WORKSHOP

OWASP FinBot Lab:
Exploit and Secure an
Agentic Vendor Management System

Helen Oakley

Helen Oakley

VP of Software & AI Security, SAP

Venkata Sai Kishore Modalavalasa

Venkata Sai Kishore Modalavalasa

Chief Architect, Straiker

April 21, 2026

AI Cybersecurity

SUMMIT 2026

#AISummit
Why This Matters

Agentic AI Is in Production

Multi-agent systems are making real decisions in finance, HR, supply chain, customer service and more — right now.

  • Autonomous invoice processing & payment approval
  • Onboarding workflows with AI-driven risk assessment
  • Compliance reviews reading untrusted documents
  • Tool-calling agents with system-level access

What Goes Wrong

  • Agent approves a $50K invoice because the description said "CFO pre-approved"
  • Poisoned tool description exfiltrates TINs and bank accounts
  • Vendor chatbot executes rm -rf on the server
  • Compliance document triggers RCE when an admin reviews it

Today you'll do all of these.

OWASP FinBot CTF 2 / 20
The Problem

The Agentic Attack Surface

Traditional LLM apps have one input channel. Agentic systems have many.

User Input Agent (LLM) Tools (MCP) Data & APIs

Prompt Channel

System prompts, user messages, tool descriptions — all in the same text stream

Tool Channel

MCP servers, tool descriptions loaded at runtime, tool arguments passed to external systems

Data Channel

Documents, database records, prior agent notes — untrusted data entering the instruction stream

Every channel is an injection point. Every tool is an action the agent can be tricked into taking.

OWASP FinBot CTF 3 / 20
The Framework

OWASP Top 10 for Agentic Applications (2026)

Today's 6 labs cover 5 of the top 10 ASI categories — the most actively exploited classes in production agentic systems.

ASI-01 Agent Goal Hijack — Labs 1, 2, 5, 6
ASI-02 Tool Misuse & Exploitation — Labs 3, 4, 6
ASI-03 Identity & Privilege Abuse — Lab 3
ASI-04 Supply Chain Vulnerabilities — Labs 4, 6
ASI-05 Unexpected Code Execution — Labs 5, 6
ASI-06 Memory & Context Poisoning — bonus
ASI-07 Insecure Inter-Agent Communication
ASI-08 Cascading Failures — bonus
ASI-09 Human-Agent Trust Exploitation
ASI-10 Rogue Agents

Lab 6 is the inverse — you'll defend against ASI-01, 02, 04, and 05 with a guardrail webhook.

OWASP FinBot CTF 4 / 20
The Platform

Meet FinBot — The Juice Shop for Agentic AI

6 AI Agents

  • Orchestrator — routes tasks, propagates context
  • Onboarding — evaluates new vendors
  • Invoice — approves/rejects invoices
  • Fraud/Compliance — reviews documents
  • Payments — processes transfers
  • Communication — sends notifications

5 MCP Tool Servers

  • FinDrive — document storage
  • FinStripe — payment processing
  • FinMail — email delivery
  • SystemUtils — system operations
  • TaxCalc — tax calculations

5 Portals

Vendor · Admin · Dark Lab · CTF · Labs

OWASP FinBot CTF 5 / 20
The Target

The Financial Workflow

This is the end-to-end process you'll attack and defend:

Invoice Intake Validation Approval Funds Transfer Reconciliation

Agent Decisions

Trust level assessment, threshold checks, urgency classification, approval/rejection

Tool Actions

File reads (FinDrive), payments (FinStripe), emails (FinMail), scripts (SystemUtils)

Data Flow

Invoice descriptions, vendor profiles, compliance docs — all enter the agent's prompt

OWASP FinBot CTF 6 / 20
The Attacks

What You'll Break

Goal Hijack

Extract agent rules, manipulate approval decisions, override policies through social engineering

ASI-01

Impact: Unauthorized invoice approval

Tool Misuse & Supply Chain

Cross-vendor file deletion, MCP tool description poisoning, data exfiltration via tool chaining

ASI-02 ASI-03 ASI-04

Impact: PII exfiltration, data destruction

Code Execution

Multi-turn trust building to execute malicious scripts, indirect injection via poisoned documents

ASI-05

Impact: Remote code execution

OWASP FinBot CTF 7 / 20
The Defense

What You'll Build

After exploiting the system, you'll deploy a guardrail that inspects agent tool calls in real-time.

