VulneraMCP
VulneraMCP is an AI-powered MCP server for bug bounty hunting and security testing, accessible via MCP-compatible clients like Cursor or Claude Desktop. Here's what you can do:
Reconnaissance
Discover subdomains (Subfinder, Amass), check live hosts (HTTPx), resolve DNS records, find URLs (gau), fuzz endpoints (ffuf), and run full automated recon workflows.
JavaScript Analysis
Download, beautify, and analyze JS files; extract API endpoints, URLs, and secrets (API keys, tokens).
Security Testing
Test for XSS, SQL injection, IDOR, CSRF, CSP misconfigurations, and authentication bypass.
API Testing
GraphQL introspection, rate limit testing, BOLA/IDOR, mass assignment detection, and Swagger/OpenAPI enumeration.
Authentication Testing
JWT none algorithm/confusion attacks, OAuth misconfigurations, session fixation, password reset host header poisoning, and MFA bypass.
Cloud Security
Enumerate S3/Azure/GCP buckets, scan for exposed secrets in JS/HTML/env files, and detect Terraform state file leaks.
Browser Rendering
Take screenshots, extract DOM structure and HTML forms, and execute custom JavaScript in page context via Puppeteer.
OWASP ZAP Integration
Start spider and active scans, retrieve/filter alerts, send custom requests, proxy through AI-enhanced layer, and manage scanning contexts.
Caido Integration
Query HTTPQL and discover endpoints.
Scanner Orchestration & Graph Analysis
Normalize targets, orchestrate coordinated scans, correlate findings, build knowledge graphs in PostgreSQL, detect patterns, and generate/rank attack paths (JSON/GraphML).
Database Management
Save and retrieve findings and test results in PostgreSQL; view aggregated statistics.
AI Training & Pattern Matching
Import training data from HackTheBox and PortSwigger Academy, extract patterns from bug bounty writeups, match current tests against learned patterns, and retrieve CSRF exploitation techniques.
Reporting & Wordlists
Generate Markdown reports from findings and create custom wordlists for directories, files, and parameters.
Web Dashboard
Access real-time statistics, manage findings, and track testing progress visually.
Integrates with Burp Suite for security testing and traffic analysis as part of the bug bounty hunting platform.
Provides comprehensive integration with OWASP ZAP for automated web crawling (spider scans), active vulnerability scanning, proxy integration, alert management, and security context configuration.
Supports importing training data from PortSwigger labs to enhance AI-powered pattern matching and exploit detection capabilities.
Uses PostgreSQL for persistent storage of vulnerability findings, security test results, statistics, and bug bounty research data.
Leverages Puppeteer for webpage rendering capabilities including screenshots, DOM extraction, form analysis, and JavaScript execution in page context.
Provides optional Redis integration for caching and working memory to improve performance of security testing operations.
Offers full integration with OWASP ZAP proxy for processing requests, conducting spider scans, performing active security scanning, and managing vulnerability alerts.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@VulneraMCPrun a full security scan on example.com and show me the top vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
VulneraMCP
An AI-Powered Bug Bounty MCP Server — recon, vulnerability testing, API/auth/cloud scanning, graph analysis, and reporting for security researchers and bug bounty hunters.
VulneraMCP is a Model Context Protocol (MCP) server for bug bounty hunting and security testing. It integrates OWASP ZAP, optional Caido/Burp Suite, and CLI tools (subfinder, httpx, gau, ffuf) for reconnaissance, JavaScript analysis, XSS/SQLi/IDOR/CSRF testing, API and auth misconfiguration checks, cloud bucket and secret scanning, orchestrated scan flows, knowledge-graph analysis, wordlist generation, and Markdown reporting — with PostgreSQL storage for findings and test results.
