AutoJack How a Single Page Can RCE the Host Running Your AI ...#2405
carlospolop wants to merge 1 commit into
🔗 Additional Context

Original Blog Post: https://microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent

Content Categories: Based on the analysis, this content was categorized under "AI Security -> AI MCP Security; optionally cross-reference Pentesting Web -> WebSocket Attacks and Command Injection".

Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
AutoJack is a research exploit chain found by Microsoft in a development build of AutoGen Studio, the developer UI for AutoGen multi-agent systems. The chain shows how attacker-controlled web content rendered by a local browsing agent can cross the localhost trust boundary, connect to AutoGen Studio's local Model Context Protocol (MCP) WebSocket, and cause the AutoGen Studio process to spawn arbitrary commands on the host.

🔧 Technical Details

Agent-assisted localhost WebSocket hijacking: Localhost-only Origin checks are insufficient when a browser-capable AI agent runs on the same machine as a privileged local service. If the agent renders attacker-controlled HTML or JavaScript, that content can attempt WebSocket or HTTP requests to localhost and abuse the agent as a confused deputy. The reusable pattern is to identify local control planes protected mainly by loopback assumptions, then steer a local browsing agent into loading content that reaches those services.

WebSocket authentication bypass through middleware exclusions: If an application's global authentication middleware skips WebSocket-like paths such as /api/ws or /api/mcp, the WebSocket handler must perform its own authentication during handshake or accept time. If the handler does not do so, the route remains unauthenticated even when the rest of the REST API is protected by OAu...

🤖 Agent Actions
Using the repo directly; I’ll inspect AI/MCP-related docs first, then place the new technique where it best fits.
Done — I updated:
src/AI/AI-MCP-Servers.md

Added a new subsection covering the reusable agent-assisted localhost MCP hijacking / AutoJack pattern, including:

StdioServerParams-style process spawn abuse

Also added the Microsoft blog URL to the file’s ## References section.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
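Added example, not code from this PR or from AutoGen Studio: a Python sketch of the accept-time check the Technical Details above say a WebSocket handler must perform itself when the global auth middleware excludes /api/ws and /api/mcp. The session-token header, the allow-listed origin and the decision strings are assumptions made for the example.

```python
import hmac

# Constructed example, not AutoGen Studio code: path prefixes the global auth
# middleware skips (the two prefixes named in the PR description).
MIDDLEWARE_EXEMPT_PREFIXES = ("/api/ws", "/api/mcp")

# Assumed allow-list: only the local UI's own origin may open the MCP socket.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8081"})


def middleware_covers(path):
    """True when the global auth middleware would authenticate this path."""
    return not path.startswith(MIDDLEWARE_EXEMPT_PREFIXES)


def authorize_ws_handshake(headers, session_token):
    """Accept-time check the WebSocket handler must run on its own.

    A loopback Origin alone is not enough: a browsing agent on the same host
    can be steered into issuing the request, so a per-session bearer token
    that only the legitimate UI holds is required as well (assumed design).
    """
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if hdr.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allow-listed"
    scheme, _, presented = hdr.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False, "missing bearer token"
    # constant-time comparison so token guessing does not leak timing
    if not hmac.compare_digest(presented.encode(), session_token.encode()):
        return False, "invalid session token"
    return True, "ok"


def handshake_decision(path, headers, session_token):
    """Route the decision: middleware-covered paths are the middleware's job;
    exempt WebSocket paths fall through to the handler's own check."""
    if middleware_covers(path):
        return "middleware"
    ok, reason = authorize_ws_handshake(headers, session_token)
    return "accepted" if ok else reason


if __name__ == "__main__":
    tok = "constructed-session-token"
    # loopback Origin but no token: rejected by the handler, not the middleware
    print(handshake_decision("/api/mcp", {"Origin": "http://127.0.0.1:8081"}, tok))
    print(handshake_decision("/api/mcp", {"Origin": "http://127.0.0.1:8081",
                                          "Authorization": "Bearer " + tok}, tok))
```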