VulneraMCP

Instructions

Implementation Reference

• src/tools/security.ts:31-121 (handler)

  The main execution handler for the security.test_xss tool. It injects XSS payloads into HTTP requests (GET/POST) to the target URL, checks if payloads are reflected in the response body or headers, assesses vulnerability, saves findings to database if detected, and returns formatted results.
  async ({ url, params = {}, method = 'GET' }: any): Promise<ToolResult> => { try { const payloads = [ '<script>alert(1)</script>', '"><img src=x onerror=alert(1)>', "'><svg onload=alert(1)>", 'javascript:alert(1)', '<iframe src=javascript:alert(1)>', ]; const results: SecurityTestResult[] = []; for (const payload of payloads) { try { let response: AxiosResponse; const testParams = { ...params, test: payload }; if (method === 'GET') { response = await axios.get(url, { params: testParams, validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', }, }); } else { response = await axios.post(url, testParams, { validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', 'Content-Type': 'application/x-www-form-urlencoded', }, }); } const body = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); const reflected = body.includes(payload); const inHeaders = JSON.stringify(response.headers).includes(payload); const result: SecurityTestResult = { payload, response: { status: response.status, reflected, inHeaders, bodyLength: body.length, }, }; if (reflected || inHeaders) { result.vulnerability = 'XSS'; result.severity = 'high'; await saveFinding({ target: url, type: 'XSS', severity: 'high', description: `Potential XSS vulnerability - payload reflected: ${payload}`, payload, response: body.substring(0, 1000), timestamp: new Date(), score: 8, }); } results.push(result); } catch (error: any) { results.push({ payload, error: error.message, }); } } const xssScore = results.some((r: any) => r.vulnerable) ? 7 : 3; await saveTestResult(url, 'xss_test', true, { results }, undefined, xssScore, JSON.stringify(params), JSON.stringify(results)); return formatToolResult(true, { results, summary: { totalTests: payloads.length, potentialVulns: results.filter((r) => r.vulnerability).length, }, }); } catch (error: any) { await saveTestResult(url, 'xss_test', false, null, error.message, 0, undefined, undefined); return formatToolResult(false, null, error.message); } }
• src/tools/security.ts:13-29 (schema)

  Input schema for the tool defining parameters: url (required string), params (optional object for query/body params), method (string enum GET/POST/PUT, default GET).
  inputSchema: { type: 'object', properties: { url: { type: 'string', description: 'Target URL' }, params: { type: 'object', description: 'Parameters to test (key-value pairs)', }, method: { type: 'string', description: 'HTTP method', enum: ['GET', 'POST', 'PUT'], default: 'GET', }, }, required: ['url'], },
• src/tools/security.ts:9-122 (registration)

  MCP server.tool registration call for 'security.test_xss', specifying description, inputSchema, and inline handler function within registerSecurityTools.
  server.tool( 'security.test_xss', { description: 'Test for XSS vulnerabilities (non-destructive payloads)', inputSchema: { type: 'object', properties: { url: { type: 'string', description: 'Target URL' }, params: { type: 'object', description: 'Parameters to test (key-value pairs)', }, method: { type: 'string', description: 'HTTP method', enum: ['GET', 'POST', 'PUT'], default: 'GET', }, }, required: ['url'], }, }, async ({ url, params = {}, method = 'GET' }: any): Promise<ToolResult> => { try { const payloads = [ '<script>alert(1)</script>', '"><img src=x onerror=alert(1)>', "'><svg onload=alert(1)>", 'javascript:alert(1)', '<iframe src=javascript:alert(1)>', ]; const results: SecurityTestResult[] = []; for (const payload of payloads) { try { let response: AxiosResponse; const testParams = { ...params, test: payload }; if (method === 'GET') { response = await axios.get(url, { params: testParams, validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', }, }); } else { response = await axios.post(url, testParams, { validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', 'Content-Type': 'application/x-www-form-urlencoded', }, }); } const body = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); const reflected = body.includes(payload); const inHeaders = JSON.stringify(response.headers).includes(payload); const result: SecurityTestResult = { payload, response: { status: response.status, reflected, inHeaders, bodyLength: body.length, }, }; if (reflected || inHeaders) { result.vulnerability = 'XSS'; result.severity = 'high'; await saveFinding({ target: url, type: 'XSS', severity: 'high', description: `Potential XSS vulnerability - payload reflected: ${payload}`, payload, response: body.substring(0, 1000), timestamp: new Date(), score: 8, }); } results.push(result); } catch (error: any) { results.push({ payload, error: error.message, }); } } const xssScore = results.some((r: any) => r.vulnerable) ? 7 : 3; await saveTestResult(url, 'xss_test', true, { results }, undefined, xssScore, JSON.stringify(params), JSON.stringify(results)); return formatToolResult(true, { results, summary: { totalTests: payloads.length, potentialVulns: results.filter((r) => r.vulnerability).length, }, }); } catch (error: any) { await saveTestResult(url, 'xss_test', false, null, error.message, 0, undefined, undefined); return formatToolResult(false, null, error.message); } } );
• src/index.ts:37-37 (registration)

  Invocation of registerSecurityTools(server) in main server initialization, which registers the security.test_xss tool among others.
  registerSecurityTools(server);