🎬 Demo
Watch the VulneraMCP demonstration on YouTube: https://youtu.be/wlUvBVNyh74
Related MCP server: Bug Bounty MCP Server
🌟 Features
🔍 Reconnaissance Tools
Subdomain Discovery: Subfinder, Amass integration
Live Host Detection: HTTPx for checking active endpoints
DNS Resolution: DNS record enumeration (A, AAAA, CNAME, MX, TXT)
URL Discovery: Gau (Get All URLs) from archives and crawlers
Fuzzing: ffuf for directory, file, and parameter discovery
Full Recon Workflow: Automated multi-tool reconnaissance
🔐 Security Testing
XSS Testing: Automated cross-site scripting detection
SQL Injection: SQLi vulnerability testing with sqlmap fallback
IDOR Detection: Insecure Direct Object Reference testing
CSP Analysis: Content Security Policy misconfiguration detection
Auth Bypass: Authentication bypass attempt testing
CSRF Testing: Cross-Site Request Forgery detection with advanced techniques
🌐 API Testing
GraphQL: Introspection and misconfiguration checks
Rate Limiting: Endpoint rate limit testing
BOLA / IDOR: Broken object level authorization tests
Mass Assignment: Unsafe field assignment detection
Swagger/OpenAPI: API documentation enumeration
🔑 Authentication Testing
JWT: None algorithm and algorithm confusion attacks
OAuth: Misconfiguration detection
Session: Fixation and cookie flag analysis
Password Reset: Host header poisoning tests
MFA: Bypass signal detection and testing
☁️ Cloud Security
Storage: S3/Azure/GCP bucket enumeration and permission probes
Secrets: Exposed key scanning in JS, HTML, and env files
Terraform: State file leak detection
🎯 Scanner Orchestration
Target Normalization: Standardize targets for multi-tool flows
Run Flow: Orchestrated scanning across API, auth, and cloud tools
Finding Correlation: Link and correlate results across tests
📈 Graph Analysis
Knowledge Graph: Store targets, findings, and relationships in PostgreSQL
Pattern Detection: Extract patterns and find similar findings
Attack Graphs: Generate, rank, and export attack paths (JSON, GraphML)
📝 Reporting & Wordlists
Report Generation: Markdown reports from findings
Wordlist Generation: Directories, files, parameters, and combined lists
📜 JavaScript Analysis
JS Download: Download and analyze JavaScript files
Code Beautification: Format and beautify minified JS
Endpoint Extraction: Find API endpoints and URLs in JS
Secret Detection: Heuristic API key and token extraction
Full Analysis: Combined download, beautify, and analyze workflow
🕷️ Integration
Spider Scans: Automated web crawling
Active Scanning: Vulnerability scanning
Proxy Integration: Process requests through ZAP proxy
Alert Management: Retrieve and analyze security alerts
Context Management: Define scanning contexts
💾 Database Integration
PostgreSQL: Store findings, test results, and scores
Redis: Working memory and caching (optional)
Finding Management: Save and retrieve bug findings
Test Result Storage: Track all security tests with statistics
🖼️ Rendering Tools
Screenshots: Capture webpage screenshots with Puppeteer
DOM Extraction: Extract and analyze page structure
Form Extraction: Find and analyze web forms
JavaScript Execution: Execute JS in page context
🤖 AI Training & Pattern Matching
Training Data Import: Import from HTB, PortSwigger labs
Pattern Matching: Learn from successful exploits
Writeup Analysis: Extract patterns from bug bounty writeups
CSRF Patterns: Pre-loaded CSRF exploitation patterns
📊 Web Dashboard
Real-time Statistics: View test results and findings
Finding Management: Browse and analyze discovered vulnerabilities
Visual Analytics: Track testing progress and success rates
🚀 Quick Start
Prerequisites
Node.js 20+ and npm
PostgreSQL 18+ (or Docker)
Redis (optional, for caching)
ZAP (optional, for active scanning)
Caido (optional, for traffic analysis)
Installation
# Clone the repository
git clone https://github.com/telmon95/VulneraMCP.git
cd VulneraMCP
# Install dependencies
npm install
# Build the project
npm run buildConfiguration
Copy environment template:
cp mcp.json.example mcp.jsonConfigure your environment variables:
Set up PostgreSQL connection details
Configure Caido API token (if using)
Set ZAP API URL (default: http://localhost:8081)
Initialize the database:
node init-db.js
Running the Server
# Start the MCP server
npm start
# Start the dashboard (in another terminal)
npm run dashboard
# Access dashboard at http://localhost:3000Docker Setup
# Start all services with Docker Compose
docker-compose up -d
# Or use the startup script
./start-services.sh📖 Usage
Via MCP Client (Cursor, Claude Desktop, etc.)
