Skillget

pentesting-mcp-servers-checklist

mcp
Guvenlik Denetimi
Uyari
Health Gecti
  • License — License: CC-BY-4.0
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 31 GitHub stars
Code Uyari
  • Code scan incomplete — No supported source files were scanned during light audit
Permissions Gecti
  • Permissions — No dangerous permissions requested
Purpose
This project is a community-driven reference document and checklist designed for security practitioners. It provides structured guidance for pentesting and assessing the security of Model Context Protocol (MCP) servers.

Security Assessment
Because this is a documentation repository rather than an executable software package or active server, it does not access sensitive data, execute shell commands, or make external network requests. The automated code scan did not find any dangerous permissions or hardcoded secrets. Overall risk: Low.

Quality Assessment
The project is highly active, with its most recent updates pushed just today. It is cleanly licensed under CC-BY-4.0, which explicitly permits forking, remixing, and commercial use with attribution. Community trust is solid for a niche technical resource, supported by 31 GitHub stars. It was originally developed for an OWASP Bay Area presentation, which lends it additional professional credibility.

Verdict
Safe to use.
SUMMARY

A practical, community-driven checklist for pentesting MCP servers. Covers traffic analysis, tool-call behavior, namespace abuse, auth flows, and remote server risks. Maintained by Appsecco and licensed for remixing.

README.md

README

Version 3 is out now!

A practical, community-driven checklist for pentesting Model Context Protocol (MCP) servers. This guide covers local and remote MCP server risks, traffic analysis, tool-call behaviors, context boundaries, authorization flows, and unsafe code paths.

Originally created for the OWASP Bay Area talk on Pentesting MCP Servers (Oct 2025), this checklist is designed for practitioners performing assessments on MCP-based tools, agents, and integrations.

Why this exists

MCP servers are becoming the new execution layer for AI agents. This means they expose:

  • File system access
  • Tool execution
  • Remote APIs
  • STDIO and HTTP bridges
  • Autonomous actions initiated by LLMs

Because of this, MCP servers introduce a wide attack surface that security testers need structured guidance for. This checklist helps you perform systematic and repeatable assessments.

What this checklist covers

  1. Traffic Analysis — proxy inspection of STDIO/HTTP, context injection, TLS enforcement
  2. Authentication & Authorization — auth bypass, OAuth flows, IDOR, privilege escalation
  3. Local MCP Server File and Code Review — embedded secrets, dangerous functions, dependency audits
  4. MCP Tool Behavior and Functionality — tool boundary validation, chaining, local RCE
  5. Tool Security — Input Validation — command injection, path traversal, SSRF, SQLi, SSTI
  6. Tool Security — Output & Schema Validation — schema mismatches, sensitive data leakage, prompt injection via output
  7. Tool Injection — prompt injection via tool names/descriptions, tool shadowing, name collisions
  8. File System & Network Access — path traversal, scope enforcement, DNS rebinding
  9. Context Isolation — cross-user leakage, namespace separation, session persistence
  10. Secret & Credential Handling — hardcoded secrets, log exposure, token caching
  11. Logging & Monitoring — log injection, rate limiting, access controls
  12. Race Conditions & Concurrency — TOCTOU, parallel invocation, resource exhaustion
  13. Advanced Attacks — context pollution, confused deputy, prototype pollution, GraphQL injection

How to use this repo

  • Use the CHECKLIST.md for field assessments
  • Fork and adapt it for your team
  • Submit PRs with improvements
  • Open issues for new MCP attack patterns

Contribute

We welcome:

  • New checklist items
  • Additional MCP server categories
  • Tooling contributions
  • Red-team test cases
  • Sanitized findings

License

This project is licensed under CC BY 4.0. You may remix, adapt, and build upon this checklist for any purpose, even commercially, as long as you provide attribution.

Maintainers

Appsecco

Yorumlar (0)

Sonuc bulunamadi