Excessive Agency: Turn a Support Ticket into a Privileged Action (Confused Deputy)
Attack a real tool-using ReAct agent end to end. As the low-privilege ticket-ingest account, plant an authorized-looking record correction in a support ticket and make DV-ToolAgent run a privileged billing-payee redirect under its own shared credential (the confused deputy), then reach an internal-only endpoint and exfiltrate its value through the fetch tool (SSRF via tool args). Measure attack-success-rate, then harden the tool boundary, scope the DB tool read-only, carry per-user authorization, and allow-list the fetch tool, and prove your own exploit is dead while normal lookups still work.
What you'll learn
1. Recon: read the agent and find the holes. You are red-teaming DV-ToolAgent, ACME Cloud's internal operations assistant. It
2. Foothold: make the agent act on the ticket body. You cannot talk to the agent directly. But you can file an inbound support ticket,
3. Redirect the payee through the record-correction tool. Now weaponize the ticket. The agent's job description includes "applying routine
4. SSRF reach: pull an internal-only endpoint and forward it. The second hole is http_fetch. It has no scheme or host allow-list, so it follows
5. Measure: attack-success-rate of the confused-deputy write. A one-off exploit is a demo. A finding needs a number: how reliably does the payee
6. Harden 1: scope the write path (read-only + per-user authZ). You proved the agent will run a privileged payee write for a low-privilege caller,
7. Harden 2: allow-list the fetch tool (deny loopback / internal). The write path is scoped, but http_fetch will still follow any URL to any host,
8. Verify and resist: prove the full stack holds. One blocked payload is not proof. With all three controls on, the hardened tool boundary
Prerequisites
- Comfortable reading Python
- Know what a SQL UPDATE and an HTTP GET are
- No ML background required
Skills & technologies you'll practice
This advanced-level ai/ml lab gives you real-world reps across:
What you'll do in this lab
This is a hands-on offensive-security lab built on a real tool-using agent: a ReAct loop with native tool-calling against an in-cluster model, a write-capable SQLite tool, and an HTTP fetch tool with no allow-list. You attack DV-ToolAgent, ACME Cloud's internal operations assistant, as ticket-bot, the low-privilege account that ingests support tickets. You never jailbreak the model. You plant an authorized-looking record correction in a ticket the agent ingests, and the agent runs a privileged billing-payee redirect under its own shared credential. This is the confused deputy (OWASP LLM06 Excessive Agency, Agentic ASI03), where the system is broken even when the model behaves, because authorization is assumed at the model's decision layer and never enforced at the tool.
You then exploit the fetch tool: a ticket frames a routine entitlement check with audit logging, and the agent fetches an internal-only endpoint and forwards its value to an attacker-controlled audit pixel (server-side request forgery via tool arguments, Agentic ASI02). You measure attack-success-rate over a paced battery, then switch to defense and harden the tool boundary: scope the SQL tool read-only, carry the requesting user's identity so a low-privilege caller's write is rejected at the tool, and allow-list the fetch tool so loopback and internal hosts are denied. You re-run both exploits to prove they are dead while benign lookups still work.
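The three hardening controls described above (read-only SQL tool, per-user authorization carried to the tool, and an allow-list on the fetch tool) as one tool boundary, written here as an added example rather than the lab's own code. The role names, the allow-listed hostname and the billing table are assumptions for illustration.

```python
import ipaddress
import sqlite3
from urllib.parse import urlparse

# Assumed names: the roles, the allow-listed host and the billing table are illustrative.
WRITE_ROLES = {"billing_admin"}                    # callers allowed to change billing rows
FETCH_ALLOW_HOSTS = {"entitlements.acme.example"}  # exact hostnames http_fetch may reach

class ToolDenied(Exception):
    """Raised at the tool boundary: the model's decision is never the authorization check."""

class DbTool:
    """SQL tool that is read-only by default and grants writes per call from the caller's role."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute("PRAGMA query_only = 1")  # SQLite rejects every write in this state

    def run(self, sql: str, caller_role: str) -> list:
        # The write capability comes from the requesting user's role, not from the agent's
        # shared credential, and is revoked again in the finally block.
        self.conn.execute(f"PRAGMA query_only = {0 if caller_role in WRITE_ROLES else 1}")
        try:
            return self.conn.execute(sql).fetchall()
        except sqlite3.OperationalError as exc:  # "attempt to write a readonly database"
            raise ToolDenied(f"{caller_role!r}: {exc}") from None
        finally:
            self.conn.execute("PRAGMA query_only = 1")

def fetch_allowed(url: str) -> bool:
    """Allow-list for http_fetch: https only, named host on the list, never a literal IP.
    Apply the same check to every redirect hop and to the address actually connected to."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme != "https" or host is None:
        return False
    try:
        ipaddress.ip_address(host)   # 127.0.0.1, 10.0.0.5, ::1 and similar all land here
    except ValueError:
        return host in FETCH_ALLOW_HOSTS  # a named host must be explicitly listed
    return False                          # literal addresses are never followed

def make_demo_tool() -> DbTool:
    """Constructed sample data: one billing row that a low-privilege caller must not change."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE billing (account TEXT PRIMARY KEY, payee TEXT NOT NULL)")
    conn.execute("INSERT INTO billing VALUES ('acct-1', 'ACME Vendor Ltd')")
    return DbTool(conn)
```

The ticket-ingest role can still run the lookups the agent needs, while a payee UPDATE issued under that role fails inside SQLite rather than at the model's discretion.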