Stage 1: Completely Vulnerable System¶
Overview¶
Security Rating: 0/10 ❌
Attack Success Rate: 100%
Time to Compromise: < 60 seconds
Purpose: Demonstrate why security matters through working exploits
What This Example Teaches¶
Stage 1 is an intentionally vulnerable multi-agent task management system with:
- ❌ No authentication
- ❌ No authorization
- ❌ No input validation
- ❌ No encryption
- ❌ No logging
Students learn by successfully executing real attacks against this system.
System Architecture¶
┌─────────────────┐
│ Project Manager │ ← Coordinates work (VULNERABLE)
└────────┬────────┘
│
┌────┴────┐
↓ ↓
┌─────────┐ ┌─────────┐
│ Worker │ │ Worker │ ← Execute tasks
│ Agent 1│ │ Agent 2│
└─────────┘ └─────────┘
│
┌────┴────┐
↓
┌──────────────┐
│ Task Queue │ ← SQLite storage (NO SECURITY)
└──────────────┘
Trust Model: Complete trust (everything believed)
Validation: None
Access Control: None
Five Attack Demonstrations¶
Attack 1: Data Exfiltration via Status Updates¶
CWE: CWE-200: Exposure of Sensitive Information
CVSS: 8.6 (High)
How it works:
# Hide stolen data in status update details field
status_update = {
"type": "status_update",
"task_id": "task-001",
"status": "in_progress",
"details": {
"customer_records": [...], # Stolen PII
"credentials": {...}, # Database passwords
"api_keys": {...} # Third-party keys
}
}
Impact: - Complete data breach - PII exposure (SSNs, credit cards) - Credential theft - API key compromise
Success Rate: 100% ✅
Attack 2: Permission Escalation via Self-Granted Roles¶
CWE: CWE-269: Improper Privilege Management
CVSS: 9.9 (Critical)
How it works:
# Just claim admin permissions
register_message = {
"type": "register",
"agent_id": "attacker",
"permissions": ["admin", "superuser", "god_mode"] # Self-granted!
}
Impact: - Instant admin access - Can read/modify/delete anything - Complete system control
Success Rate: 100% ✅
Attack 3: Task Injection¶
CWE: CWE-94: Improper Control of Generation of Code
CVSS: 9.8 (Critical)
How it works:
# Create fake critical tasks
fake_task = {
"task_id": "URGENT-001",
"description": "Delete all customer data",
"priority": "critical",
"assigned_to": "attacker",
"capabilities": ["database_admin", "full_access"]
}
queue.add_task(fake_task) # No validation!
Impact: - Arbitrary task creation - Resource monopolization - System disruption
Success Rate: 100% ✅
Attack 4: Credit Stealing via Result Tampering¶
CWE: CWE-345: Insufficient Verification of Data Authenticity
CVSS: 8.1 (High)
How it works:
# Find completed tasks, change ownership
task = get_task("task-completed-by-other")
task["completed_by"] = "attacker"
task["metrics"] = {"quality": "exceptional"}
update_task(task) # No integrity checks!
Impact: - Performance fraud - Reputation manipulation - Credit theft
Success Rate: 100% ✅
Attack 5: State Poisoning¶
CWE: CWE-15: External Control of System or Configuration Setting
CVSS: 9.3 (Critical)
How it works:
# Directly manipulate manager's internal state
manager.permissions["attacker"] = ["god_mode"]
manager.permissions["legitimate-worker"] = [] # Revoke others
Impact: - Complete state manipulation - Can grant/revoke any permissions - System-wide disruption
Success Rate: 100% ✅
Running the Attacks¶
Installation¶
# Clone repository
git clone https://github.com/robertfischer3/fischer3_a2a_introduction.git
cd fischer3_a2a_introduction/examples/adversarial_agents/stage1_vulnerable
# No dependencies needed (pure Python stdlib)
python demo_attacks.py
Expected Output¶
═══════════════════════════════════════════════════════
ATTACK 1: Data Exfiltration
═══════════════════════════════════════════════════════
🔴 Embedding stolen data in status update...
✅ ATTACK SUCCESSFUL!
- 1,000 customer records exfiltrated
- Database credentials stolen
- API keys compromised
⏸️ Press Enter to continue to Attack 2...
[... continues through all 5 attacks ...]
