Developer builds runtime MCP security scanner after static tools missed his own access-control bug

·1 views

A developer discovered a critical access-control flaw in Warden, his own role-based governance layer for MCP servers, where support-role users could infer hidden billing data by using restricted fields as query filters. Standard MCP security scanners failed to detect the vulnerability because they only analyze static tool manifests, not live server behavior. To address this gap, he built Siege, a runtime scanner that connects to a live MCP server as different user identities and compares what each role can access. Siege uses a differential approach, learning the full schema from the most-permissive identity and probing restricted roles for discrepancies, without relying on hardcoded field names or roles. The tool independently surfaced four classes of authorization vulnerabilities, including filter leaks, row-scope escalation, ID enumeration, and forbidden-resource reads.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

csh Shell Incompatibility Bug Fixed Across SSH Codebase With Unified Helper

A user reported that WordPress auto-detect via SSH always failed while the WP-CLI path test on the same connection succeeded, pointing to an asymmetric bug. Investigation revealed the root cause was csh, the default login shell on some hosts like Sakura Internet, which cannot interpret Bash/POSIX idioms such as 2>/dev/null passed through Python's paramiko SSH library. An earlier fix had wrapped commands in /bin/sh -c for one endpoint only, leaving all other SSH-command APIs still broken on csh hosts. Developers resolved this by introducing a _safe_run helper function that automatically wraps every SSH command in /bin/sh -c, ensuring POSIX shell interpretation regardless of the user's login shell. A static analysis test was also added to the codebase to prevent raw SSH command calls from being introduced again in the future.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Developer Builds Aegis Pulse to Automate GitHub Analytics Tracking for OSS Projects

A developer behind the open-source tool Aegis Stack publicly launched the project on Reddit on December 3rd and began manually tracking GitHub clone metrics daily due to the platform's 14-day rolling data window. To extract insights, they routinely pasted the collected data into three separate AI chats — ChatGPT, Claude Opus, and Google Gemini — preloaded with project context. Over time, growing context sizes caused the AI chats to lose coherence, forcing repeated and time-consuming chat migrations. This frustration ultimately led the developer to automate the entire workflow, giving rise to Aegis Pulse. Aegis Pulse is a free, no-signup tool that provides real human-versus-bot download analytics for open-source packages.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Mobile-Originated iMessage 2FA Could Eliminate SMS Pumping Fraud and Cut Costs

SMS pumping, also known as Artificially Inflated Traffic fraud, is a scheme where bad actors submit thousands of phone numbers to a company's verification endpoint, triggering paid SMS codes that generate revenue for fraudsters through carrier termination fees. The scam exploits the fact that companies pay for every outgoing one-time password, creating a direct financial incentive for abuse at scale. Elon Musk cited this fraud as costing Twitter approximately $60 million per year before the platform removed free SMS two-factor authentication, with around 390 telecom operators allegedly implicated. A proposed alternative flips the model: instead of companies sending codes to users, users send a pre-filled one-time code from their own iMessage to the service, eliminating any outbound per-message cost that fraudsters could exploit. Because the message originates from the user's Apple ID over end-to-end-encrypted iMessage, the approach is also more resistant to spoofing than traditional SMS-based verification.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Free CLI Tool Validates Shopify Product CSVs Before Import to Catch Silent Errors

A command-line tool called Shopify CSV Preflight Validator allows merchants and developers to check product CSV files for errors before uploading them to Shopify. The tool runs locally without requiring any login or third-party data upload, scanning for common issues such as UTF-8 BOM characters, incorrect header casing, missing parent handles, duplicate handles, and invalid pricing. It produces three outputs: a corrected CSV file, a machine-readable errors list, and a human-readable markdown report. Two categories of unambiguous errors — BOM at file start and header case mismatches — are automatically fixed, while all other issues are flagged for the user to resolve manually. The tool is aimed at solo merchants handling bulk product updates as well as agencies managing client store imports.

0 comments Read more at DEV Community