Pentesting MCP Servers Checklist
A practical, community-driven checklist for pentesting MCP servers. Covers traffic analysis, tool-call behavior, namespace abuse, auth flows, and remote server risks. Maintained by Appsecco and licensed for remixing.
Installation
npx pentesting-mcp-servers-checklist
README
Version 3 is out now!
A practical, community-driven checklist for pentesting Model Context Protocol (MCP) servers. This guide covers local and remote MCP server risks, traffic analysis, tool-call behaviors, context boundaries, authorization flows, and unsafe code paths.
Originally created for the OWASP Bay Area talk on Pentesting MCP Servers (Oct 2025), this checklist is designed for practitioners performing assessments on MCP-based tools, agents, and integrations.
Why this exists
MCP servers are becoming the new execution layer for AI agents. This means they expose:
- File system access
- Tool execution
- Remote APIs
- STDIO and HTTP bridges
- Autonomous actions initiated by LLMs
Because of this, MCP servers expose a wide attack surface, and security testers need structured guidance to cover it. This checklist helps you perform systematic and repeatable assessments.
What this checklist covers
- Traffic Analysis – proxy inspection of STDIO/HTTP, context injection, TLS enforcement
- Authentication & Authorization – auth bypass, OAuth flows, IDOR, privilege escalation
- Local MCP Server File and Code Review – embedded secrets, dangerous functions, dependency audits
- MCP Tool Behavior and Functionality – tool boundary validation, chaining, local RCE
- Tool Security – Input Validation – command injection, path traversal, SSRF, SQLi, SSTI
- Tool Security – Output & Schema Validation – schema mismatches, sensitive data leakage, prompt injection via output
- Tool Injection – prompt injection via tool names/descriptions, tool shadowing, name collisions
- File System & Network Access – path traversal, scope enforcement, DNS rebinding
- Context Isolation – cross-user leakage, namespace separation, session persistence
- Secret & Credential Handling – hardcoded secrets, log exposure, token caching
- Logging & Monitoring – log injection, rate limiting, access controls
- Race Conditions & Concurrency – TOCTOU, parallel invocation, resource exhaustion
- Advanced Attacks – context pollution, confused deputy, prototype pollution, GraphQL injection
How to use this repo
- Use the CHECKLIST.md for field assessments
- Fork and adapt it for your team
- Submit PRs with improvements
- Open issues for new MCP attack patterns
Contribute
We welcome:
- New checklist items
- Additional MCP server categories
- Tooling contributions
- Red-team test cases
- Sanitized findings
License
This project is licensed under CC BY 4.0. You may remix, adapt, and build upon this checklist for any purpose, even commercially, as long as you provide attribution.
Maintainers
Appsecco
