Codexhack286/MCP_server_Pentest

MCP Server Pentest

A Model Context Protocol (MCP) server for pentesting tools and vulnerability assessment. This FastAPI-based server provides an API for executing various penetration testing tools with proper schema validation and logging.

🎯 Overview

This project implements an MCP server that exposes penetration testing tools as callable endpoints. It includes support for testing common web vulnerabilities based on the OWASP Top 10 2021 framework. The server provides an API for automated vulnerability assessment across multiple vulnerability categories.

πŸ› οΈ Features

OWASP Top 10 Coverage

This tool implements detection and testing capabilities for the following OWASP Top 10 vulnerabilities:

Note: These tools represent partial implementations of each vulnerability category. Each OWASP Top 10 vulnerability is complex and multifaceted, requiring extensive testing across multiple vectors. The current implementations focus on key indicators and common patterns. For comprehensive penetration testing, additional testing methodologies and tools should be used in conjunction with these tools.

| OWASP    | Vulnerability                           | Tool                          | Status |
|----------|-----------------------------------------|-------------------------------|--------|
| A01:2021 | Broken Access Control                   | IDOR Check                    | ✅     |
| A02:2021 | Cryptographic Failures                  | Transport Security Check      | ✅     |
| A03:2021 | Injection                               | SQL Injection Check           | ✅     |
| A04:2021 | Insecure Design                         | Business Logic Check          | ✅     |
| A05:2021 | Security Misconfiguration               | Directory Enumeration         | ✅     |
| A06:2021 | Vulnerable & Outdated Components        | Component Version Check       | ✅     |
| A07:2021 | Broken Authentication                   | Auth Logic Check              | ✅     |
| A08:2021 | Software & Data Integrity Failures      | Integrity Check               | ✅     |
| A09:2021 | Security Logging & Monitoring Failures  | Logging Check                 | ✅     |
| A10:2021 | Server-Side Request Forgery (SSRF)      | Open Redirect, HTTP Request   | ✅     |

Integrated Tools (25 Security Testing Tools)

A01 - Broken Access Control (3 tools)

  1. HTTP Method Check - Test for dangerous HTTP methods (TRACE, PUT, DELETE)
  2. IDOR Check - Test for Insecure Direct Object Reference vulnerabilities
  3. Privilege Escalation Check - Detect privilege escalation vulnerabilities

A02 - Cryptographic Failures (2 tools)

  1. Client Storage Check - Analyze insecure client-side storage and cookies
  2. Transport Security Check - Verify HTTPS enforcement and HSTS headers

A03 - Injection (3 tools)

  1. Command Injection Check - Test for OS command injection vulnerabilities
  2. SQL Injection Check - Test for SQL injection vulnerabilities
  3. XSS Check - Test for Reflected Cross-Site Scripting vulnerabilities

A04 - Insecure Design (2 tools)

  1. Business Logic Check - Detect missing rate limits and logic flaws
  2. Rate Limit Check - Verify presence of rate limiting mechanisms

A05 - Security Misconfiguration (3 tools)

  1. Directory Enumeration - Identify exposed directories and configuration files
  2. Info Exposure Check - Detect information leakage (stack traces, debug mode)
  3. Security Headers Check - Verify presence of security headers (HSTS, CSP, etc)

A06 - Vulnerable and Outdated Components (2 tools)

  1. Component Version Check - Detect exposed component versions in headers
  2. SBOM Analysis - Analyze Software Bill of Materials for known vulnerabilities

A07 - Identification and Authentication Failures (3 tools)

  1. Auth Logic Check - Detect weak authentication mechanisms
  2. Password Policy Check - Verify strong password policy enforcement
  3. Session Fixation Check - Test for session fixation vulnerabilities

A08 - Software and Data Integrity Failures (2 tools)

  1. Code Signing Check - Verify code signature presence on artifacts
  2. Integrity Check - Check for missing SRI attributes on external resources

A09 - Security Logging and Monitoring Failures (2 tools)

  1. Alert Trigger - Test alerting systems by triggering noisy events
  2. Logging Check - Detect verbose error messages and information leakage

A10 - Server-Side Request Forgery (2 tools)

  1. HTTP Request - Safely perform HTTP GET requests to in-scope URLs
  2. Open Redirect - Test for Open Redirect and potential SSRF vulnerabilities

Utility

  1. Dummy Tool - Test tool to validate MCP server flow

👉 For detailed information about each tool, input/output schemas, and examples, see TOOLS_DOCUMENTATION.md

📋 Project Structure

MCPpenLLM/
├── mcp_server/
│   ├── main.py              # FastAPI app and tool registration
│   ├── server.py            # Native MCP Server implementation (FastMCP)
│   ├── registry.py          # Tool registry management
│   ├── executor.py          # Tool execution logic
│   ├── validator.py         # Input validation
│   ├── tools/               # Security testing tools (organized by OWASP Top 10)
│   │   ├── README.md        # Tools documentation
│   │   ├── dummy.py         # Test tool for validation
│   │   ├── A01/             # Broken Access Control
│   │   │   ├── http_method.py
│   │   │   ├── idor_check.py
│   │   │   └── priv_escalation.py
│   │   ├── A02/             # Cryptographic Failures
│   │   │   ├── client_storage.py
│   │   │   └── transport_security.py
│   │   ├── A03/             # Injection
│   │   │   ├── command_injection.py
│   │   │   ├── sqli_check.py
│   │   │   └── xss_check.py
│   │   ├── A04/             # Insecure Design
│   │   │   ├── business_logic_check.py
│   │   │   └── rate_limit.py
│   │   ├── A05/             # Security Misconfiguration
│   │   │   ├── dir_enum.py
│   │   │   ├── info_exposure.py
│   │   │   └── security_headers.py
│   │   ├── A06/             # Vulnerable Components
│   │   │   ├── component_version_check.py
│   │   │   └── sbom_analysis.py
│   │   ├── A07/             # Authentication Failures
│   │   │   ├── auth_check.py
│   │   │   ├── password_policy.py
│   │   │   └── session_fixation.py
│   │   ├── A08/             # Software and Data Integrity Failures
│   │   │   ├── code_signing.py
│   │   │   └── integrity_check.py
│   │   ├── A09/             # Security Logging & Monitoring Failures
│   │   │   ├── alert_trigger.py
│   │   │   └── logging_check.py
│   │   └── A10/             # Server-Side Request Forgery
│   │       ├── http_request.py
│   │       └── open_redirect.py
│   ├── schemas/             # JSON schemas (organized by OWASP Top 10)
│   │   ├── A01/             # Broken Access Control schemas
│   │   ├── A02/             # Cryptographic Failures schemas
│   │   ├── A03/             # Injection schemas
│   │   ├── A04/             # Insecure Design schemas
│   │   ├── A05/             # Security Misconfiguration schemas
│   │   ├── A06/             # Vulnerable Components schemas
│   │   ├── A07/             # Authentication Failures schemas
│   │   ├── A08/             # Integrity Failures schemas
│   │   ├── A09/             # Logging & Monitoring schemas
│   │   ├── A10/             # SSRF schemas
│   │   ├── dummy_tool_input.json
│   │   └── dummy_tool_output.json
│   ├── logs/
│   │   └── runs.jsonl       # Event logs
│   └── utils/
│       └── logger.py        # Logging utilities
├── test_tools.py            # Testing script for all tools
├── requirements.txt         # Python dependencies
├── .gitignore               # Git ignore file
├── TOOLS_DOCUMENTATION.md   # Detailed tool documentation
└── README.md                # This file

🚀 Quick Start

Prerequisites

  • Python 3.10+
  • Virtual environment (recommended)

Installation

  1. Clone the repository:
git clone https://github.com/Codexhack286/MCP_server_Pentest.git
cd MCP_server_Pentest        # git names the clone after the repository
  2. Create and activate a virtual environment:
python -m venv .venv
.venv\Scripts\Activate.ps1  # On Windows PowerShell
# or
source .venv/bin/activate   # On macOS/Linux
  3. Install dependencies:
pip install -r requirements.txt

Running the Server

You can run the project in two modes: as a standard FastAPI server (for easy testing via HTTP) or as a native MCP server.

Option 1: FastAPI Server (HTTP)

Navigate to the mcp_server directory and start the server:

cd mcp_server
uvicorn main:app --reload

The server will start at http://127.0.0.1:8000

Option 2: MCP Server (Native)

Run the MCP server directly using Python:

cd mcp_server
python server.py

This runs the FastMCP server, which handles transport for MCP clients (like Claude for Desktop).

API Endpoints

  • GET /tools - List all available tools and their schemas
  • POST /execute - Execute a registered tool

🧪 Testing

Use the provided test script to test all tools:

python test_tools.py

Example API Call

curl -X POST http://127.0.0.1:8000/execute \
  -H "Content-Type: application/json" \
  -d '{
    "tool_name": "http_request",
    "arguments": {
      "url": "http://localhost:8000/tools",
      "headers": {"User-Agent": "MCP-Client"}
    }
  }'

📊 Tool Schemas

HTTP Request Tool

Input:

  • url (string, required): Target URL to request
  • headers (object, optional): HTTP headers to include

Output:

  • status_code: HTTP response status
  • headers: Response headers
  • body_preview: Response body (first 5000 bytes)

IDOR Check Tool (A01:2021 - Broken Access Control)

Input:

  • endpoint (string, required): Endpoint with {id} placeholder
  • id_values (array, required): IDs to test (2-5 items)

Output:

  • inconsistent_access (boolean): Whether inconsistent access patterns found
  • evidence (array): Status codes for each tested ID

Use Case: Test if users can access resources belonging to other users by manipulating object references.

Transport Security Check Tool (A02:2021 - Cryptographic Failures)

Input:

  • url (string, required): Target URL to evaluate
  • check_hsts (boolean, optional): Check for HSTS header (default: true)
  • timeout (integer, optional): Request timeout in seconds (default: 5)

Output:

  • vulnerable (boolean): Whether vulnerabilities detected
  • evidence (array): Detailed findings from security checks

Use Case: Verify HTTPS enforcement and presence of security headers like HSTS.
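An offline illustration of the checks this tool's output describes, written for this README as an added example (not the project's transport_security.py): it evaluates an already-captured response instead of sending a request, so the function names, the 1-year max-age threshold and the constructed headers are assumptions.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age (assumed threshold)

def parse_hsts(value: str) -> dict:
    """Split 'max-age=63072000; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def transport_security_check(url: str, headers: dict, check_hsts: bool = True) -> dict:
    """Return the tool's documented output shape: a vulnerable flag plus an evidence list."""
    evidence = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        # Browsers ignore HSTS on plain HTTP, so the only thing to verify here is a redirect up.
        if not hdrs.get("location", "").lower().startswith("https://"):
            evidence.append(f"{url} served over {scheme} without a redirect to https")
    elif check_hsts:
        hsts = hdrs.get("strict-transport-security")
        if hsts is None:
            evidence.append("Strict-Transport-Security header missing")
        else:
            directives = parse_hsts(hsts)
            try:
                max_age = int(directives.get("max-age", ""))
            except ValueError:
                max_age = -1
                evidence.append("HSTS max-age missing or not an integer")
            if 0 <= max_age < ONE_YEAR:
                evidence.append(f"HSTS max-age {max_age} is below one year (0 would clear the policy)")
            if "includesubdomains" not in directives:
                evidence.append("HSTS lacks includeSubDomains, so subdomains remain downgradable")
    return {"vulnerable": bool(evidence), "evidence": evidence}
```

Feeding the function the `headers` object returned by the HTTP Request tool lets the two tools be chained without a second network round trip.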

SQL Injection Check Tool (A03:2021 - Injection)

Input:

  • url (string, required): Target endpoint to test
  • param (string, required): Query parameter name to inject into
  • payloads (array, optional): SQL injection test payloads (max 5)

Output:

  • potential_injection (boolean): Whether SQL injection detected
  • evidence (array): Matched payloads with error signatures

Use Case: Detect SQL injection vulnerabilities by testing common payloads and looking for database error messages.

Open Redirect Tool (A10:2021 - SSRF/Redirect)

Input:

  • url (string, required): Base endpoint to test
  • param (string, required): Redirect parameter name
  • test_urls (array, optional): External URLs for testing (max 3)

Output:

  • vulnerable (boolean): Whether open redirect vulnerability detected
  • evidence (array): Details of redirect attempts

Use Case: Detect unvalidated redirects that could lead to phishing or SSRF attacks.

Directory Enumeration Tool (A05:2021 - Security Misconfiguration)

Input:

  • base_url (string, required): Base URL to enumerate
  • paths (array, optional): Custom paths to test (default: common paths)

Output:

  • vulnerable (boolean): Whether exposed paths found
  • found (array): List of accessible directories with status codes

Use Case: Identify misconfigured or exposed directories like .git, admin, backup, etc.

Auth Logic Check Tool (A07:2021 - Broken Authentication)

Input:

  • login_url (string, required): Login endpoint URL
  • username (string, required): Test username
  • passwords (array, required): Test passwords (2-4 items)

Output:

  • weak_authentication (boolean): Whether weak authentication detected
  • evidence (array): Status codes for each login attempt

Use Case: Detect missing rate limiting or account lockout mechanisms by testing multiple login attempts.

Architecture & Future Roadmap

Current Architecture: FastAPI

This project currently uses FastAPI as the HTTP server wrapper for testing and validation purposes. This allows:

  • Easy testing with cURL and HTTP clients
  • Simple integration testing with vulnerable applications
  • Clear separation of concerns (transport layer vs. business logic)

MCP Server Implementation (New)

The project now includes a fully functional MCP server (mcp_server/server.py) using FastMCP. This enables:

  • Direct integration with Claude for Desktop and other MCP clients
  • Native tool execution
  • Structured tool invocation by AI agents
  • Full local execution (no external API calls)

Schema Design for Portability

All tool schemas are designed to be framework-agnostic:

{
  "name": "tool_name",
  "description": "Tool description",
  "input_schema": { /* JSON Schema */ },
  "output_schema": { /* JSON Schema */ }
}

This means tools can be used by:

  • ✅ FastAPI HTTP endpoints (current)
  • ✅ MCP servers (future)
  • ✅ CLI tools
  • ✅ Direct Python imports
  • ✅ Container orchestrators

Implementation Strategy

Phase 1 (Current): FastAPI for testing and validation

  • Tools thoroughly tested against DVWA/WebGoat
  • Schema structures validated
  • False positive rates measured

Phase 2 (Next): MCP Server implementation

  • Minimal code changes (only transport layer)
  • All tool logic reused
  • LLM integration ready

Phase 3 (Optional): Advanced features

  • Multi-session support
  • Tool result caching
  • Rate limiting per LLM prompt
  • Auto-generated pentesting reports

πŸ“ Configuration

Allowed Hosts for HTTP Requests

Edit validator.py to modify the ALLOWED_HOSTS set:

ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

Request Timeout

Modify http_request_tool timeout in tools/http_request.py (default: 5 seconds)

Body Size Limit

Modify MAX_BODY_SIZE in tools/http_request.py (default: 5000 bytes)

🔄 Git & GitHub

This project is configured as a private repository on GitHub.

To push updates:

git add .
git commit -m "Your message"
git push origin main

📦 Dependencies

See requirements.txt for all dependencies. Main packages:

  • fastapi - Web framework
  • uvicorn - ASGI server
  • pydantic - Data validation
  • requests - HTTP client library
  • mcp - Model Context Protocol SDK

🧬 Architecture

Client Request
    ↓
FastAPI Endpoint (/execute)
    ↓
Input Validation (validator.py)
    ↓
Tool Registry (registry.py)
    ↓
Tool Executor (executor.py)
    ↓
Tool Implementation (tools/*.py)
    ↓
Result + Logging
    ↓
Response to Client

🔧 Development

Adding a New Tool

  1. Determine the appropriate OWASP category (A01-A10) for your tool
  2. Create tool implementation in tools/A0X/new_tool.py (where X is the category number)
  3. Add input/output schemas in schemas/A0X/ directory
  4. Import and register in main.py:
# In the appropriate OWASP section
from tools.A0X.new_tool import new_tool_handler

# In the registration section
register_tool(
    name="new_tool",
    description="Tool description with OWASP category reference",
    input_schema="new_tool_input",
    output_schema="new_tool_output",
    handler=new_tool_handler
)
  5. Update tools/README.md to document the new tool
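The registration steps above, the framework-agnostic schema design and the ALLOWED_HOSTS check come together in the /execute flow (registry, validator, executor, log entry). The following is an added, stand-alone sketch of that flow written for this README, not the project's registry.py, validator.py or executor.py: the in-memory RUN_LOG, the tiny schema validator and the echo handler are all constructed stand-ins. It also shows why the host allow-list must be applied to the parsed hostname rather than to a substring of the raw URL.

```python
import json
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"localhost", "127.0.0.1"}  # same default the README gives for validator.py
TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict, "array": list}

REGISTRY: dict[str, dict] = {}   # name -> {"description", "input_schema", "handler"}
RUN_LOG: list[str] = []          # stands in for logs/runs.jsonl, one JSON line per run

def register_tool(name: str, description: str, input_schema: dict, handler) -> None:
    REGISTRY[name] = {"description": description, "input_schema": input_schema, "handler": handler}

def validate_input(schema: dict, args: dict) -> list[str]:
    """Tiny JSON Schema subset: required keys plus primitive types (a real validator does more)."""
    errors = [f"missing required field '{k}'" for k in schema.get("required", []) if k not in args]
    for key, spec in schema.get("properties", {}).items():
        expected = TYPES.get(spec.get("type"))
        if key in args and expected and not isinstance(args[key], expected):
            errors.append(f"field '{key}' must be {spec['type']}")
    return errors

def url_in_scope(url: str) -> bool:
    """Allow-list on the parsed hostname, never on a substring of the raw URL:
    'http://localhost@evil.example/' has hostname evil.example and is rejected."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and (parts.hostname or "") in ALLOWED_HOSTS

def execute(tool_name: str, arguments: dict) -> dict:
    """The /execute path: registry lookup -> validation -> handler -> log entry."""
    tool = REGISTRY.get(tool_name)
    if tool is None:
        return {"ok": False, "error": f"unknown tool '{tool_name}'"}
    errors = validate_input(tool["input_schema"], arguments)
    if not errors and "url" in arguments and not url_in_scope(arguments["url"]):
        errors.append("url host is not in ALLOWED_HOSTS")
    if errors:
        result = {"ok": False, "error": "; ".join(errors)}
    else:
        result = {"ok": True, "result": tool["handler"](arguments)}
    RUN_LOG.append(json.dumps({"tool": tool_name, "arguments": arguments, "ok": result["ok"]}))
    return result

# Hypothetical echo tool standing in for tools/dummy.py; it only reports the parsed host.
register_tool(
    name="dummy_tool",
    description="Echo the target host (constructed example for the scope check)",
    input_schema={"type": "object", "required": ["url"],
                  "properties": {"url": {"type": "string"}, "headers": {"type": "object"}}},
    handler=lambda args: {"host": urlsplit(args["url"]).hostname},
)
```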

OWASP Category Mapping

  • A01: Broken Access Control
  • A02: Cryptographic Failures
  • A03: Injection
  • A04: Insecure Design
  • A05: Security Misconfiguration
  • A06: Vulnerable and Outdated Components
  • A07: Identification and Authentication Failures
  • A08: Software and Data Integrity Failures
  • A09: Security Logging and Monitoring Failures
  • A10: Server-Side Request Forgery (SSRF)

πŸ“ License

This project is private and owned by Codexhack286.

🤝 Contributing

This is a private repository. Contact the owner for access and contribution guidelines.

📧 Support

For issues or questions, please refer to the GitHub repository or contact the project owner.


Last Updated: February 4, 2026 - Reorganized tools and schemas into OWASP A01-A10 folder structure
