Toxy Insecure MCP Lab
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Toxy Insecure MCP Lablist users"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
⚠️ Read this first
Rule | Detail |
Purpose | Offline classrooms, CTF prep, and authorized security research |
Forbidden | Production, staging, shared hosting, or any internet-facing deployment |
Expectation | Every weakness here is intentional — do not treat this as a template |
Related MCP server: Insecure MCP Demo
Overview
Modern AI agents call external MCP tools the same way apps call APIs. When those tools skip authentication, trust user input, or run with too much power, attackers inherit that access.
Toxy Insecure MCP Lab models those failures in a single Python service you can drive from any MCP client, curl, or the MCP Inspector.
flowchart LR
A[MCP Client] -->|STDIO / SSE / HTTP| B[Toxy Lab]
B --> C[Open Tools]
B --> D[Weak Auth Tools]
B --> E[File Tools]
B --> F[SSRF Tools]
B --> G[SQLi Tools]
C --> H[(Mock Data)]
D --> H
E --> I[Container FS]
F --> J[Outbound HTTP]
G --> K[(SQLite DB)]Lab snapshot
Item | Value |
Repository | |
HTTP endpoint |
|
Default creds |
|
Database file |
|
Python package |
|
Maintainer |
Requirements
Python 3.11+ or Docker with Compose v2
An MCP client, MCP Inspector, or
curlAn isolated network (VM, WSL, or local machine — not a shared server)
Installation paths
git clone https://github.com/toxicaj/vuln_mcp_server.git
cd vuln_mcp_server
docker compose up --buildThe service listens on port 8000. Connect your client to http://localhost:8000/mcp.
git clone https://github.com/toxicaj/vuln_mcp_server.git
cd vuln_mcp_server
python -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
pip install -r requirements.txtPick a transport:
Mode | Command |
STDIO |
|
SSE |
|
HTTP |
|
Note: Local HTTP/SSE runs need a writable database path. Example:
DATABASE_PATH=/tmp/toxy_vulnerable_mcp.sqlite
Attack surface
Five independent modules. Each one teaches a different mistake teams make when shipping MCP integrations.
Module 01 — Identity not required
File: toxy_vulnerable_mcp/tools/unauth_tools.py
Tool | What it leaks |
| Internal memos |
| Employee roster ( |
| Host paths, env vars, runtime fingerprint |
Try it
{ "name": "system_info", "arguments": {} }Lesson: If a tool returns sensitive data without a session, every connected agent becomes an insider threat.
Module 02 — Password everyone knows
File: toxy_vulnerable_mcp/tools/auth_tools.py
Tool | Gate |
| Basic Auth |
| Basic Auth |
Credentials are hardcoded: admin:admin
Try it (HTTP)
curl http://localhost:8000/mcp \
-u admin:admin \
-H 'Content-Type: application/json' \
-H 'Mcp-Method: tools/call' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_sensitive_logs","arguments":{}}}'Lesson: Default passwords turn a thin auth layer into theater.
Module 03 — Filesystem god mode
File: toxy_vulnerable_mcp/tools/file_tools.py
Tool | Capability |
| Read any path the container can open |
| Create or overwrite files |
| Map directory contents |
Writable mounts: /lab-data · /app/secrets · /data
Try it
{
"name": "write_file",
"arguments": {
"path": "/lab-data/proof.txt",
"content": "MCP tool wrote this with root privileges"
}
}Lesson: File tools without jails hand agents the keys to the kingdom.
Module 04 — Server-side fetching
File: toxy_vulnerable_mcp/tools/ssrf_tools.py
Tool | Behavior |
| GET any URL, follow redirects |
| Same engine, RSS disguise |
| Blind callback testing |
Try it
{ "name": "fetch_url", "arguments": { "url": "http://127.0.0.1:8000/mcp" } }{ "name": "fetch_url", "arguments": { "url": "http://169.254.169.254/latest/meta-data/" } }Lesson: Unrestricted egress lets callers scan localhost and cloud metadata from inside your network.
Module 05 — String-built SQL
File: toxy_vulnerable_mcp/tools/sqli_tools.py
Tool | Injection point |
|
|
|
|
|
|
Try it — auth bypass
{
"name": "login_user",
"arguments": { "username": "admin' --", "password": "x" }
}Try it — UNION extraction
{
"name": "get_order",
"arguments": {
"order_id": "1 UNION SELECT id, record_type, secret_value, 0, 'leak' FROM admin_records"
}
}Lesson: Concatenating user input into SQL is an open invitation to dump tables you never meant to expose.
HTTP cheat sheet
Three calls cover most manual testing:
1. Initialize
curl -i http://localhost:8000/mcp \
-H 'Content-Type: application/json' \
-H 'Mcp-Method: initialize' \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"lab","version":"1.0"}}}'2. List tools
curl http://localhost:8000/mcp \
-H 'Content-Type: application/json' \
-H 'Mcp-Method: tools/list' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'3. Call a tool
curl http://localhost:8000/mcp \
-H 'Content-Type: application/json' \
-H 'Mcp-Method: tools/call' \
-d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"list_users","arguments":{}}}'Directory map
vuln_mcp_server/
│
├─ docker-compose.yml # One-command lab spin-up
├─ Dockerfile # Root-user image (intentional)
├─ lab-data/ # Writable practice files
├─ secrets/ # Fake credentials for file-read labs
│
└─ toxy_vulnerable_mcp/
├─ server.py # MCP entry + transport launcher
├─ http_app.py # HTTP wrapper + Basic Auth middleware
├─ auth.py # admin:admin validator
├─ database.py # SQLite seed data
├─ data.py # Mock notes, users, logs
└─ tools/
├─ unauth_tools.py
├─ auth_tools.py
├─ file_tools.py
├─ ssrf_tools.py
└─ sqli_tools.pyLogging & debugging
Everything runs at DEBUG by default. Watch for:
Open * invocation— unauthenticated tool hitsBasic Auth gate triggered— credential checks on protected toolsOutbound request issued to— SSRF attemptsRunning unsafe SQL statement— full query text before executionread_file/write_file/list_directory— filesystem operations
docker compose logs -fFAQ
Q: Can I rename the repo folder after cloning?
A: Yes. The folder name does not affect runtime behavior.
Q: Why does local setup fail on /data?
A: The default DB path targets the Docker layout. Set DATABASE_PATH=/tmp/toxy_vulnerable_mcp.sqlite when running natively.
Q: Do I need to wipe Docker volumes between runs?
A: Only if you changed the database filename or seed schema. docker compose down -v resets state.
Q: Are the employee names and API keys real?
A: No. All records are synthetic classroom material.
Hardening checklist
Use this after completing each module:
Require authentication before any data-bearing tool executes
Eliminate default credentials; integrate a real identity provider
Remove open-ended file primitives or jail them to a single directory
Block private IP ranges and metadata hosts on outbound fetches
Parameterize every SQL statement; hash passwords at rest
Run containers as non-root with read-only root filesystems
Log security events without printing secrets or full queries in production
Legal & ethics
Deploy only on systems you own or have explicit written permission to test. The maintainer provides this software as-is for education — misuse against third parties is your responsibility.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/toxicaj/vuln_mcp_server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server