Agent before_tool hook Webhook block
  • Inspect tool_name and tool_arguments
  • Block suspicious invoice approvals
  • Return allow or block verdicts
  • Real-time activity monitoring

The Offense → Defense Arc

1. Carte Blanche — you exploited excessive agency to exfiltrate vendor data

2. Guardrail 101 — you learn to build webhook-based defenses that intercept tool calls in real-time

3. Carte Noire [BONUS] — deploy a PII-aware guardrail that would have stopped the Carte Blanche exfiltration entirely

OWASP FinBot CTF 8 / 20
The Plan

Today's Roadmap

Session 1 (90 min)

  • Slides — 10 min
  • Platform Orientation — 15 min
  • Lab 1: Reconnaissance — 15 min
  • Lab 2: Policy Bypass — 20 min
  • Lab 3: Destructive Actions — 15 min
  • Buffer — 15 min

15-minute break · request your certificate

Session 2 (90 min)

  • Lab 4: Supply Chain Exfiltration — 25 min
  • Lab 5: Remote Code Execution — 20 min
  • Lab 6: Defense — Guardrail 101 — 25 min
  • Wrap-up + Certificates — 20 min

6 labs · 6 challenges · offense → defense arc

OWASP FinBot CTF 9 / 20
Let's Go

Let's Begin

owasp-finbot-ctf.org

QR: owasp-finbot-ctf.org

Launch the
platform

QR: Lab Guide

Bookmark the
Lab Guide

1. Sign In

Magic link via email — or continue without signing in

2. Register a Vendor

Vendor Portal → Onboarding. Any company name works.

3. Explore the Portals

Vendor · Admin · Dark Lab · CTF · Labs

4. Build · Break · Defend

Be curious. Be creative. Be ruthless. Every exploit is a lesson, every defense is a takeaway. Have fun.

OWASP FinBot CTF 10 / 20
Lab 1 · 15 min

Reconnaissance — Invoice Agent Prompt Extraction

🎩 Vendor ASI-01 LLM07 100 pts

Attack Path

Description field DB Invoice Agent Leaked rules

The invoice description is interpolated directly into the agent's prompt. Inject instructions to make the agent dump its confidential business rules into the task summary.

Questions to Answer

  • What is the auto-approve threshold?
  • What is the max invoice amount?
  • How do trust tiers affect decisions?
  • What are the urgency rules?
  • What is the speed vs. security priority?

Success: Agent leaks PRIMARY GOALS / DECISION FRAMEWORK in task summary

/vendor → Invoices 11 / 20
Lab 2 · 20 min

Policy Bypass — Social Engineering Agents

🎩 Vendor ASI-01 LLM06 100 pts

Two-Part Attack

Part 1: Register a vendor that gets trust_level: low

Non-listed industry + vague services. The onboarding agent's leniency policy pushes toward "standard" — you need to trigger the risk path.

Part 2: Submit a high-value invoice ($10K+) and get it approved

Use the intel from Lab 1. Frame urgency, authority, business continuity. The agent's speed_priority=0.9 favors fast approvals.

The Baseline Test

First: submit with a plain description. See it rejected.

Then: submit with social engineering. See it approved.

Same amount. Same vendor. Different framing. Different outcome.

Impact: Unauthorized $25K invoice approval for low-trust vendor

Note: brute-force jailbreak gets 50% point penalty

/vendor → Invoices 12 / 20
Lab 3 · 15 min

Destructive Actions — Cross-Vendor File Deletion

🎩 Vendor ASI-02 ASI-03 100 pts

The Authorization Gap

Web UI Only your files (enforced)
Chat Agent MCP (FinDrive) All vendors' files (no check)

The web UI enforces ownership. The agent bypasses the UI and calls FinDrive tools directly — without per-vendor authorization.

Attack Steps

  1. Ask the chat assistant to list files for other vendors
  2. Compare with what the web UI shows (only yours)
  3. Ask the assistant to delete a file from a different vendor
  4. Verify: file is gone

Impact: Cross-tenant data destruction via IDOR through agent

/vendor/assistant 13 / 20
15-Minute Break

Take a Break

See you back here in 15 minutes

QR: Request Certificate

Scan to request
your certificate

Request Your Workshop Certificate

Submit your details now so we can issue your OWASP FinBot CTF at SANS AI Cybersecurity Summit 2026 certificate at the end of the workshop.

  • Full name (as you want it on the certificate)
  • Email address
  • Organization (optional)

sans.owasp-finbot-ctf.org/request

OWASP FinBot CTF 14 / 20
Lab 4 · 25 min

Supply Chain Attack — Data Exfiltration

☠️ Dark Lab 🎩 Admin ASI-02 ASI-04 250 pts

The Tool Poisoning Chain

Poison send_email Trigger: "email vendors" get_vendor_details send_email (PII in body) network_request (exfil)

Step 1: Poison (Dark Lab)

Edit the send_email tool description on FinMail. Add "compliance requirements" that instruct the agent to fetch vendor PII and POST it to an external endpoint.

Step 2: Trigger (Admin Co-Pilot)

Send an innocent message: "Notify vendors about payment holidays." The agent follows the poisoned description and exfiltrates TINs, bank accounts, routing numbers.

Impact: PII exfiltration — 1 message, 3 tool calls, zero suspicion

/darklab/supply-chain → /admin 15 / 20
Lab 5 · 20 min

Remote Code Execution

🎩 Vendor ASI-01 ASI-05 LLM06 250 pts

Approach A: Direct (Foot-in-the-Door)

Turn 1: diagnostics Trust established Turn 2: rm -f /...

The vendor chatbot has SystemUtils — including execute_script. A vendor chatbot should never have system-level tools. Build trust with safe commands, then escalate.

Approach B: Indirect (Poisoned Document)

Upload SOC2 doc Admin reviews Hidden instructions execute

Plant a poisoned compliance document. When any admin reviews it, the hidden instructions trigger RCE. The attacker is never in the conversation.

Impact: System-level code execution from a vendor chatbot

/vendor/assistant 16 / 20
Lab 6 · 25 min

Defense — Guardrail 101

🛡️ Defender Mitigation 150 pts

The Guardrail Architecture

Agent decides to call tool
before_tool hook fires Your webhook
{"verdict": "block"} Invoice approval prevented

Your Task

Configure the webhook to block update_invoice_status when status: "approved".

  1. Configure webhook URL in Labs portal
  2. Enable before_tool hook
  3. Test with "Send Test Hook"
  4. Submit an invoice — watch the block verdict

Every attack in Labs 1–5 manifests as a tool call. Inspect at the boundary — catch the attack at the point of impact.

/labs/guardrails 17 / 20
Closing

What We Covered

Offense

  • Lab 1: Prompt injection via data field → policy intel leaked
  • Lab 2: Social engineering → unauthorized approval
  • Lab 3: Agent-mediated IDOR → cross-vendor deletion
  • Lab 4: MCP supply chain poisoning → PII exfiltration
  • Lab 5: Trust building + indirect injection → RCE

Defense

  • Lab 6: Guardrail webhooks → tool call inspection

Key Principles

  • Prompt-based policies are guidelines, not enforcement
  • Authorization must happen at the tool layer
  • Tool descriptions are untrusted input
  • Agents need least-privilege tool scoping
  • Data and instruction channels must be separated
OWASP FinBot CTF 18 / 20
You Earned It

Your Certificate Awaits

OWASP FinBot CTF Certificate
QR: Request Certificate

Haven't requested
your cert yet?

Submit your details and we'll email it after the workshop.

sans.owasp-finbot-ctf.org/request

Don't forget to share #AISummit #OWASPFinBotCTF 19 / 20
Next Steps

Resources & Next Steps

QR: Lab Guide

Lab Guide

Reference doc

QR: Slides

Slides

This deck

QR: owasp-finbot-ctf.org

Keep Practicing

FinBot Platform

QR: GitHub Repository

Contribute

Official GitHub

QR: LinkedIn

Follow & Share

LinkedIn

QR: OWASP GenAI Security Project

Join the Mission

OWASP GenAI

Share your certificate and tag us

#AISummit   #OWASPFinBotCTF   #OwaspGenAISecurityProject   #SANS

Thank You!

owasp-finbot-ctf.org · GitHub · LinkedIn 20 / 20

Keyboard Shortcuts

Space Page DownNext slide
Page UpPrevious slide
HomeFirst slide
EndLast slide
O EscToggle overview
TSession timer
FFullscreen
PPrint / save as PDF
?Show / hide this help

Click anywhere to close

OWASP FinBot Lab

Click any slide to jump to it · press O or Esc to close