π° Originally published on Securityelites β AI Red Team Education β the canonical, fully-updated version of this article.
π€ AI/LLM HACKING COURSE
FREE
Part of the AI/LLM Hacking Course β 90 Days
Day 19 of 90 Β· 21.1% complete
β οΈ Authorised Targets Only: AI agent security assessment β especially tool hijacking confirmation β must only be performed against authorised targets. Use Burp Collaborator or your own controlled endpoints for all out-of-band callback confirmations. Never trigger real-world agent actions (email sends, file modifications, API calls) against production data during testing without explicit agreement from the engagement contact.
The first time I assessed a real, production AI agent β not a demo, a real production system used by 2,000 employees β I spent the first thirty minutes just mapping what it could do. Email. Calendar. File access on the company SharePoint. A read connection to the HR system. Query capability against the customer CRM. The team that built it was proud of it. They should have been β it was impressive. I spent the next two hours demonstrating that any of those 2,000 employees who could get another employee to upload a specific document to the agent would be able to read that second employeeβs calendar, emails, and HR record.
The finding wasnβt elegant. The injection payload was six sentences hidden in what appeared to be a standard quarterly report. The impact was complete visibility into the target employeeβs work activity β emails, meetings, performance records β without any suspicious action required from either party. The agent was doing exactly what it was built to do. The problem was the gap between what it needed to do its job and what it had been given permission to do. That gap is what Day 19 is built to find systematically.
π― What Youβll Master in Day 19
Apply the Day 18 extraction output as the starting point for agent assessment β extracted tools become the attack targets
Build a permission gap matrix comparing granted vs required permissions for each discovered tool
Craft targeted tool hijacking payloads using exact function names from extraction
Execute indirect tool hijacking via document and email injection chains
Test multi-agent trust boundaries and inter-agent injection
Calculate maximum impact and write the complete chain finding for the report
β±οΈ Day 19 Β· 3 exercises Β· Think Like Hacker + Kali Terminal + Browser ### β Prerequisites - Day 18 β Advanced System Prompt Extraction β the extracted tool list is the input to the Day 19 assessment; completing extraction before starting agent testing saves significant time - Day 10 β LLM06 Excessive Agency β the permission gap analysis and tool hijacking foundations from Day 10 are extended into the full assessment methodology here - Burp Collaborator access β out-of-band confirmation is essential for tool hijacking evidence that doesnβt cause real-world impact ### π AI Agent Security Assessment β Day 19 Contents 1. The Agent Assessment Phases 2. Building the Permission Gap Matrix 3. Targeted Tool Hijacking With Exact Parameters 4. Indirect Injection Chains for Zero-Interaction Exploitation 5. Multi-Agent Trust Boundary Testing 6. Chain Finding Documentation for Maximum Severity In Day 18 you recovered the system prompt and identified what tools the agent has. Day 19 uses that knowledge to run a complete agent security assessment. The extracted tool list is not just reconnaissance β itβs the test plan. Day 20 shifts focus to API-level reconnaissance β finding AI-powered endpoints that arenβt documented and donβt have the access controls their non-AI counterparts do.
The Agent Assessment Phases
Agent assessments have four phases. They run in sequence because each phase informs the next. Skipping phase one β extraction β means running phase two β permission analysis β blind. Skipping phase two means running phase three β tool hijacking β without knowing which tools have the most impact.
Phase one: extract the system prompt using the Day 18 methodology. Get the complete tool list, permission scope, and data access description. Phase two: build the permission gap matrix. What does the agent need vs what does it have? Every excess capability is a target. Phase three: direct tool hijacking. Test each excess tool using targeted payloads that name the exact function and supply valid-looking parameters. Phase four: indirect hijacking. Plant injection in documents and emails that the agent will process naturally, using the direct hijacking payloads as the embedded instruction. The indirect chain produces the Critical finding. The direct chain confirms the tool is hijackable before you invest time in the indirect delivery.
Building the Permission Gap Matrix
The permission gap matrix is a table with one row per discovered tool. Columns: tool name, what it does, whether itβs required for the agentβs stated purpose, and the maximum impact if hijacked. Filling it out before testing determines which tools to prioritise β youβre not going to spend as much time on a calendar read tool as on an email send tool with no recipient restriction.
The βrequiredβ assessment is the most important column. Be strict about it. If the agentβs stated purpose is βanswer customer service questions about product returns,β it needs read access to the returns policy document. It doesnβt need email send capability, calendar access, or the ability to query other customersβ records. Anything beyond the minimum creates a gap. Document it. Every gap entry in the matrix is a target for the next phase.
π Read the complete guide on Securityelites β AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites β AI Red Team Education β
This article was originally written and published by the Securityelites β AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites β AI Red Team Education.
Top comments (1)
The permission gap matrix framing is something more teams need to internalize. The "required vs granted" distinction is almost always where the real damage happens β not because anyone was careless, but because agents accumulate permissions incrementally and nobody audits the delta.
One thing worth adding to the indirect injection chain phase: MCP servers introduce a new delivery surface. When an agent connects to an MCP server, the tool descriptions themselves can carry injection payloads. The agent reads them at startup, before any user input, and the content is never shown to the human in the loop. We scanned 508 public MCP servers at MCPSafe (mcpsafe.io) and found this pattern in 18% of them β tool descriptions that contain instructions to the agent rather than descriptions for the agent. That's Phase 4 injection that bypasses the document and email delivery chains entirely.
The permission gap matrix approach maps cleanly here too: if a server's tool list includes capabilities far beyond what the stated integration purpose requires, that's a red flag worth flagging before install, not after.