mcp-vulnerable-server-demo

This project is an educational demonstration of a vulnerable MCP server, showcasing security risks like SQL injection and unauthorized access. It includes a good client and an attack client to demonstrate potential exploits.

Overview

This project demonstrates a vulnerable MCP server and multiple clients, including a proof-of-concept attack client and a good client, designed for educational purposes to showcase potential security vulnerabilities.

Features & Vulnerabilities

  • Vulnerable MCP server exposing insecure tools:
    • insert_record: Prone to SQL injection.
    • query_records: Exposes all data without authentication.
    • execute_sql: Allows any SQL command.
    • get_env_variable: Leaks sensitive environment variables.

How to Run

  1. Install Dependencies.
  2. Start the Server and Good Client.
  3. Run the Attack Client.

Vulnerabilities Demonstrated

  • SQL Injection
  • Arbitrary Code Execution
  • Sensitive Data Exposure
  • Lack of Access Control

Mitigation Strategies

  • Use Parameterized Queries
  • Restrict Dangerous Tools
  • Implement Authentication & Authorization
  • Validate and Sanitize Input
  • Limit Environment Variable Access
  • Audit and Monitor Usage
  • Principle of Least Privilege
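
As an added illustration (not code from this project), the sketch below puts a string-built insert_record beside a parameterized, validated one, and shows an allowlisted get_env_variable. The SQLite backend, the records(name, address) schema, the 200-character limit and the allowlisted variable names are assumptions; only the tool names come from the list above.

```python
import sqlite3

# Assumed allowlist: the page does not say which variables the demo server reads.
ALLOWED_ENV = frozenset({"APP_MODE", "LOG_LEVEL"})
MAX_LEN = 200  # assumed field limit


def make_db():
    # Assumed schema, in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, address TEXT)")
    return db


def insert_record_vulnerable(db, name, address):
    # String-built SQL: a quote in the input closes the literal and the
    # remainder of the input is parsed as part of the statement.
    db.execute(f"INSERT INTO records (name, address) VALUES ('{name}', '{address}')")


def insert_record_safe(db, name, address):
    # Validate type and length, then bind values with placeholders so the
    # driver never interprets them as SQL text.
    for field in (name, address):
        if not isinstance(field, str) or not 0 < len(field) <= MAX_LEN:
            raise ValueError("field must be a non-empty string of limited length")
    db.execute("INSERT INTO records (name, address) VALUES (?, ?)", (name, address))


def get_env_variable_safe(environ, var_name):
    # Only explicitly allowlisted names are readable; everything else is refused.
    if var_name not in ALLOWED_ENV:
        raise PermissionError(f"{var_name!r} is not exposed by this tool")
    return environ.get(var_name, "")


def rows(db):
    return db.execute("SELECT name, address FROM records ORDER BY id").fetchall()


if __name__ == "__main__":
    crafted = "a', 'injected') --"  # constructed sample input
    for insert in (insert_record_vulnerable, insert_record_safe):
        db = make_db()
        insert(db, crafted, "1 Main St")
        print(insert.__name__, rows(db))
```

With the string-built version the stored address is whatever the crafted name supplied; with placeholders the crafted text is stored verbatim as the name and the real address is kept.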

Disclaimer

This project is for educational and demonstration purposes only.