Insecure MCP Demo
Overview
This project demonstrates a vulnerable MCP server and multiple clients, including a proof-of-concept attack client and also a good client. It is designed for educational purposes to showcase potential security vulnerabilities in MCP server.
Project Structure
vuln-mcp.py: Vulnerable MCP server exposing insecure tools.good-mcp-client.py: Regular good client for normal interactions (insert/query records).attack-mcp-client.py: Automated attack client that demonstrates exploitation of server vulnerabilities.requirements.txt: Python dependencies for the project.
Features & Vulnerabilities
Exposed Server Tools
- insert_record
- Inserts a name/address record into the database.
- Vulnerability: Prone to SQL injection due to direct string interpolation of user input into SQL queries.
- query_records
- Lists all records in the database.
- Vulnerability: Exposes all data without authentication or access control.
- execute_sql
- Executes arbitrary SQL queries provided by the client.
- Vulnerability: Allows any SQL command, including destructive ones (e.g., data exfiltration, schema changes).
- get_env_variable
- Returns the value of any environment variable requested.
- Vulnerability: Leaks sensitive environment variables (e.g., secrets, API keys).
How to Run
1. Install Dependencies
2. Start the Server and Good Client
In one terminal:
Follow the prompts to insert/query records interactively.
3. Run the Attack Client
In another terminal:
This will automatically:
- Attempt SQL injection attacks
- Execute arbitrary SQL queries
- Attempt to read several common environment variables
Example Output
- Attack client will show which payloads succeed or fail, and print out database contents and environment variable values if accessible.
Vulnerabilities Demonstrated
- SQL Injection: User input is unsanitized, allowing attackers to manipulate SQL logic and insert arbitrary data.
- Arbitrary Code Execution: The
execute_sqltool allows attackers to run any SQL command, including data theft or destruction. - Sensitive Data Exposure: The
get_env_variabletool allows attackers to read secrets and configuration values. - Lack of Access Control: Anyone can run all tools and access all data without authentication.
Mitigation Strategies
To secure a real-world MCP server, you should:
- Use Parameterized Queries:
- Always use parameter substitution instead of string interpolation for SQL queries to prevent injection.
- Example (secure):Copy
- Restrict Dangerous Tools:
- Remove or strictly limit tools like
execute_sqlandget_env_variable. - Only expose necessary functionality.
- Remove or strictly limit tools like
- Implement Authentication & Authorization:
- Require users to authenticate and check permissions before allowing access to sensitive tools or data.
- Validate and Sanitize Input:
- Check and sanitize all user inputs, especially those that interact with the database or system.
- Limit Environment Variable Access:
- Only allow access to non-sensitive variables, or remove this tool entirely.
- Audit and Monitor Usage:
- Log all tool invocations and monitor for suspicious or abusive behavior.
- Principle of Least Privilege:
- Run the server with minimal privileges and restrict database and OS access as much as possible.
Disclaimer
This project is for educational and demonstration purposes only. Do not deploy this code in production environments.
For questions or further improvements, please open an issue or contact the project maintainer.
This server cannot be installed
A deliberately vulnerable MCP server that allows clients to interact with a database for educational purposes, demonstrating security vulnerabilities including SQL injection, arbitrary code execution, and sensitive data exposure.