vulnerable-mcp-servers-lab by appsecco

MCP server vulnerabilities lab for AI agent security training

Created 4 months ago
253 stars

Top 99.3% on SourcePulse

Project Summary

Summary

This repository provides a collection of intentionally vulnerable Model Context Protocol (MCP) servers built for security training and research. It targets pentesters and AI red teamers, giving hands-on exposure to common MCP server and tool-integration failure modes and the risks they create: data exposure, instruction injection, supply-chain compromise, and code execution.

How It Works

The project offers distinct, self-contained MCP server implementations, each in its own directory with a detailed README. Each server is deliberately built around a specific weakness, such as path traversal, indirect prompt injection, unsafe eval usage, namespace typosquatting, outdated dependencies, or secrets leakage, so the corresponding attack path can be exercised end to end against a real MCP client.

Quick Start & Requirements

Users select a server from the index, then follow its per-server README for setup and execution instructions. A disposable VM or container within an isolated network is strongly recommended. Some servers may include claude_config.json snippets for integration with Claude Desktop.

Highlighted Details

  • Demonstrates path traversal and code execution via filesystem workspace actions.
  • Illustrates indirect prompt injection through local stdio and remote HTTP+SSE MCP endpoints.
  • Features eval-based remote code execution (RCE) through an unsafe JavaScript formatting routine.
  • Includes examples of namespace typosquatting for supply-chain risk simulation.
  • Highlights risks from outdated packages and embedded secrets/PII exposure.
  • Showcases prompt injection risks from unsanitized remote content (e.g., Wikipedia).

Maintenance & Community

This lab is maintained by Appsecco, a cybersecurity company specializing in product security testing. Further contact and company information are available via their website (https://appsecco.com) and LinkedIn (https://linkedin.com/company/appsecco).

Licensing & Compatibility

The specific license is indicated by a LICENSE file within the repository; its type and compatibility for commercial use are not detailed in the README. The lab's nature suggests it is for educational purposes and requires careful isolation.

Limitations & Caveats

Crucially, these servers are intentionally vulnerable and must only be run within a controlled, isolated lab environment (e.g., disposable VMs/containers on isolated networks). All tool outputs and retrieved content should be treated as untrusted. Exposed HTTP servers are assumed to be vulnerable unless explicitly secured.

Health Check

Last Commit: 4 months ago
Responsiveness: Inactive
Pull Requests (30d): 0
Issues (30d): 0
Star History: 13 stars in the last 30 days