The server provides MCP tools that can be called through any MCP-compatible client:
Reconnaissance:
recon.subfinder domain: example.com
recon.httpx input: example.com,subdomain.example.com
recon.full domain: example.comSecurity Testing:
security.test_xss url: https://example.com/search?q=<script>
security.test_sqli url: https://example.com/user?id=1
security.test_csrf url: https://example.com/profile/updateJavaScript Analysis:
js.analyze url: https://example.com/static/app.js
js.extract_secrets source: <javascript_code>ZAP Integration:
zap.start_spider url: https://example.com
zap.start_active_scan url: https://example.com
zap.get_alerts baseURL: https://example.comCaido Integration:
caido.query httpql: "req.host.cont:\"example.com\" AND req.path.cont:\"api\""
caido.agent_discover_endpoints host: example.comRate Limiting & Best Practices
When testing bug bounty programs, always respect rate limits:
// Example: 2 requests/second limit
const rateLimiter = require('./hunting/rate-limiter');
const limiter = rateLimiter(2); // 2 req/sec
await limiter();
// Make your request🏗️ Project Structure
VulneraMCP/
├── src/
│ ├── integrations/ # External service integrations
│ │ ├── zap.ts # OWASP ZAP integration
│ │ ├── caido.ts # Caido integration
│ │ ├── postgres.ts # PostgreSQL database
│ │ └── redis.ts # Redis caching
│ ├── tools/ # MCP tools (recon, security, etc.)
│ ├── mcp/ # MCP server implementation
│ └── index.ts # Main entry point
├── public/ # Dashboard frontend
├── hunting/ # Bug bounty hunting scripts
├── dist/ # Compiled TypeScript output
└── dashboard-server.js # Dashboard API server🔧 Configuration
MCP Server Configuration (mcp.json)
{
"name": "vulneramcp",
"command": "node",
"args": ["dist/index.js"],
"env": {
"POSTGRES_HOST": "localhost",
"POSTGRES_PORT": "5433",
"POSTGRES_USER": "postgres",
"POSTGRES_DB": "bugbounty"
}
}Environment Variables
# PostgreSQL
POSTGRES_HOST=localhost
POSTGRES_PORT=5433
POSTGRES_USER=postgres
POSTGRES_PASSWORD=your_password
POSTGRES_DB=bugbounty
# ZAP
ZAP_API_URL=http://localhost:8081
# Caido
CAIDO_API_TOKEN=your_token
# Redis (optional)
REDIS_HOST=localhost
REDIS_PORT=6379📊 Dashboard
The web dashboard provides:
Statistics: Test results, success rates, vulnerability distribution
Findings: Detailed view of discovered vulnerabilities
Search & Filter: Find specific findings by target, type, severity
Access at: http://localhost:3000
💖 Sponsor
If VulneraMCP helps your bug bounty or security research workflow, consider sponsoring development on GitHub Sponsors.
Your support helps fund new features, documentation, security testing, and long-term maintenance of this open source project.
🤝 Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Fork the repository
Create your feature branch (
git checkout -b feature/AmazingFeature)Commit your changes (
git commit -m 'Add some AmazingFeature')Push to the branch (
git push origin feature/AmazingFeature)Open a Pull Request
📝 License
This project is licensed under the MIT License - see the LICENSE file for details.
⚠️ Disclaimer
This tool is for authorized security testing only. Always:
Get proper authorization before testing
Respect rate limits and terms of service
Follow responsible disclosure practices
Never use on systems you don't own or have explicit permission to test
🙏 Acknowledgments
ZAP for vulnerability scanning
The bug bounty community for inspiration and feedback
📚 Documentation
🐛 Issues
Found a bug? Have a feature request? Please open an issue on GitHub.
📧 Contact
GitHub: @telmon95
Sponsors: GitHub Sponsors
Issues: GitHub Issues
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/telmon95/VulneraMCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server