Farayabaig/a2a_attack
A2A Customer Service Agent Chain Attack - Security POC

⚠️ DISCLAIMER

This proof-of-concept is designed for AUTHORIZED SECURITY TESTING ONLY.

  • Only use on systems you own or have explicit permission to test
  • Educational purposes for security research
  • Not for malicious use
  • Follow responsible disclosure practices

🎯 Purpose

Demonstrates security vulnerabilities in Agent-to-Agent (A2A) communication systems, specifically:

  1. Direct Prompt Injection - Injecting malicious instructions in user input
  2. Context Poisoning - Poisoning agent handoff context
  3. Privilege Escalation - Attempting to access unauthorized data
  4. Lateral Movement - Impersonating other users

πŸ—οΈ Scenario

Customer Service Agent Chain:

User Request → Customer Service Agent → Database Agent → Email Agent → Response

Attack Goal:

  • Authenticated user tries to access other users' data
  • Inject instructions to exfiltrate entire customer database
  • Bypass authentication and authorization controls
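As an added example (not code from this repository), the defensive counterpart to the chain above: the Database Agent derives its data scope from an HMAC-signed authentication context minted at login, never from instructions carried in the handoff from the upstream agent, so injected or poisoned instructions cannot widen the scope. `SERVER_KEY` and the two-user `DATABASE` are constructed assumptions.

```python
# Added example, not part of the Farayabaig/a2a_attack repository.
# Hardened handoff for: User -> Customer Service Agent -> Database Agent.
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: a per-deployment secret held by the auth layer and data layer only,
# never placed in any agent prompt.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed mock database; john@example.com mirrors the README's baseline user.
DATABASE = {
    "john@example.com": {"balance": 5000, "role": "user"},
    "alice@example.com": {"balance": 12000, "role": "user"},
}

@dataclass(frozen=True)
class AuthContext:
    user: str
    role: str
    mac: str  # HMAC-SHA256 over (user, role), minted by the auth layer at login

def _mac(user: str, role: str) -> str:
    msg = json.dumps([user, role]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def mint_auth_context(user: str, role: str) -> AuthContext:
    """Auth layer: the only place an AuthContext is created."""
    return AuthContext(user, role, _mac(user, role))

def verify_auth_context(ctx: AuthContext) -> bool:
    """Constant-time check that (user, role) were not altered in transit."""
    return hmac.compare_digest(_mac(ctx.user, ctx.role), ctx.mac)

def database_agent(ctx: AuthContext, handoff: dict) -> dict:
    """Data layer. `handoff` is whatever the upstream agent produced (possibly
    shaped by injected text); it may *request* any account, but the scope
    decision below uses only the verified AuthContext."""
    if not verify_auth_context(ctx):
        return {"error": "invalid auth context"}
    requested = handoff.get("account", ctx.user)
    if ctx.role != "admin" and requested != ctx.user:
        # Out-of-scope request: refuse and record what was asked for.
        return {"error": "forbidden", "requested": requested, "scope": ctx.user}
    record = DATABASE.get(requested)
    if record is None:
        return {"error": "no such account", "requested": requested}
    return {"account": requested, "balance": record["balance"]}
```

The same check rejects a handoff that asks for another user's account and a context whose role was rewritten to `admin`, because the MAC no longer matches.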

🚀 Quick Start

1. Install Dependencies

python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
pip install -r requirements.txt

2. Configure API Key

cp .env.example .env
# Edit .env and add your Anthropic API key

3. Run Demonstration

# Run complete demonstration
python run.py

# Run individual attacks
python -m demos.demo_baseline
python -m attacks.attack_1_direct_injection

📊 What Gets Tested

Baseline (Normal Behavior)

  • User authenticates as john@example.com
  • Requests their account balance
  • Receives ONLY their data ($5000 balance)

Attack Scenarios

Attack 1: Direct Prompt Injection

  • Inject system-level commands in user input
  • Attempt to override agent behavior
  • Goal: Retrieve all customer data instead of just user's data

Attack 2: Context Poisoning

  • Poison the context passed between agents
  • Instructions persist across multiple requests
  • Goal: Establish persistent backdoor in agent chain

Attack 3: Privilege Escalation

  • Start with limited user permissions
  • Attempt to escalate to admin-level access
  • Goal: Access data beyond authenticated scope

Attack 4: Lateral Movement

📈 Expected Results

Expected Attack Results:

  • Agents follow injected instructions
  • Retrieve data beyond authorized scope
  • Return sensitive information from other users
  • Execute unauthorized actions
  • Demonstrate vulnerabilities in A2A communication systems

📄 Generated Reports

After running, check reports/ directory for:

  • poc_report.html - Detailed HTML report
  • attack_log.json - JSON log of all attempts
  • vulnerability_summary.txt - Text summary

🔧 Customization

Edit config.py to customize:

  • Attack payloads
  • Simulated database
  • Agent system prompts
  • Model configuration

🐳 Docker Usage

Build Docker Image

docker build -t a2a-security-poc .

Run with Docker

# Run full demonstration
docker run --rm -v $(pwd)/reports:/app/reports -v $(pwd)/.env:/app/.env a2a-security-poc

# Run specific attack
docker run --rm -v $(pwd)/reports:/app/reports -v $(pwd)/.env:/app/.env a2a-security-poc python -m attacks.attack_1_direct_injection

Docker Compose (Optional)

Create docker-compose.yml:

version: '3.8'
services:
  a2a-poc:
    build: .
    volumes:
      - ./reports:/app/reports
      - ./.env:/app/.env
    environment:
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}

Run with:

docker-compose up

📚 References

  • Solo.io - MCP and A2A Attack Vectors
  • Invariant Labs - Tool Poisoning Attacks
  • Palo Alto Unit 42 - Agent Session Smuggling

πŸ—οΈ Project Structure

a2a-security-poc/
β”œβ”€β”€ README.md
β”œβ”€β”€ requirements.txt
β”œβ”€β”€ .env.example
β”œβ”€β”€ .gitignore
β”œβ”€β”€ config.py
β”œβ”€β”€ Dockerfile
β”œβ”€β”€ run.py
β”œβ”€β”€ src/
β”‚   β”œβ”€β”€ __init__.py
β”‚   β”œβ”€β”€ agents.py
β”‚   β”œβ”€β”€ auth.py
β”‚   β”œβ”€β”€ database.py
β”‚   └── utils.py
β”œβ”€β”€ attacks/
β”‚   β”œβ”€β”€ __init__.py
β”‚   β”œβ”€β”€ attack_1_direct_injection.py
β”‚   β”œβ”€β”€ attack_2_context_poisoning.py
β”‚   β”œβ”€β”€ attack_3_privilege_escalation.py
β”‚   └── attack_4_lateral_movement.py
β”œβ”€β”€ defenses/
β”‚   β”œβ”€β”€ __init__.py
β”‚   └── secure_agents.py
β”œβ”€β”€ demos/
β”‚   β”œβ”€β”€ __init__.py
β”‚   β”œβ”€β”€ demo_baseline.py
β”‚   └── demo_full.py
└── reports/
    └── .gitkeep

πŸ” Usage Examples

Run Full Demonstration

python run.py --full

Run Baseline Only

python run.py --baseline

Run Specific Attack

python run.py --attack 1  # Direct injection
python run.py --attack 2  # Context poisoning
python run.py --attack 3  # Privilege escalation
python run.py --attack 4  # Lateral movement

Run All Attacks

python run.py --attack all

πŸ” Security Configuration

Edit .env to configure security settings:

# Enable/disable actual API calls (for testing without API)
ENABLE_ACTUAL_API_CALLS=true

# Enable verbose logging
VERBOSE_LOGGING=true

# Log all interactions
LOG_ALL_INTERACTIONS=true

🧪 Testing

The POC includes:

  • Mock database with 4 test users
  • Simulated agent interactions
  • Attack detection mechanisms
  • Comprehensive logging

📧 Contact

For questions about this POC or responsible disclosure, contact: [your-email]

📜 License

MIT License - For educational and research purposes only

πŸ™ Acknowledgments

This POC is based on research into Agent-to-Agent communication security vulnerabilities. It is intended to help security researchers and developers understand and mitigate these risks.
