
feat(SAFE-T1804): add API Data Harvest technique documentation#131

Open
geekysatbir wants to merge 10 commits into safe-agentic-framework:main from geekysatbir:feat/add-safe-t1804-api-data-harvest

Conversation

@geekysatbir
Contributor

Summary

This PR adds comprehensive documentation for SAFE-T1804: API Data Harvest, a collection technique where adversaries systematically extract data by manipulating AI agents into making repetitive HTTP requests to REST API endpoints through MCP tools.

What's Included

  • ✅ Complete technique documentation following SAFE-MCP template
  • ✅ Sigma detection rule (UUID: 13A7065E-51D5-42AD-947D-EC746183C739)
  • ✅ Updated main README with link to new technique
  • ✅ Focus on AIOps/observability use cases (Prometheus, Grafana, Datadog, Splunk)

Key Features

  • Attack Vectors: Prompt injection, pagination exploitation, endpoint enumeration
  • Technical Details: Mermaid diagram, attack flow, real-world examples
  • Detection: IoCs, behavioral indicators, Sigma rule
  • Mitigation: Preventive and detective controls with SAFE-M references
  • Impact: High confidentiality risk, medium integrity/availability

Related Techniques

  • Links to SAFE-T1801 (Automated Data Harvesting)
  • Links to SAFE-T1602 (Tool Enumeration)
  • References to SAFE-T1802, SAFE-T1803, SAFE-T1913 (not yet documented)

Testing

  • ✅ Documentation follows template structure
  • ✅ All required sections included
  • ✅ Links verified (only existing techniques linked)
  • ✅ No linting errors

Checklist

  • Follows SAFE-MCP contribution guide
  • Matches format of SAFE-T1103 and SAFE-T1801
  • Includes DCO sign-off
  • Updated main README
  • Detection rule included
  • References and MITRE ATT&CK mapping included
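The behavioral indicators the PR description lists (repetitive HTTP requests through MCP tools, pagination walking, endpoint enumeration) can be checked from a session's tool-call log. The following is an added example written for this page; it is not code from the SAFE-MCP project, from the PR, or from its Sigma rule. The log line format, the `http_get` tool name, the hostnames, the timestamps and all thresholds are assumptions; the sample log is constructed inline.

```python
"""Added example: per-session behavioural detector for API Data Harvest
patterns in an MCP tool-call log. Not part of the SAFE-MCP project or PR #131.
Assumed log format: '<iso-ts> session=<id> tool=<name> url=<url>'."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed thresholds; tune to the environment's normal agent behaviour.
WINDOW = timedelta(minutes=5)
MAX_CALLS_PER_WINDOW = 20      # request-volume indicator
MAX_DISTINCT_ENDPOINTS = 8     # endpoint-enumeration indicator
MAX_SEQUENTIAL_PAGES = 5       # pagination-walking indicator

LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) tool=(?P<tool>\S+) url=(?P<url>\S+)$"
)


@dataclass(frozen=True)
class ToolCall:
    ts: datetime
    session: str
    tool: str   # MCP tool that issued the request, e.g. the assumed "http_get"
    url: str


def parse_log_line(line: str) -> ToolCall:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ToolCall(ts, m["session"], m["tool"], m["url"])


def endpoint_of(url: str) -> str:
    """Normalise a URL to an endpoint key; numeric path ids collapse to 'ID'
    so /api/dashboards/42 and /api/dashboards/43 count as one endpoint."""
    parts = urlsplit(url)
    path = re.sub(r"/\d+(?=/|$)", "/ID", parts.path)
    return f"{parts.netloc}{path}"


def page_of(url: str) -> Optional[int]:
    """Return the pagination cursor (page/offset/start) if the URL carries one."""
    qs = parse_qs(urlsplit(url).query)
    for key in ("page", "offset", "start"):
        if key in qs:
            try:
                return int(qs[key][0])
            except ValueError:
                return None
    return None


def longest_sequential_run(pages: list) -> int:
    """Longest run of strictly increasing cursor values, i.e. pages walked in order."""
    best = run = 1 if pages else 0
    for prev, cur in zip(pages, pages[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best


def analyse_session(calls: list) -> list:
    """Return human-readable findings for one session (empty list if clean)."""
    calls = sorted(calls, key=lambda c: c.ts)
    findings = []
    # 1. Request volume: peak number of calls inside any WINDOW-sized span.
    start = peak = 0
    for end, call in enumerate(calls):
        while call.ts - calls[start].ts > WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    if peak > MAX_CALLS_PER_WINDOW:
        findings.append(f"volume: {peak} HTTP tool calls within {WINDOW}")
    # 2. Endpoint enumeration: many distinct endpoints touched in one session.
    endpoints = {endpoint_of(c.url) for c in calls}
    if len(endpoints) > MAX_DISTINCT_ENDPOINTS:
        findings.append(f"enumeration: {len(endpoints)} distinct endpoints")
    # 3. Pagination walking: the agent steps through pages of one endpoint.
    pages_by_endpoint = defaultdict(list)
    for c in calls:
        p = page_of(c.url)
        if p is not None:
            pages_by_endpoint[endpoint_of(c.url)].append(p)
    for ep, pages in pages_by_endpoint.items():
        run = longest_sequential_run(pages)
        if run >= MAX_SEQUENTIAL_PAGES:
            findings.append(f"pagination: {run} consecutive pages of {ep}")
    return findings


def detect(lines: list) -> dict:
    """Group log lines by session and return only sessions with findings."""
    by_session = defaultdict(list)
    for line in lines:
        call = parse_log_line(line)
        by_session[call.session].append(call)
    return {s: f for s, calls in by_session.items() if (f := analyse_session(calls))}


def _line(minute: int, session: str, url: str) -> str:
    # Constructed sample log line; the date and hosts are placeholders.
    return f"2025-11-15T11:{minute:02d}:00Z session={session} tool=http_get url={url}"


# Constructed sample: one ordinary session and one that walks search results page by page.
SAMPLE_LOG = [
    _line(0, "benign", "https://grafana.example.internal/api/dashboards/uid/abc"),
    _line(7, "benign", "https://grafana.example.internal/api/search?query=cpu"),
    _line(30, "benign", "https://prometheus.example.internal/api/v1/query?query=up"),
] + [
    _line(i, "harvest", f"https://grafana.example.internal/api/search?page={i + 1}")
    for i in range(8)
]

if __name__ == "__main__":
    for session, findings in detect(SAMPLE_LOG).items():
        print(session, findings)
```

The three checks map to the PR's three listed attack vectors: the volume check catches prompt-injected request loops, the endpoint count catches enumeration, and the cursor-run check catches exhaustive pagination even when the total request count stays below the volume threshold, as in the constructed `harvest` session.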

Satbir Singh and others added 10 commits November 15, 2025 11:27
Added practical Python code examples demonstrating:
- Simple loop detection using call history tracking
- Basic loop prevention with iteration limits and convergence checks
- Log pattern analysis for identifying loop indicators

This addition helps beginners understand autonomous loop exploits
through hands-on, runnable code examples.

Signed-off-by: Satbir Singh <satbisin@cisco.com>
Signed-off-by: Satbir Singh <satbisin@cisco.com>
Signed-off-by: Satbir Singh <satbisin@cisco.com>
… documentation

- Added comprehensive documentation for SAFE-T1004 technique
- Includes attack vectors, technical details, detection methods, and mitigations
- Created Sigma-format detection rule for identifying server impersonation attacks
- Updated main README to link to new technique documentation

This technique documents how attackers impersonate trusted MCP servers through
name collision, DNS hijacking, and discovery service manipulation to gain
initial access to MCP environments.

Signed-off-by: Satbir Singh <satbir.taya84@gmail.com>
…us sections

- Expanded Advanced Attack Techniques with more detailed explanations
- Enhanced Current Status section with specific implementation details
- Improved clarity and alignment with SAFE-T1008 format

Signed-off-by: Satbir Singh <satbir.taya84@gmail.com>
Fixed relative paths to use absolute paths from repository root to resolve 404 errors in GitHub PR view.

Signed-off-by: Satbir Singh <satbir.taya84@gmail.com>
Changed from absolute paths (techniques/SAFE-TXXXX/README.md) to relative paths
(../SAFE-TXXXX/README.md) to match the format used by other techniques in the
repository. This ensures links work correctly when viewing files in GitHub's
web interface.

Signed-off-by: Satbir Singh <satbir.taya84@gmail.com>
- Added comprehensive documentation for SAFE-T1804 technique
- Includes attack vectors, technical details, detection methods, and mitigations
- Created Sigma-format detection rule for identifying API harvesting attacks
- Updated main README to link to new technique documentation
- Focused on AIOps/observability use cases (Prometheus, Grafana, Datadog, etc.)

This technique documents how attackers systematically harvest data from REST APIs
through MCP tools by manipulating AI agents into making repetitive HTTP requests.

Signed-off-by: Satbir Singh <satbir.taya84@gmail.com>
Fixed Mermaid diagram by replacing curly braces with quotes to avoid
conflict with Mermaid syntax. Changed {id} to ID in node labels to
prevent parse errors.

Signed-off-by: Satbir Singh <satbir.taya84@gmail.com>
- Resolved conflicts in README.md by accepting upstream version (more up-to-date table format)
- Accepted upstream version for SAFE-T1004 (already merged by another contributor)
- Kept local version for SAFE-T1804 (this PR's contribution)

Signed-off-by: Satbir Singh <satbisin@cisco.com>