MCP Vulnerable Server Demo

🚀 Insecure MCP Demonstration Project

This project showcases a vulnerable MCP server and multiple clients, including a proof - of - concept attack client and a normal client. It is designed for educational purposes to demonstrate potential security vulnerabilities in MCP servers.

🚀 Quick Start

📦 Installation

pip install -r requirements.txt

💻 Usage

Start the server and standard client

In one terminal:

python good-mcp-client.py vuln-mcp.py

Interactively insert/query records as prompted.

Run the attack client

In another terminal:

python attack-mcp-client.py vuln-mcp.py

This will automatically perform the following actions:

• Attempt SQL injection attacks
• Execute arbitrary SQL queries
• Try to read several common environment variables

✨ Features

Project Structure

• vuln-mcp.py: A vulnerable MCP server exposing insecure tools.
• good-mcp-client.py: A standard client for normal interaction (insert/query records).
• attack-mcp-client.py: An automated attack client demonstrating the exploitation of server vulnerabilities.
• requirements.txt: Python dependencies required for the project.

Exposed Server Tools and Vulnerabilities

1. insert_record
   • Insert user - provided name and address records into the database.
   • Vulnerability: Directly interpolates user input into SQL queries, making it vulnerable to SQL injection attacks.
2. query_records
   • List all records in the database.
   • Vulnerability: Exposes all data without authentication or access control.
3. execute_sql
   • Execute any SQL query provided by the client.
   • Vulnerability: Allows the execution of any SQL command, including destructive operations (e.g., data theft, table structure modification).
4. get_env_variable
   • Return the value of any environment variable requested by the user.
   • Vulnerability: Leaks sensitive environment variables (e.g., secrets, API keys).

Example Output

The attack client will show which payloads succeed or fail and print out the database contents and environment variable values (if accessible).

Demonstrated Vulnerabilities

• SQL Injection: User input is not sanitized, allowing attackers to manipulate SQL logic and insert arbitrary data.
• Arbitrary Code Execution: The execute_sql tool allows attackers to run any SQL command, including data theft or destruction.
• Sensitive Data Leakage: The get_env_variable tool allows attackers to read confidential information and configuration values.
• Lack of Access Control: All tools can be run and all data can be accessed without authentication.

🔧 Technical Details

Mitigation Strategies

To protect a real - world MCP server, the following steps should be taken:

1. Use Parameterized Queries:
   • Always use parameter substitution instead of string interpolation for SQL queries to prevent injection.
   • Example (secure):

     cursor.execute("INSERT INTO records (name, address) VALUES (?, ?)", (name, address))
     

2. Restrict Dangerous Tools:
   • Remove or strictly limit tools such as execute_sql and get_env_variable.
   • Only expose necessary functionality.
3. Implement Authentication and Authorization:
   • Require users to authenticate and check permissions before allowing access to sensitive tools or data.
4. Validate and Sanitize Input:
   • Check and sanitize all user input, especially when interacting with the database or the system.
5. Limit Access to Environment Variables:
   • Only allow access to non - confidential variables or disable this function entirely.
6. Conduct Regular Security Audits:
   • Regularly review the code and configuration to identify potential security vulnerabilities.

📄 License

Disclaimer

This project is for educational purposes only. Do not deploy or use similar configurations in a production environment, as it may lead to serious security risks.