
fuzzing_parameters

Test extracted web parameters with various payloads using ffuf or wfuzz to identify security vulnerabilities through automated fuzzing techniques.

Instructions

Fuzz extracted parameters with various payloads using ffuf/wfuzz

Input Schema

Name        Required  Description                            Default
parameters  Yes       Array of extracted parameters to fuzz
tool        No        Fuzzing tool to use

Input Schema (JSON Schema)

{
  "properties": {
    "parameters": {
      "description": "Array of extracted parameters to fuzz",
      "items": {
        "type": "object"
      },
      "type": "array"
    },
    "tool": {
      "description": "Fuzzing tool to use",
      "enum": [
        "ffuf",
        "wfuzz"
      ],
      "type": "string"
    }
  },
  "required": [
    "parameters"
  ],
  "type": "object"
}

Implementation Reference

  • Primary handler function that orchestrates parameter fuzzing using ffuf or wfuzz, groups parameters by endpoint, runs fuzzing, analyzes results, and returns structured ScanResult.
    async fuzzParameters(parameters: ExtractedParameter[], config: Partial<FuzzingConfiguration> = {}): Promise<ScanResult> {
      try {
        const defaultConfig: FuzzingConfiguration = {
          tool: 'ffuf',
          threads: 10,
          timeout: 10,
          delay: 100,
          wordlist: this.getDefaultWordlist('parameters'),
          filter_codes: [404, 403],
          ...config
        };

        console.error(`🔍 Fuzzing ${parameters.length} parameters with ${defaultConfig.tool}`);

        const allResults: FuzzingResult[] = [];

        // Group parameters by URL and method for efficient fuzzing
        const paramGroups = this.groupParametersByEndpoint(parameters);

        for (const [endpoint, params] of paramGroups.entries()) {
          console.error(` Fuzzing endpoint: ${endpoint}`);

          if (defaultConfig.tool === 'ffuf') {
            const ffufResults = await this.runFFUF(endpoint, params, defaultConfig);
            allResults.push(...ffufResults);
          } else if (defaultConfig.tool === 'wfuzz') {
            const wfuzzResults = await this.runWfuzz(endpoint, params, defaultConfig);
            allResults.push(...wfuzzResults);
          }

          // Rate limiting between endpoints
          await this.sleep(defaultConfig.delay);
        }

        // Analyze results for vulnerabilities
        const analyzedResults = this.analyzeResults(allResults);
        const vulnerabilities = analyzedResults.filter(r => r.vulnerability_detected);

        return {
          target: 'parameter_fuzzing',
          timestamp: new Date().toISOString(),
          tool: 'fuzzing_engine',
          results: {
            total_tests: allResults.length,
            vulnerabilities_found: vulnerabilities.length,
            critical_findings: vulnerabilities.filter(v => v.severity === 'critical').length,
            high_findings: vulnerabilities.filter(v => v.severity === 'high').length,
            fuzzing_results: allResults,
            vulnerability_summary: this.summarizeVulnerabilities(vulnerabilities),
            recommendations: this.generateRecommendations(vulnerabilities)
          },
          status: 'success'
        };
      } catch (error) {
        return {
          target: 'parameter_fuzzing',
          timestamp: new Date().toISOString(),
          tool: 'fuzzing_engine',
          results: {},
          status: 'error',
          error: error instanceof Error ? error.message : String(error)
        };
      }
    }
  • src/index.ts:282-301 (registration)
    Tool registration in the ListToolsRequestSchema handler, defining name, description, and input schema for MCP tool discovery.
    {
      name: "fuzzing_parameters",
      description: "Fuzz extracted parameters with various payloads using ffuf/wfuzz",
      inputSchema: {
        type: "object",
        properties: {
          parameters: {
            type: "array",
            items: { type: "object" },
            description: "Array of extracted parameters to fuzz"
          },
          tool: {
            type: "string",
            enum: ["ffuf", "wfuzz"],
            description: "Fuzzing tool to use"
          }
        },
        required: ["parameters"]
      }
    },
  • Dispatch handler in CallToolRequestSchema switch statement that invokes the FuzzingEngine.fuzzParameters method.
    case "fuzzing_parameters":
      return respond(await this.fuzzingEngine.fuzzParameters(args.parameters, { tool: args.tool || 'ffuf' }));
  • TypeScript interface defining the configuration schema for fuzzing operations.
    export interface FuzzingConfiguration {
      tool: 'ffuf' | 'wfuzz';
      threads: number;
      timeout: number;
      delay: number;
      wordlist: string;
      extensions?: string[];
      filter_codes?: number[];
      filter_size?: number[];
      match_codes?: number[];
      custom_headers?: Record<string, string>;
    }
  • TypeScript interface defining the structure of individual fuzzing results.
    export interface FuzzingResult {
      parameter: string;
      payload: string;
      url: string;
      method: string;
      response_code: number;
      response_size: number;
      response_time: number;
      vulnerability_detected: boolean;
      vulnerability_type?: string;
      evidence?: string;
      severity: 'info' | 'low' | 'medium' | 'high' | 'critical';
    }
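
The dispatch handler above forwards args.tool with only a falsy default, and fuzzParameters runs neither branch for a value outside the schema's enum, so such a call returns status 'success' with zero tests. The following is an added example, not code from the mcp-pentest project, of checking arguments against the published input schema before dispatch. validateFuzzingArgs and ValidatedArgs are hypothetical names, and it assumes the MCP layer does not already enforce the schema.

```typescript
// Added example: runtime validation of fuzzing_parameters arguments against
// the input schema shown on this page. All names here are hypothetical.
const ALLOWED_TOOLS = ["ffuf", "wfuzz"] as const;
type Tool = (typeof ALLOWED_TOOLS)[number];

interface ValidatedArgs {
  parameters: Record<string, unknown>[];
  tool: Tool;
}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function validateFuzzingArgs(args: unknown): ValidatedArgs {
  if (!isPlainObject(args)) {
    throw new TypeError("arguments must be an object");
  }
  const { parameters, tool } = args;

  // "parameters" is required and must be an array of objects.
  if (!Array.isArray(parameters)) {
    throw new TypeError("parameters is required and must be an array");
  }
  parameters.forEach((p, i) => {
    if (!isPlainObject(p)) {
      throw new TypeError(`parameters[${i}] must be an object`);
    }
  });
  const checked = parameters as Record<string, unknown>[];

  // "tool" is optional. Only a missing value gets the 'ffuf' default;
  // anything else must match the enum, otherwise the engine would skip
  // both tool branches and still report success.
  if (tool === undefined) {
    return { parameters: checked, tool: "ffuf" };
  }
  if (typeof tool !== "string" ||
      (ALLOWED_TOOLS as readonly string[]).indexOf(tool) === -1) {
    throw new TypeError(`tool must be one of: ${ALLOWED_TOOLS.join(", ")}`);
  }
  return { parameters: checked, tool: tool as Tool };
}
```

Calling this at the top of the "fuzzing_parameters" case turns a malformed request into an explicit error instead of an empty successful scan.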

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/adriyansyah-mf/mcp-pentest'