🔓 IMCP - Insecure Model Context Protocol
The DVWA for AI MCP Security!
⚠️ WARNING: This is a deliberately vulnerable application. DO NOT deploy in production!
Welcome to IMCP – a deliberately vulnerable framework that exposes 14 critical security weaknesses in MCP Servers. Whether you're a security researcher, developer, or educator, IMCP is your playground for hands-on learning about real-world AI MCP vulnerabilities.
🎯 What is IMCP?
IMCP (Insecure Model Context Protocol) is specifically designed for the emerging world of AI Model Context Protocol (MCP) security.
IMCP provides a safe, legal environment to explore, understand, and learn how to exploit and defend against MCP vulnerabilities.
🔍 Why IMCP?
- 🏫 Educational Focus: Learn MCP security in a controlled environment
- 💼 Business Realistic: Vulnerabilities presented in real-world business contexts
- 🎓 Progressive Learning: From basic concepts to advanced attack techniques
- 🛡️ Defensive Mindset: Every vulnerability includes prevention strategies
- 🤝 Community Driven: Open source and continuously updated by security researchers
🚨 Vulnerability Catalog
IMCP exposes 14 critical MCP security vulnerabilities across 5 major categories:
🎯 Prompt & Injection Attacks
- Direct Prompt Injection - Corporate Knowledge Base Data Exposure
- Jailbreak Prompt Injection - AI Executive Assistant Social Engineering
- Tool Response Injection - Marketing Intelligence Platform Manipulation
🔧 Tool Security Flaws
- Tool Poisoning - Software Development Hidden Backdoor
- Rug Pull Attack - HR Benefits Manager Betrayal
- Tool Shadowing - Enterprise Security Vault Impersonation
🌐 Context & Session Vulnerabilities
- Context Leakage - Customer Service Cross-Tenant Data Breach
- Boundary Confusion - Customer Data Processing Context Mixing
- Session ID Exposure - Corporate SSO Portal Data Leakage
⚙️ Configuration & Infrastructure
- Server Name Collision - Salesforce Connector Deception
- Configuration Drift - Enterprise Config Manager Settings Exposure
- Metadata Manipulation - Enterprise Document Manager Access Escalation
🧠 Human Factor Exploitation
- Consent Fatigue Exploitation - Progressive Permission Escalation
- Instruction Override - Security Compliance Scanner Privilege Escalation
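As an added illustration, and not code from the IMCP project, here is a small client-side tool registry in TypeScript that detects three of the catalogued classes from the defender's side: a server name collision (a trusted server name presented by a different identity), tool shadowing (a tool name already pinned from another server) and a rug pull (a tool's description or schema changing after the user approved it). The "server identity" string and the trust map are conventions constructed for this example.

```typescript
import { createHash } from "node:crypto";

// Minimal view of an MCP tool as a client sees it: the server that offered it,
// its name, the description shown to the user and model, and its input schema.
export interface ToolDef {
  server: string;
  name: string;
  description: string;
  inputSchema: object;
}

export type Verdict =
  | "approved" | "unchanged" | "server-collision" | "tool-shadowing" | "rug-pull";

// Fingerprint of everything the user approved. Any later change to the
// description or schema (the rug pull) produces a different hash.
export function toolFingerprint(t: ToolDef): string {
  const canonical = JSON.stringify([t.server, t.name, t.description, t.inputSchema]);
  return createHash("sha256").update(canonical).digest("hex");
}

export class ToolRegistry {
  private pinned = new Map<string, { def: ToolDef; fp: string }>();
  private trusted: Map<string, string>;

  // `trusted` maps an approved server name to the identity it must present
  // (e.g. a package name or command path); the format is constructed here.
  constructor(trusted: Map<string, string>) {
    this.trusted = trusted;
  }

  register(t: ToolDef, serverIdentity: string): Verdict {
    // Server name collision: a trusted name presented by a different identity.
    const expected = this.trusted.get(t.server);
    if (expected !== undefined && expected !== serverIdentity) return "server-collision";

    // Tool shadowing: the same tool name is already pinned from another server.
    for (const { def } of this.pinned.values()) {
      if (def.name === t.name && def.server !== t.server) return "tool-shadowing";
    }

    // Pin on first approval; afterwards, any drift in the fingerprint is a rug pull.
    const key = `${t.server}\u0000${t.name}`;
    const fp = toolFingerprint(t);
    const prior = this.pinned.get(key);
    if (prior === undefined) { this.pinned.set(key, { def: t, fp }); return "approved"; }
    return prior.fp === fp ? "unchanged" : "rug-pull";
  }
}
```

The pinned fingerprint is what a client would persist alongside the user's consent decision, so a changed tool is re-prompted rather than silently trusted.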
🚀 Quick Start
Prerequisites
- Node.js 18+
- TypeScript
- VS Code with GitHub Copilot (recommended)
Installation
Connect to GitHub Copilot
IMCP is designed to work seamlessly with GitHub Copilot in VS Code:
- Open VS Code in the project directory
- Ensure GitHub Copilot is enabled
- MCP configuration is automatically loaded from .vscode/mcp.json
- Start testing: ask Copilot to "Use the vulnerability-summary tool"
🧪 Testing Vulnerabilities
📋 Quick Vulnerability Overview
🎯 Example Attack Tests
Corporate Data Exposure:
AI Social Engineering:
Tool Backdoor Exploitation:
📚 Comprehensive Testing Guide
For detailed step-by-step testing instructions, see: GITHUB_COPILOT_TESTING_GUIDE.md
🎓 Learning Objectives
After using IMCP, you will understand:
🔐 Security Fundamentals
- How MCP vulnerabilities are exploited in real business contexts
- Progressive attack techniques that build trust before exploitation
- Human psychology factors in AI security (consent fatigue, authority claims)
💼 Business Impact
- Financial consequences of MCP security failures
- Regulatory compliance violations (GDPR, HIPAA, SOX)
- Competitive intelligence and corporate espionage risks
🛡️ Defensive Strategies
- Input validation and sanitization best practices
- Proper authorization and access control implementation
- Secure MCP server development patterns
🧠 Security Mindset
- Recognition of social engineering patterns in AI interactions
- Critical thinking about AI tool trust and verification
- Risk assessment for AI integration in business environments
🏗️ Architecture
🔧 Technical Stack
- MCP SDK: Model Context Protocol implementation
- TypeScript: Type-safe vulnerability demonstrations
- Zod: Schema validation (intentionally bypassable)
- Node.js: Runtime environment
- VS Code: Integrated development and testing environment
🌟 Features
🎯 Realistic Business Scenarios
- Corporate knowledge bases and document management
- HR systems and employee data processing
- Customer service and CRM integrations
- IT security and infrastructure management
- Financial systems and compliance reporting
📈 Progressive Attack Methodology
- Trust Building - Tools appear helpful and legitimate initially
- Gradual Escalation - Permissions and access increase over time
- Full Exploitation - Complete compromise demonstrated
- Educational Revelation - Attack explanation and defense strategies
🛡️ Security Education Focus
- Red Flags Training - Learn to recognize attack indicators
- Business Impact Analysis - Understand real-world consequences
- Mitigation Strategies - Practical defense implementations
- Compliance Considerations - Regulatory and legal implications
🤝 Contributing
We welcome contributions from the security research community!
🔍 Ways to Contribute
- New Vulnerabilities: Discover and implement new MCP attack vectors
- Enhanced Scenarios: Create more realistic business contexts
- Educational Content: Improve learning materials and documentation
- Testing Tools: Build automated vulnerability testing frameworks
📋 Contribution Guidelines
- Educational Purpose: All contributions must be for educational use only
- Realistic Context: Vulnerabilities should reflect real-world scenarios
- Comprehensive Documentation: Include attack explanation and defense strategies
- Ethical Guidelines: Follow responsible disclosure and educational ethics
See CONTRIBUTING.md for detailed contribution guidelines.
🔗 Resources & References
📚 MCP Security Documentation
🎓 Security Training Resources
📊 Project Statistics
- 🎯 Vulnerabilities: 14 critical MCP security flaws
- 💼 Business Scenarios: 10+ realistic enterprise contexts
- 🎓 Learning Modules: Progressive difficulty levels
- 🛡️ Defense Strategies: Comprehensive mitigation guidance
- 📱 Platform Support: VS Code + GitHub Copilot integration
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
Additional Educational Use Clause: This software is intended for educational and research purposes only. Commercial use requires explicit permission from the maintainers.
🔓 IMCP - Making AI MCP Security Education Accessible to Everyone
Learn. Practice. Secure.
⭐ Star this repository if IMCP helps you learn MCP security!