appsecco/pentesting-mcp-servers-checklist


Version 3 is out now!

A practical, community-driven checklist for pentesting Model Context Protocol (MCP) servers. This guide covers local and remote MCP server risks, traffic analysis, tool-call behaviors, context boundaries, authorization flows, and unsafe code paths.

Originally created for the OWASP Bay Area talk on Pentesting MCP Servers (Oct 2025), this checklist is designed for practitioners performing assessments on MCP-based tools, agents, and integrations.

Why this exists

MCP servers are becoming the new execution layer for AI agents. This means they expose:

  • File system access
  • Tool execution
  • Remote APIs
  • STDIO and HTTP bridges
  • Autonomous actions initiated by LLMs

MCP servers therefore present a broad attack surface, and testers need structured guidance to cover it. This checklist helps you perform systematic and repeatable assessments.

What this checklist covers

  1. Traffic Analysis — proxy inspection of STDIO/HTTP, context injection, TLS enforcement
  2. Authentication & Authorization — auth bypass, OAuth flows, IDOR, privilege escalation
  3. Local MCP Server File and Code Review — embedded secrets, dangerous functions, dependency audits
  4. MCP Tool Behavior and Functionality — tool boundary validation, chaining, local RCE
  5. Tool Security — Input Validation — command injection, path traversal, SSRF, SQLi, SSTI
  6. Tool Security — Output & Schema Validation — schema mismatches, sensitive data leakage, prompt injection via output
  7. Tool Injection — prompt injection via tool names/descriptions, tool shadowing, name collisions
  8. File System & Network Access — path traversal, scope enforcement, DNS rebinding
  9. Context Isolation — cross-user leakage, namespace separation, session persistence
  10. Secret & Credential Handling — hardcoded secrets, log exposure, token caching
  11. Logging & Monitoring — log injection, rate limiting, access controls
  12. Race Conditions & Concurrency — TOCTOU, parallel invocation, resource exhaustion
  13. Advanced Attacks — context pollution, confused deputy, prototype pollution, GraphQL injection
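One concrete instance of what items 5 and 8 probe for, as an added example that is not code from this repository or from any MCP SDK: a minimal MCP-style read_file tool in two versions, the naive handler that joins a model-supplied path onto a workspace root (path traversal, absolute-path escape, no scope enforcement) beside a hardened handler that resolves the path, follows symlinks, and refuses anything outside the root. The function names and the throwaway workspace layout are assumptions constructed for the demo.

```python
# Added example, not code from the appsecco checklist repository or an MCP SDK.
# A minimal MCP-style "read_file" tool in two versions: the naive one that a
# checklist item 5/8 test would flag (path traversal, no scope enforcement),
# and a hardened one that resolves the path and enforces a workspace root.
# The workspace layout in demo() is constructed for this illustration.
import tempfile
from pathlib import Path


def read_file_vulnerable(root: str, user_path: str) -> str:
    """Naive handler: joins the model-supplied path onto the root.

    Path(root, "/etc/hostname") discards root entirely, and "../" segments
    walk out of the workspace, so nothing here enforces scope.
    """
    return Path(root, user_path).read_text()


def resolve_in_scope(root: str, user_path: str) -> Path:
    """Resolve user_path under root and reject anything that escapes it.

    resolve() follows symlinks, so a link inside the workspace that points
    outside is caught as well, not just literal "../" traversal.
    """
    root_real = Path(root).resolve(strict=True)
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise PermissionError(f"absolute paths are not allowed: {user_path}")
    target = (root_real / candidate).resolve()
    if target != root_real and root_real not in target.parents:
        raise PermissionError(f"path escapes workspace: {user_path}")
    return target


def read_file_hardened(root: str, user_path: str) -> str:
    """Hardened handler: scope check first, then a regular-file check."""
    target = resolve_in_scope(root, user_path)
    if not target.is_file():
        raise FileNotFoundError(f"not a regular file in workspace: {user_path}")
    return target.read_text()


def demo() -> dict:
    """Build a throwaway workspace and run both handlers against traversal,
    absolute-path and symlink inputs. Returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = Path(base, "workspace")
        root.mkdir()
        (root / "notes.txt").write_text("in scope")
        secret = Path(base, "secret.txt")          # sits outside the workspace
        secret.write_text("out of scope")
        link = root / "link.txt"                   # symlink inside -> outside
        try:
            link.symlink_to(secret)
            have_symlink = True
        except (OSError, NotImplementedError):     # platforms without symlinks
            have_symlink = False

        # Vulnerable handler: traversal and absolute paths both succeed.
        results["vuln_traversal"] = read_file_vulnerable(str(root), "../secret.txt")
        results["vuln_absolute"] = read_file_vulnerable(str(root), str(secret))

        # Hardened handler: in-scope read works, every escape is refused.
        results["hard_ok"] = read_file_hardened(str(root), "notes.txt")
        for label, bad in (("hard_traversal", "../secret.txt"),
                           ("hard_absolute", str(secret)),
                           ("hard_dotdot_mixed", "sub/../../secret.txt")):
            try:
                read_file_hardened(str(root), bad)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
        if have_symlink:
            try:
                read_file_hardened(str(root), "link.txt")
                results["hard_symlink"] = "allowed"
            except PermissionError:
                results["hard_symlink"] = "blocked"
        else:
            results["hard_symlink"] = "skipped"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

When testing a real server, the same three inputs (a `../` walk, an absolute path, and a symlink planted inside the workspace) are the minimum set to send through each file-reading tool; a handler that only strips `..` from the string will still fail the symlink case, which is why the hardened version compares resolved paths rather than filtering the input.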

How to use this repo

  • Use the CHECKLIST.md for field assessments
  • Fork and adapt it for your team
  • Submit PRs with improvements
  • Open issues for new MCP attack patterns

Contribute

We welcome:

  • New checklist items
  • Additional MCP server categories
  • Tooling contributions
  • Red-team test cases
  • Sanitized findings

License

This project is licensed under CC BY 4.0. You may remix, adapt, and build upon this checklist for any purpose, even commercially, as long as you provide attribution.

Maintainers

Appsecco
