Break this server

You're the attacker. A support-desk AI agent reads customer tickets over MCP, and somewhere behind it sits a live API key. Your job: file a poisoned ticket that makes the agent leak that key where you can read it.

The catch is the same one I keep making: some defenses live in the prompt and some live in the server. Climb the ladder and watch which is which. This runs entirely in your browser — there's no real model and no API key, just a scripted stand-in for one.

// L0 · no control

support-agent@mcp — session

		

This is a single-tool toy. The full thing — ten boxes, three victim models, real containers, scored by whether a canary actually leaves — is mcploitable, and here's how I built it. The ladder here is the same one, compressed: at the wall it held 0 for 105. See every OWASP class mapped to its control on the attack-surface page.