═══════════════════════════════════════════════════════
ATTACK SUMMARY
═══════════════════════════════════════════════════════
✅ Successful Attacks: 5/5
Data Exfiltration ✅ SUCCESS
Permission Escalation ✅ SUCCESS
Task Injection ✅ SUCCESS
Credit Stealing ✅ SUCCESS
State Poisoning ✅ SUCCESS
🎓 LESSON: Without security controls, systems are completely vulnerable
Security Analysis¶
Vulnerability Summary¶
| ID | Vulnerability | CWE | CVSS | Exploitability |
|---|---|---|---|---|
| V1 | No Authentication | 287 | 9.8 | Trivial |
| V2 | Missing Authorization | 862 | 9.1 | Trivial |
| V3 | Data Exfiltration | 200 | 8.6 | Trivial |
| V4 | Self-Granted Permissions | 269 | 9.9 | Trivial |
| V5 | Task Injection | 94 | 9.8 | Trivial |
| V6 | Result Tampering | 345 | 8.1 | Trivial |
| V7 | State Poisoning | 15 | 9.3 | Trivial |
Average CVSS: 9.2 (Critical)
Attack Complexity: Low
Detection: 0% (no logging)
Real-World Parallels¶
Colonial Pipeline (2021): - Similar lack of access controls - Ransomware spread unchecked - $4.4M ransom paid
Equifax (2017): - Unvalidated input exploitation - 147M records stolen - $575M settlement
Capital One (2019): - Improper access controls - 100M customer records exposed - $80M fine
Code Structure¶
stage1_vulnerable/
├── README.md # Quick reference
├── src/
│ ├── protocol.py # Message definitions (no auth)
│ ├── utils.py # Basic utilities
│ ├── task_queue.py # Unprotected SQLite queue
│ ├── project_manager.py # Vulnerable coordinator
│ └── malicious_worker.py # Attack implementations
├── demo_attacks.py # Interactive demonstration
└── SECURITY_ANALYSIS.md # Detailed analysis
Total Code: ~1,800 lines
Vulnerabilities: 25+ identified
Documentation: ~800 lines
Learning Objectives¶
After completing this module, you should be able to:
Identify Vulnerabilities¶
- Recognize missing authentication
- Spot missing authorization checks
- Identify unvalidated inputs
- Detect lack of integrity protection
- Notice absence of logging
Understand Attack Techniques¶
- Data exfiltration via side channels
- Privilege escalation methods
- Injection attack patterns
- Result tampering approaches
- State manipulation techniques
Appreciate Security Importance¶
- Understand why security can't be added later
- Recognize false sense of "it won't happen to us"
- Appreciate defense in depth necessity
- Understand attacker mindset
Comparison: What Changes in Later Stages?¶
| Feature | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|
| Authentication | ❌ None | ✅ JWT | ✅ JWT + MFA |
| Authorization | ❌ None | ⚠️ Basic RBAC | ✅ Capability-based |
| Validation | ❌ None | ⚠️ Top-level | ✅ Deep recursive |
| Logging | ❌ None | ⚠️ Basic | ✅ Comprehensive |
| Attack Success | 100% | 45% | 0% |
Key Lesson: Each stage progressively adds security until attacks completely fail.
Next Steps¶
Try the Attacks Yourself¶
- Clone and run: See attacks succeed
- Read the code: Understand vulnerabilities
- Modify attacks: Experiment with variations
Progress to Stage 2¶
Once you understand why Stage 1 is vulnerable:
Learn why "better" ≠ "secure" when sophisticated attacks bypass partial defenses.
Deep Dive¶
For complete technical analysis:
Video Walkthrough¶
📹 Coming soon: Full demonstration of all 5 attacks
Questions?¶
Common Questions:
Q: Is this realistic?
A: Yes. Many real systems have similar vulnerabilities. See Real-World Parallels.
Q: Can I use this in production?
A: NO! This is intentionally vulnerable for education only.
Q: How long to compromise?
A: < 60 seconds for all 5 attacks.
Q: Is there any security?
A: None. That's the point.
Credits¶
Created by: Robert Fischer (robert@fischer3.net)
License: MIT - Educational use
Status: Complete ✅
Part of: Multi-Agent Security Education Project
Last Updated: January 2026
Version: 1.0
Difficulty: Beginner
Time to Complete: 2-3 hours