<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Agentic Security on Crusader Research</title>
		<link>https://crusaderproxy.com/research/en/series/agentic-security/</link>
		<description>Recent content in Agentic Security on Crusader Research</description>
		<generator>Hugo</generator>
		<language>en-US</language>
		
		
		
		
			<lastBuildDate>Sun, 05 Jul 2026 00:00:00 +0000</lastBuildDate>
		
			<atom:link href="https://crusaderproxy.com/research/en/series/agentic-security/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>Line jumping: how a poisoned MCP tool hijacks a model that was never called</title>
				<link>https://crusaderproxy.com/research/en/posts/mcp-security-auditing-your-ai-tools/</link>
				<pubDate>Sun, 05 Jul 2026 00:00:00 +0000</pubDate>
				<guid>https://crusaderproxy.com/research/en/posts/mcp-security-auditing-your-ai-tools/</guid>
				<description>&lt;p&gt;Most MCP security write-ups tell you each server is &amp;ldquo;a new trust boundary.&amp;rdquo; True, and useless — because it makes you picture a door you choose to walk through. The real problem is that you don&amp;rsquo;t. The dangerous instruction runs the instant you &lt;em&gt;connect&lt;/em&gt; the server, before you invoke anything. &lt;strong&gt;The attack fires at handshake time, not at call time.&lt;/strong&gt;&lt;/p&gt;&#xA;&lt;p&gt;Here is the protocol detail that makes MCP different from every integration you&amp;rsquo;ve audited before. When a client connects, it calls &lt;code&gt;tools/list&lt;/code&gt; and the server returns each tool&amp;rsquo;s name, input schema, and a natural-language &lt;code&gt;description&lt;/code&gt;. That description is not shown to the model when the tool is called — it&amp;rsquo;s loaded into the model&amp;rsquo;s context &lt;strong&gt;immediately&lt;/strong&gt;, at &lt;code&gt;tools/list&lt;/code&gt; time, so the model knows which tools exist and when to reach for them. The description is in the prompt from the first token of the conversation onward.&lt;/p&gt;</description>
			</item>
			<item>
				<title>Indirect prompt injection is SSRF for the agent era</title>
				<link>https://crusaderproxy.com/research/en/posts/prompt-injection-is-the-new-ssrf/</link>
				<pubDate>Fri, 03 Jul 2026 00:00:00 +0000</pubDate>
				<guid>https://crusaderproxy.com/research/en/posts/prompt-injection-is-the-new-ssrf/</guid>
				<description>&lt;p&gt;Most write-ups tell you prompt injection is &amp;ldquo;when the model follows instructions in its input.&amp;rdquo; True, and useless — because that framing makes it sound like a chatbot quirk you patch with a better system prompt. It isn&amp;rsquo;t. It&amp;rsquo;s an architecture bug you already know by another name.&lt;/p&gt;&#xA;&lt;p&gt;SSRF happened because a server would fetch a URL &lt;em&gt;you&lt;/em&gt; controlled and trust the &lt;strong&gt;response&lt;/strong&gt;. Indirect prompt injection happens because an agent reads content &lt;em&gt;you&lt;/em&gt; control — a web page, a PDF, an email, a calendar invite — and trusts it as &lt;strong&gt;instructions&lt;/strong&gt;. Same defect, new medium. The server-side fetch became a model-side read; the trusted response became a trusted command.&lt;/p&gt;</description>
			</item>
	</channel>
</rss>
