Skip to content
/ SecureMCP Public

SecureMCP is a security auditing tool designed to detect vulnerabilities and misconfigurations in applications using the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction). It proactively identifies threats like OAuth token leakage, prompt injection vulnerabilities, rogue MCP servers, and tool poisoning attacks.

License

MIT license
116 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

makalin/SecureMCP

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

4 Commits
cmd/securemcp
cmd/securemcp
Β 
Β 
config
config
Β 
Β 
internal
internal
Β 
Β 
.gitignore
.gitignore
Β 
Β 
Dockerfile
Dockerfile
Β 
Β 
LICENSE
LICENSE
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 
go.mod
go.mod
Β 
Β 

Repository files navigation

SecureMCP

SecureMCP is a comprehensive security auditing tool designed to detect vulnerabilities and misconfigurations in applications using the Model Context Protocol (MCP). It proactively identifies threats like OAuth token leakage, prompt injection vulnerabilities, rogue MCP servers, and tool poisoning attacks.

πŸ›‘οΈ Features

OAuth Token Scanner

  • Token format validation and security checks
  • Expiration and scope analysis
  • Storage security assessment
  • Token endpoint validation
  • JWT token analysis

Prompt Injection Tester

  • Multiple injection payload types
  • Various injection positions testing
  • Response analysis
  • System prompt override detection
  • Role confusion attack detection

Authentication & Server Integrity Check

  • SSL/TLS configuration validation
  • Authentication method testing
  • Security header verification
  • Server security assessment
  • HSTS and CSP validation

Report Generation

  • HTML and JSON report formats
  • Vulnerability classification
  • Severity assessment
  • Remediation suggestions
  • Summary statistics

πŸ‘¨β€πŸ’» Who Should Use SecureMCP?

  • AI Developers integrating MCP in applications
  • Security teams securing AI model interactions
  • DevSecOps engineers embedding MCP in CI/CD pipelines
  • Researchers studying AI model vulnerabilities
  • Security auditors assessing MCP implementations

πŸš€ Getting Started

Prerequisites

  • Go 1.21+
  • Docker (optional, for containerized deployment)
  • Node.js (for dashboard UI)

Installation

From Source

git clone https://github.com/makalin/SecureMCP.git
cd SecureMCP
make build

Using Docker

docker pull makalin/SecureMCP

Basic Usage

Command Line

# Basic scan
./securemcp scan --target https://your-mcp-server.com

# Scan with specific options
./securemcp scan --target https://your-mcp-server.com \
    --scan-oauth \
    --scan-prompt-injection \
    --scan-authentication \
    --timeout 30s

# Generate HTML report
./securemcp scan --target https://your-mcp-server.com --report html

# Generate JSON report
./securemcp scan --target https://your-mcp-server.com --report json

Programmatic Usage

import "github.com/makalin/SecureMCP/internal/scanner"

// Create scanner instance
scanner := scanner.NewScanner()

// Basic scan
results, err := scanner.Scan("https://your-mcp-server.com")

// Scan with options
options := &scanner.ScanOptions{
    ScanOAuth:           true,
    ScanPromptInjection: true,
    ScanAuthentication:  true,
    TestPrompt:          "your test prompt",
    Timeout:             30 * time.Second,
}
results, err := scanner.ScanWithOptions(target, options)

Report Generation

import "github.com/makalin/SecureMCP/internal/report"

// Create report generator
generator := report.NewReportGenerator("reports")

// Generate report
report, err := generator.GenerateReport(target, results)

// Save as HTML
err = generator.SaveReport(report, "html")

// Save as JSON
err = generator.SaveReport(report, "json")

πŸ“Š Example Output

Command Line

$ ./securemcp scan --target https://example-mcp-server.com
[+] Scanning Target: https://example-mcp-server.com
[!] Token storage vulnerability detected
[!] Prompt Injection vulnerability found in tool 'AutoSummary'
[!] Insecure authentication method detected
[+] Report saved to /reports/scan_2024_03_14_15_30_45.html

HTML Report

The HTML report includes:

  • Summary statistics
  • Vulnerability details
  • Severity levels
  • Remediation suggestions
  • Scan metadata

JSON Report

{
  "target": "https://example-mcp-server.com",
  "scan_time": "2024-03-14T15:30:45Z",
  "vulnerabilities": [
    {
      "type": "OAuth Token Vulnerability",
      "severity": "high",
      "description": "Token storage vulnerability detected",
      "location": "https://example-mcp-server.com",
      "remediation": "Implement secure token storage and proper token validation"
    }
  ],
  "summary": {
    "total_vulnerabilities": 3,
    "critical_count": 0,
    "high_count": 1,
    "medium_count": 1,
    "low_count": 1
  }
}

πŸ› οΈ Development

Project Structure

SecureMCP/
β”œβ”€β”€ cmd/
β”‚   └── securemcp/        # Command-line interface
β”œβ”€β”€ internal/
β”‚   β”œβ”€β”€ scanner/          # Core scanning functionality
β”‚   β”‚   β”œβ”€β”€ oauth.go      # OAuth token scanning
β”‚   β”‚   β”œβ”€β”€ prompt.go     # Prompt injection testing
β”‚   β”‚   β”œβ”€β”€ auth.go       # Authentication checks
β”‚   β”‚   └── scanner.go    # Main scanner implementation
β”‚   └── report/           # Report generation
β”œβ”€β”€ config/               # Configuration management
β”œβ”€β”€ Dockerfile           # Container configuration
└── Makefile            # Build and development tasks

Building

# Build binary
make build

# Run tests
make test

# Build Docker image
make docker-build

# Run in Docker
make docker-run

πŸ“’ Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

πŸš€ License

MIT License

🌐 Links

Protect your MCP applications before they get exploited. πŸ’ͺ Use SecureMCP!

About

SecureMCP is a security auditing tool designed to detect vulnerabilities and misconfigurations in applications using the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction). It proactively identifies threats like OAuth token leakage, prompt injection vulnerabilities, rogue MCP servers, and tool poisoning attacks.

Resources

Readme

License

MIT license
Activity

Stars

116 stars

Watchers

0 watching

Forks

11 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages