MCP Pentest

Instructions

Implementation Reference

• src/tools/fuzzing.ts:103-154 (handler)

  Main execution logic for the fuzzing_directories tool. Configures ffuf/wfuzz for directory bruteforcing, runs the scan, analyzes results for interesting directories/files, and returns structured ScanResult.
  async fuzzDirectories(baseUrl: string, config: Partial<FuzzingConfiguration> = {}): Promise<ScanResult> { try { const defaultConfig: FuzzingConfiguration = { tool: 'ffuf', threads: 20, timeout: 10, delay: 50, wordlist: this.getDefaultWordlist('directories'), extensions: ['php', 'asp', 'aspx', 'jsp', 'html', 'txt', 'xml', 'json'], filter_codes: [404], ...config }; console.error(`🔍 Directory fuzzing on ${baseUrl}`); let results: FuzzingResult[] = []; if (defaultConfig.tool === 'ffuf') { results = await this.runFFUFDirectories(baseUrl, defaultConfig); } else if (defaultConfig.tool === 'wfuzz') { results = await this.runWfuzzDirectories(baseUrl, defaultConfig); } const analyzedResults = this.analyzeDirectoryResults(results); const interestingFindings = analyzedResults.filter(r => r.vulnerability_detected || r.response_code === 200); return { target: baseUrl, timestamp: new Date().toISOString(), tool: 'directory_fuzzing', results: { total_requests: results.length, found_directories: interestingFindings.length, accessible_paths: interestingFindings.filter(r => r.response_code === 200).length, sensitive_files: interestingFindings.filter(r => this.isSensitiveFile(r.url)).length, fuzzing_results: results, interesting_findings: interestingFindings }, status: 'success' }; } catch (error) { return { target: baseUrl, timestamp: new Date().toISOString(), tool: 'directory_fuzzing', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } }
• src/index.ts:555-559 (registration)

  Tool dispatch in the main server handler switch statement, calling the FuzzingEngine.fuzzDirectories method.
  case "fuzzing_directories": return respond(await this.fuzzingEngine.fuzzDirectories(args.target, { tool: args.tool || 'ffuf', extensions: args.extensions }));
• src/index.ts:302-322 (schema)

  Input schema definition for the fuzzing_directories tool, listed in the tools array returned by ListToolsRequest.
  { name: "fuzzing_directories", description: "Fuzz directories and files using ffuf/wfuzz", inputSchema: { type: "object", properties: { target: { type: "string", description: "Target base URL" }, tool: { type: "string", enum: ["ffuf", "wfuzz"], description: "Fuzzing tool to use" }, extensions: { type: "array", items: { type: "string" }, description: "File extensions to test" } }, required: ["target"] } },
• src/tools/fuzzing.ts:345-385 (helper)

  Core helper executing ffuf commands for both directory and file extension fuzzing, parsing output into results.
  private async runFFUFDirectories(baseUrl: string, config: FuzzingConfiguration): Promise<FuzzingResult[]> { try { const results: FuzzingResult[] = []; // Directory fuzzing const dirCommand = `ffuf -u ${baseUrl}/FUZZ -w ${config.wordlist} -t ${config.threads} -timeout ${config.timeout} -fc ${config.filter_codes?.join(',')} -o /dev/null -s`; const { stdout: dirOutput } = await execAsync(dirCommand, { timeout: 120000, maxBuffer: 1024 * 1024 * 5 }); // Parse directory results this.parseFFUFOutput(dirOutput, baseUrl, results); // File extension fuzzing if (config.extensions) { for (const ext of config.extensions) { const extCommand = `ffuf -u ${baseUrl}/FUZZ.${ext} -w ${config.wordlist} -t ${config.threads} -timeout ${config.timeout} -fc ${config.filter_codes?.join(',')} -o /dev/null -s`; try { const { stdout: extOutput } = await execAsync(extCommand, { timeout: 60000, maxBuffer: 1024 * 1024 }); this.parseFFUFOutput(extOutput, baseUrl, results, ext); } catch { // Continue with other extensions } } } return results; } catch (error) { console.error('FFuf directory fuzzing error:', error); return []; } }