top of page
Search

Propaganda for Machines: the hacker mindset for APIs + AI agents

Quiet Tuesday. Dashboards green. The team ships two things at once:

  1. a “first payout free” promo

  2. a support chatbot that can “help with refunds” via an MCP tool server


By Thursday, money is leaking into dozens of “new” accounts. No malware. No cinematic exploit chain. Just polite, well-timed requests that your systems were socially engineered into approving.


That’s the uncomfortable truth: modern services don’t just get broken — they get persuaded.


So you fight persuasion with design: the kind that assumes every input is a tiny piece of propaganda.


Only test systems you own or have explicit permission to assess.


Propaganda to machines map

The two pockets you should carry


Pocket A: OWASP API Security Top 10 (latest is 2023). It’s still the current API list as of Feb 2026.


Pocket B: OWASP Top 10 for LLMs / GenAI Apps (2025). This is the up-to-date “AI app” risk taxonomy.


A practical way to use them together:

  • APIs are persuaded by identity + authorization + flow + consumption

  • LLM systems are persuaded by language + tool wiring + context + output trust


And when LLMs drive tools (agents, plugins, MCP servers), you get a hybrid: propaganda that can push buttons.


The method: propaganda/rhetoric → hypothesis → tiny probe → signal → proof → fix


A “hacker mindset” isn’t “break everything.” It’s:

  • treat every claim as negotiable

  • treat every default as a vulnerability

  • treat every missing measurement as a lie your system tells itself


Below are 12 propaganda moves that show up in both human manipulation and API/AI abuse. Each one includes: how it manifests, what to test (safely), what signal to watch, and what to recommend.



The 12 propaganda moves (mapped to APIs + LLM/agent systems)


1) Bandwagon — “Everyone’s doing it”


Propaganda move: social proof; the herd makes it feel safe.


API manifestation: Unrestricted Resource Consumption and “promo storms” that flatten protections (OWASP API4, API6).


LLM/agent manifestation: Unbounded Consumption (token floods, tool loops, cost bombs) (LLM10).


Tiny probe (authorized): generate a short surge of legitimate-looking traffic or chats (staging), then return to normal.


Signal: global 429s that punish everyone equally; no identity-aware throttling; agent keeps calling tools in loops.


Fix: identity-aware rate limits + per-route budgets; “surge windows”; hard caps on agent tool calls and token usage; circuit breakers for cost. (This is “anti-mob control.”)


2) Authority — “Trust the badge”


Propaganda move: badges, titles, “internal partner,” “admin.”


API manifestation: Broken Authentication / Broken Function Level Authorization (OWASP API2, API5).


LLM/agent manifestation: tools become “authorities.” If the model can call a refund tool, the model is now an employee with a keyboard (Excessive Agency, LLM06).


MCP angle: if scopes/audience/issuer are sloppy, tokens become portable skeleton keys. MCP’s OAuth-based authorization model makes this explicit.


Tiny probe: replay the same token from a new device/network; attempt an out-of-role function in a test tenant; for agents, try harmless requests that suggest privileged action and confirm it does not execute.


Signal: token works everywhere; no sender binding; tools callable without explicit user permission boundaries.


Fix: sender-constrained tokens (DPoP or mTLS), strict aud/iss, short TTLs; for MCP/agents: explicit tool scopes, least-privilege tool grants, and per-tool authorization checks.


3) Scarcity & urgency — “Act now or lose access”


Propaganda move: time pressure suppresses careful choices.


API manifestation: step-up/MFA gets skipped “to reduce friction,” or broad scopes get granted under countdowns (API2, API6).


LLM/agent manifestation: “urgent” user prompts push agents to take action without verification (LLM06).


Tiny probe: simulate “rush” flows in staging (first payout, new device, large transfer).


Signal: fewer step-ups on risky actions; approvals increase under time pressure.


Fix: risk-based step-up tied to action class, not UX mood. Use standardized “step-up required” signaling where applicable (RFC 9470). Add cooling periods for first payout; queues above thresholds.


4) Card stacking — “Only show the facts that sell”


Propaganda move: selective disclosure and strategic omissions.


API manifestation: errors and responses leak state (existence oracles), or fields are exposed/overwritable (Broken Object Property Level Authorization, API3).


LLM/agent manifestation: Sensitive Information Disclosure and System Prompt Leakage (LLM02, LLM07).


Tiny probe: change one field at a time and diff responses; ask the assistant to “quote its hidden instructions” and verify refusal stays consistent.


Signal: different error messages for “user not found” vs “wrong password”; assistant leaks system prompt fragments or secrets; logs contain raw tokens.


Fix: uniform errors with correlation IDs; strict response shaping; redaction; secret scanning; structured “safe” context passed to models; never place secrets in prompts.



5) Plain folks — “I’m just a normal user”


Propaganda move: harmless appearance to bypass suspicion.


