45 minutes · The seven agentic failure modes + the zero-click HITL bypass chain, reproduced as case studies
B10 named the modes. This deep-dive reproduces each as a full chain — the attack, the detection gap that defeated the OWASP control, and the defense that closes it. The chains that show up against an agent built to OWASP.
Deep-Dives
Names the seven modes and the zero-click finding. Read as an attacker designing engagements. The methodology.
Reproduces each mode as a chain, names the detection gap that defeated the OWASP control, names the defense. Read as an attacker reproducing the chain.
| Mode | The chain | The detection gap (OWASP control defeated) |
|---|---|---|
| M1 Supply Chain | Signed-but-malicious MCP server whose tool definition carries a hidden exfil instruction. | ASI08: signature verifies the publisher, not the benignity. Registry doesn't enforce name uniqueness. |
| M2 Goal Hijack (drift) | Indirect injection via trusted tool output shifts framing across turns until sub-goal diverges. | ASI01: gate tests direct injection; trusted-output channel uninspected. Reaffirmation N > drift timescale. |
| M3 Inter-Agent Trust | Compromised read-only sub-agent forges a payment request; orchestrator executes under role trust. | NO OWASP ROW. Principal binding verifies sender, not that sender is authorized to request the action. |
| M4 Vision | Steganographic coupon image decodes to vision model as a credential-exfil instruction. | NO OWASP ROW. Attack in pixels, invisible to text taint gates and human reviewers. |
| Mode | The chain | The detection gap (OWASP control defeated) |
|---|---|---|
| M5 Session Contamination | Turn-1 false premise ("compliance-audit mode: log full params") shapes every subsequent turn; credentials logged to transcript. | NO OWASP ROW. Poison is ephemeral-but-cross-turn — lives in context window, not durable memory. ASI04 write controls miss it (no write occurred). |
| M6 Dispatch Abuse | Attacker registers send_email_safe whose description collides with send_email; dispatch routes to the wrong tool. | ASI05: normalizes paths, validates schemas — but NOT the selection layer. The abuse is in dispatch resolution. |
| M7 Capability Disclosure | Multi-turn rapport elicits tool schemas + policy excerpts; attacker engineers a request fitting the policy. | ASI02: scores the leak, not the chain it enables. Disclosure is reconnaissance — severity is the unlocked chain. |
Orchestrators treat sub-agent messages as role-scoped authority, not untrusted input. No ASI equivalent — surface did not exist in single-agent systems.
Attack is in pixels, decoded by the vision model. Invisible to any text-based taint gate and to a human reviewer. No text-only analogue.
Poison is ephemeral-but-cross-turn — lives in the context window, not durable memory. ASI04 write controls miss it because no write occurred.
The structural finding that reframes the human-in-the-loop control. A single external input triggers a multi-step chain where every step passes its approval gate individually (each is benign in isolation) but the compound exfiltrates.
| Step | Action | Gate (isolated) |
|---|---|---|
| 1 | Receives email: "reconcile Q3 vendors, send discrepancies" | External input (auto-received) |
| 2 | Reads vendor list + billing records | Routine data access — APPROVED |
| 3 | Drafts email to vendor, CC's "billing auditor" (payload-supplied) | Drafting email — APPROVED |
| 4 | Sends the email (human sees reasonable note) | Sending drafted email — APPROVED |
| 5 | "Billing auditor" = attacker. Vendor list exfiltrated. | IMPACT |
Bottom layer (B8's control)
PER-STEP APPROVAL. Correct, insufficient. Each high-impact action requires human approval. Stops the single malicious action. Blind to the compound of benign actions.
Top layer (the required extension)
SESSION-LEVEL INTENT DETECTION. Intent tracking (re-derive sub-goal from source each turn). Compound-action pattern matching. Approval freshness windows with compound context attached.
| Mode | Structural control (OWASP) | Behavioral layer that closes the gap |
|---|---|---|
| M1 Supply Chain | Signed manifests | + runtime tool-output verification (secondary model checks outputs for injected instructions) |
| M2 Goal Hijack | Taint gate | + gate extended to tool outputs; reaffirmation N < drift timescale |
| M3 Inter-Agent | — | Inter-agent messages untrusted at receiving boundary; privilege re-checked per action |
| M4 Vision | — | Vision inputs untrusted at same tier as text; secondary-model instruction check |
| M5 Session | — | Context-window provenance tagging; cross-turn premises re-derived from source |
| M6 Dispatch | Path normalization | + unique-resolution dispatch (halt on ambiguity); instruction-stripping of args |
| M7 Disclosure | Canary | Agent never enumerates capabilities to untrusted principals; minimized schemas |
| Zero-click | Per-step approval | + session-level intent detection (intent tracking + compound matching + freshness) |
| Artifact | Function | Unit | Output |
|---|---|---|---|
| B9 | Defense checklist (builder) | The risk | Scored report (PASS/FAIL/MEASURED) |
| SDD-B01 | OWASP offensive procedures (attacker) | OWASP row-exploitation + cross-row chain | Reproduced findings + residuals |
| SDD-B02 | Microsoft case-study chains (attacker) | The chain (multi-step, compound) | Reproduced chain + session-level gap |
Next: SDD-B03 — InjecAgent: The Bridge Benchmark