, in-person and online training programs, community talks, conference presentations, and beer sessions.

When he is not writing/breaking code, you can find him dabbling in photography, playing video games, googling for weight loss solutions, stargazing, or laughing at his own jokes.