// Intentionally vulnerable Express server used as a scanner target (see the
// per-route comments below). Body parsers are registered globally so every
// route can read JSON and form-encoded request bodies.
const express = require('express');
const port = 3001;
const app = express();
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
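// Root endpoint: an index of the routes this server exposes. It must list every
// handler registered below, including /headers and /redirect, so that a scanner
// seeded from this page reaches all of them.
app.get('/', (req, res) => {
  res.json({
    message: 'Vulnerable Test Server Running',
    endpoints: [
      '/user/:id - SQL Injection',
      '/search?q= - XSS',
      '/file?name= - Path Traversal',
      '/ping?host= - Command Injection',
      '/document/:id - IDOR',
      '/debug - Information Disclosure',
      '/admin/:action - Authorization Bypass',
      '/eval?code= - Code Injection',
      '/headers - Missing Security Headers',
      '/redirect?url= - Unvalidated Redirect',
    ],
  });
});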
// SQL Injection (simulated, made obvious for the scanner): no database is
// queried. The handler only echoes the statement it would have built, so the
// unvalidated reflection of req.params.id is what gets detected.
app.get('/user/:id', (req, res) => {
  const { id } = req.params;
  const simulatedQuery = `SELECT * FROM users WHERE id = '${id}'`;
  res.json({
    query: simulatedQuery,
    vulnerability: 'SQL Injection',
    example: "Try: /user/1' OR '1'='1",
    user_input: id,
  });
});
// Reflected XSS (real, not simulated): req.query.q is interpolated unescaped
// into element text and into a JavaScript string literal inside the page, so
// this route is a genuine reflection sink rather than an echo of a description.
// The HTML below is part of the response body and is reproduced verbatim.
app.get('/search', (req, res) => {
  const query = req.query.q || '';
  const page = `
<!DOCTYPE html>
<html>
<head><title>Search Results</title></head>
<body>
<h1>Search Results for: ${query}</h1>
<p>Your search: ${query}</p>
<div id="results">
Results would appear here
</div>
<script>
// Vulnerable to XSS
var searchTerm = "${query}";
document.getElementById('results').innerHTML = 'Searching for: ' + searchTerm;
</script>
</body>
</html>
`;
  res.send(page);
});
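// Path Traversal (simulated): no file is opened. The handler reflects the
// requested name together with the path it would have resolved to; the `path`
// field interpolates `filename` so the unvalidated input is visible in the
// response (a shell-style `$(...)` sequence inside a template literal is not an
// interpolation and would yield a fixed string).
app.get('/file', (req, res) => {
  const filename = req.query.name || 'default.txt';
  res.json({
    file: filename,
    path: `/var/www/files/${filename}`,
    vulnerability: 'Path Traversal',
    example: 'Try: /file?name=../../../etc/passwd',
    user_input: filename,
  });
});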
// Command Injection (simulated): the command string is built and returned but
// never handed to a shell or child process, so the route only demonstrates the
// unvalidated reflection of req.query.host.
app.get('/ping', (req, res) => {
  const host = req.query.host || 'localhost';
  const command = `ping -c 1 ${host}`;
  res.json({
    command,
    vulnerability: 'Command Injection',
    example: 'Try: /ping?host=localhost;ls',
    user_input: host,
  });
});
// IDOR (simulated): every id returns the same fixed placeholder content and no
// authorization check is applied to req.params.id.
app.get('/document/:id', (req, res) => {
  const { id: docId } = req.params;
  res.json({
    document_id: docId,
    content: 'Sensitive document content',
    vulnerability: 'Insecure Direct Object Reference (IDOR)',
    example: 'Try: /document/999',
    user_input: docId,
  });
});
// Information Disclosure (real, not simulated): this returns live process
// details, including the complete environment via process.env. Any credential
// present in the environment the server was started with is served to every
// client that can reach the port, so run it with a scrubbed environment.
app.get('/debug', (req, res) => {
  const systemInfo = {
    node_version: process.version,
    platform: process.platform,
    memory: process.memoryUsage(),
    env_vars: process.env,
    cwd: process.cwd(),
  };
  res.json({
    vulnerability: 'Information Disclosure',
    system_info: systemInfo,
  });
});
// Authorization Bypass: the action name is taken from the URL with no
// authentication or authorization check. The response only reports it; nothing
// is actually performed.
app.get('/admin/:action', (req, res) => {
  const { action } = req.params;
  res.json({
    vulnerability: 'Authorization Bypass',
    action,
    example: 'Try: /admin/delete-users',
    message: `Admin action '${action}' executed without authentication`,
    user_input: action,
  });
});
// Code Injection (simulated): the supplied code is echoed back and never
// evaluated; there is no eval / new Function call in this handler.
app.get('/eval', (req, res) => {
  const code = req.query.code || 'console.log("test")';
  res.json({
    vulnerability: 'Code Injection',
    code,
    example: 'Try: /eval?code=process.exit()',
    warning: 'This would execute arbitrary code',
    user_input: code,
  });
});
// Missing Security Headers: a plain HTML response with nothing beyond the
// Express defaults set on it, so header-audit checks have something to flag.
app.get('/headers', (req, res) => {
  const body = '<html><body>No security headers set</body></html>';
  res.send(body);
});
// Unvalidated Redirect (real, not simulated): the Location target is taken
// verbatim from req.query.url, making this a genuine open redirect.
app.get('/redirect', (req, res) => {
  const target = req.query.url || 'http://example.com';
  res.redirect(target);
});
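// Server start. The route list printed here mirrors the handlers registered
// above, including /headers and /redirect. Notes for operators:
//  - app.listen with no host argument binds on all interfaces; the printed
//    warning is the only guard, so if the scanner runs on the same machine
//    consider passing a loopback host so the bind address enforces it.
//  - listen runs at require time, so importing this module (e.g. from a test)
//    also opens the port.
app.listen(port, () => {
  console.log(`🚨 Vulnerable Test Server running at http://localhost:${port}`);
  console.log(`⚠️ WARNING: This server contains intentional vulnerabilities for testing purposes`);
  console.log(`⚠️ DO NOT expose this server to the internet!`);
  console.log(`\n📋 Available vulnerable endpoints:`);
  console.log(` GET /user/:id - SQL Injection`);
  console.log(` GET /search?q= - Cross-Site Scripting (XSS)`);
  console.log(` GET /file?name= - Path Traversal`);
  console.log(` GET /ping?host= - Command Injection`);
  console.log(` GET /document/:id - IDOR`);
  console.log(` GET /debug - Information Disclosure`);
  console.log(` GET /admin/:action - Authorization Bypass`);
  console.log(` GET /eval?code= - Code Injection`);
  console.log(` GET /headers - Missing Security Headers`);
  console.log(` GET /redirect?url= - Unvalidated Redirect`);
});
module.exports = app;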