API manifestation: Sensitive Business Flows abused by sybil farms (promos, referrals, refunds) (API6).


LLM/agent manifestation: chat identity is treated as “a person,” not an adversarial interface; agents accept “I’m the CFO” style claims.


Tiny probe: create multiple low-value test accounts from the same device fingerprint / automation harness and see if limits change by identity strength.


Signal: day-one accounts get year-one privileges; no device binding; no graduated trust.


Fix: identity-strength tiers (KYC-lite to KYC-strong), device/key binding where appropriate, progressive caps, and friction targeted at high-abuse flows (not all users).


6) Halo / transfer — “Trusted partner = trusted everywhere”


Propaganda move: credibility “transfers” from one context into another.


API manifestation: Unsafe Consumption of APIs and over-trusting third-party integrations (API10).


LLM/agent manifestation: Supply Chain risk (models, embeddings, plugins/tools, prompt libraries) (LLM03).


MCP angle: adding a remote MCP server is literally adding a new “trusted partner” with tool access.


Tiny probe: review the trust boundaries: what can a partner token do; what can an MCP server tool do; what data does it see.


Signal: partner scope works on unrelated endpoints; “temporary debug scopes” never revoked; tools can access broader data than the user requested.


Fix: explicit allowlists, contract-scoped capabilities, continuous partner call-mix reviews, tool permission manifests, and supply-chain controls (pin versions, verify provenance, monitor for drift).


7) Big lie by repetition — “Tiny changes become the new normal”


Propaganda move: repeat a small claim until it becomes policy.


API manifestation: low-and-slow state drift in refunds, caps, limits; nobody flags it because each event is “valid” (API6).


LLM/agent manifestation: Misinformation compounds across conversations and summaries (LLM09). Also, poisoning can creep in gradually via docs/embeddings (LLM04, LLM08).


Tiny probe: do a slow, consistent sequence of tiny legitimate actions in a test tenant and see if alerts fire.


Signal: no “trend” alarms; no integrity baselines; the agent gradually escalates tool usage without explicit permission.


Fix: state machines for sensitive flows; anomaly windows at multiple horizons (minutes + day); human review thresholds; immutable audit trails for money/privilege.


8) False dilemma — “All access or no service”


Propaganda move: “accept everything or you can’t continue.”


API manifestation: overbroad OAuth scopes; read-only actions require “kitchen sink” permissions (API5, API6).


LLM/agent manifestation: agents granted broad tool access “because it’s easier” (Excessive Agency, LLM06).


MCP angle: poorly designed scopes (e.g., mcp:tools as “god mode”) invite this pattern.


Tiny probe: attempt least-privilege flows: can you perform safe reads with minimal scopes; can the agent complete tasks without dangerous tools enabled.


Signal: broad scopes are mandatory; tool access is all-or-nothing.


Fix: minimal scopes by default; just-in-time escalation; per-tool, per-action grants; scope prompts that describe concrete data/actions.


9) Firehose of falsehood — “Noise wins”


Propaganda move: overwhelm attention until the defender gives up.


API manifestation: distributed low-rate abuse that avoids simple thresholds (API4, API6).


LLM/agent manifestation: context flooding; prompt injection hidden inside long text; retrieval stuffed with junk; cost spikes (LLM01, LLM10).


Tiny probe: send many small, benign events with mild jitter; for LLM systems, test long inputs and ensure the system truncates safely and doesn’t “forget” safety rules.


Signal: no clustering detection; no novelty/entropy features; model starts following malicious instructions embedded in retrieved content.


Fix: identity-aware + graph-aware detection; rate limits by behavioral clusters; retrieval filtering and content provenance; hard context limits with safe summarization.


10) Anchoring & framing — “The first number wins”


Propaganda move: the first frame sets the debate.


API manifestation: client-supplied “suggested limits,” prices, roles, or fields become policy; server nods along (API3, API6).


LLM/agent manifestation: the system prompt is an anchor; so is any “policy snippet” in retrieved docs. Misinformation becomes an anchor (LLM09).


Tiny probe: attempt to pass “suggested” values above policy in a controlled environment; for agents, ensure user-provided instructions can’t override tool safety rules.


Signal: server accepts client hints; agent treats user framing as authorization.


Fix: server-side caps bound to identity tier; explicit allowlists; separate “instruction” from “authority” in the agent architecture (user text never equals permission).


11) Foot-in-the-door — “Just a little permission”


Propaganda move: start small, then escalate.


API manifestation: BOLA + confused deputy + mass assignment: low privilege triggers high privilege via internal hops (API1, API5, API3).


LLM/agent manifestation: prompt injection asks the agent to “just check something,” then it starts calling tools; or it uses tool output unsafely (Improper Output Handling, LLM05).


MCP angle: confused deputy is explicitly called out as a risk; tools must run as the user, not as the server.


Tiny probe: verify every privileged action requires direct authorization at the point of action; ensure “hidden DTO fields” can’t be set; ensure tool outputs are treated as untrusted.


Signal: low-scope identity causes high-impact write; tool output gets executed/parsed unsafely downstream.


Fix: resource-owner checks everywhere; DTO allowlists; output validation/escaping; tool execution “sandboxes”; agent policy gates for high-risk tools.


12) Appeal to evidence — “Look, it’s in the link”


Propaganda move: outsource trust to “sources,” then exploit the trust pipeline.


API manifestation: SSRF: you trick a server into fetching “evidence” from internal targets (API7).


LLM/agent manifestation: indirect prompt injection via fetched documents; retrieval pipelines ingest hostile text; vector store contamination (LLM01, LLM08).


Tiny probe: safely test URL-fetching features with known benign internal test endpoints; verify strict allowlists and no access to metadata or internal networks.


Signal: fetcher can reach internal addresses; retrieved content changes behavior; agents treat retrieved text as instructions.


Fix: egress controls, URL allowlists, DNS pinning/validation, blocked RFC1918/metadata ranges, content provenance tagging, and strict separation: retrieved text is data, not instructions.


13) (Bonus) Metrics gaslight — “If we don’t measure it, it didn’t happen”


Propaganda move: redefine reality by choosing the scoreboard.


API manifestation: missing metrics for abuse, kill-switch time, replay rejects, inventory drift (API9, API8).


LLM/agent manifestation: no telemetry for tool calls, prompt injection attempts, leakage events, cost anomalies (LLM10/LLM02 in practice).

Tiny probe: ask for integrity KPIs. If they don’t exist, that’s the finding.


Signal: “we don’t track that.”


Fix: publish integrity KPIs next to SLOs: abuse rate, step-up completion, tool-call budget overruns, prompt-injection catches, time-to-revoke, false positives.



Field plan


Recon like a cartographer

  • Inventory OAuth/OIDC discovery: /.well-known/oauth-authorization-server / /.well-known/openid-configuration, then follow jwks_uri (RFC 8414).

  • Enumerate sensitive flows: signup, payout, refund, promo redemption, webhook ingestion, file fetch, “admin-ish” routes.

  • For MCP: list tools, scopes, and which tools run locally vs remotely (risk differs).


Identity like a bouncer

  • JWT sanity: aud/iss/exp, rotation, replay resistance.

  • Sender constraints: DPoP (RFC 9449) or mTLS (RFC 8705).

  • OAuth hardening: align with RFC 9700 BCP.


Objects like a lawyer

  • BOLA checks: “am I allowed to access this object?”

  • Property-level checks: “am I allowed to set this field?”

  • Function-level checks: “am I allowed to call this operation?”


Time like an accountant

  • Short surge (minutes) + low-and-slow (day).

  • Look for identity-aware controls, not blanket throttles.


Tools/webhooks like a locksmith

  • Verify HMAC + timestamp window + replay cache.

  • For agents/MCP: confirm per-tool authorization + least privilege + safe parameter handling.


Copy/prompts like a propagandist

  • Consent screens, error messages, and tool descriptions are attack surface.

  • Any text that can steer behavior will be steered.


Report like a professional

Each finding should include:

  • one tiny PoC (safe)

  • raw request/response or screenshot

  • the metric that would have caught it

  • the smallest control that prevents it


Snippets you can paste


Webhook verification pseudocode (timestamp + replay)

def verify(headers, body_raw: bytes, secret: bytes):
    ts = int(headers["X-Timestamp"])
    sig = b64decode(headers["X-Signature-256"])  # agree on encoding

    # time window
    if abs(now_unix() - ts) > 300:
        return "stale"

    mac = hmac_sha256(secret, str(ts).encode() + b"." + body_raw)

    if not constant_time_equal(sig, mac):
        return "bad_mac"

    # replay protection (store for TTL window)
    replay_key = sha256(sig).digest()
    if replay_cache.seen(replay_key):
        return "replay"
    replay_cache.store(replay_key, ttl=300)

    return "ok"

DPoP header shape (sender-constrained tokens)


DPoP is standardized in RFC 9449.

Authorization: DPoP <access_token>
DPoP: <JWT proof with htm, htu, iat, jti, ath>

The point of the exercise


You’re not “hacking APIs.” You’re testing whether a system can be talked into doing the wrong thing:

  • by crowds (bandwagon)

  • by badges (authority)

  • by urgency (scarcity)

  • by selective truth (card stacking)

  • by tool wiring (excessive agency)

  • by supply chains (transfer)

  • by links-as-proof (appeal to evidence)


That’s the modern game.

Comments

  • Medium
  • Threads
  • White Instagram Icon

© 2026 Randall Thomas Productions

bottom of page