Skip to content

MCP

Analyze and exploit Model Context Protocol (MCP) servers.

Overview

The mcp module covers both local MCP configuration analysis and remote MCP server exploitation. It supports local config parsing (Claude Desktop, VS Code, Cursor), remote enumeration over HTTP/SSE, and guarded poison probes across multiple attack modes.

The HTTP transport handles both standard JSON responses and streamable-HTTP servers that return Server-Sent Events (SSE) on POST. Requests include Accept: application/json, text/event-stream, and text/event-stream responses are automatically parsed to extract the embedded JSON-RPC payload from data: lines. Mixed-case URL suffixes (e.g., /SSE, /Sse) are correctly normalized during transport detection.

Subcommands

Read-Only (no --force-exploit required)

Subcommand Description
analyze Analyze a local MCP configuration file
enum Enumerate a remote MCP HTTP/SSE endpoint
env-extract Extract environment variables from MCP server processes via tool reflection and error leakage

Gated (requires --force-exploit)

Subcommand Description
poison Send exploit probes to an MCP server (9 modes)
chain Automated multi-step credential exfiltration kill chain

Flags

Common

Flag Required Description
--target For enum, poison MCP server URL (e.g., http://127.0.0.1:3000)
--header No Custom HTTP headers. Repeatable.
--config For analyze Path to MCP config file

Poison Flags

Flag Required Description
--mode Yes Attack mode: generic, ssrf-cloud, cmd-inject, path-traversal, type-field, default-value, example-inject, error-message, enum-poison
--tool For generic Tool name to target
--payload For generic Payload string
--attempts No Number of payload attempts
--target-alias For ssrf-cloud Cloud provider: aws-imds, gcp-metadata, azure-imds. Mutually exclusive with --url.
--url For ssrf-cloud Custom SSRF target URL instead of a built-in cloud alias
--command For cmd-inject Command to inject
--path For path-traversal Path traversal string

Poison Modes

generic

Sends arbitrary payload to a specified tool. Tests prompt injection and tool manipulation.

ssrf-cloud

Probes fetch-like tools for SSRF access to cloud metadata endpoints (AWS IMDS, GCP metadata, Azure IMDS).

cmd-inject

Targets shell/process-like tools with command injection payloads.

path-traversal

Targets file-read/write tools with path traversal sequences.

type-field (Full-Schema Poisoning)

Injects instruction text into JSON Schema type field definitions. Based on CyberArk's Full-Schema Poisoning research.

default-value (Full-Schema Poisoning)

Sets parameter default values to trigger unintended behavior (e.g., default path pointing to sensitive file).

example-inject (Full-Schema Poisoning)

Places prompt injection payloads in the examples array of parameter definitions.

error-message (Full-Schema Poisoning)

Crafts tool responses with error messages containing instructions for the LLM.

enum-poison (Full-Schema Poisoning)

Adds values to enum arrays that contain embedded instructions.

Environment Extraction

The env-extract subcommand (read-only) attempts to extract environment variables from MCP server processes through:

  1. Tool reflection -- asking exec-capable tools to print their environment
  2. Error message leakage -- sending malformed requests to trigger verbose errors containing env vars
  3. Known env var patterns -- scanning for OPENAI_API_KEY, ANTHROPIC_API_KEY, HF_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AZURE_OPENAI_KEY, GOOGLE_API_KEY, LANGCHAIN_API_KEY, WANDB_API_KEY

Chain (Kill Chain Automation)

The chain subcommand (gated) automates the multi-step credential exfiltration kill chain:

  1. Enumerate -- discover available tools and schemas
  2. Score tools -- identify high-value tools (file, exec, fetch, cloud)
  3. Environment probe -- run env-extract against discovered tools
  4. Cloud metadata probe -- attempt SSRF to AWS/GCP/Azure metadata endpoints via fetch-capable tools
  5. Report -- generate chain summary with full attack path documentation

Flags: --cloud (aws/gcp/azure/all), --skip-metadata

Examples

# Analyze local config
./aipostex mcp analyze --config ~/.config/Claude/claude_desktop_config.json

# Enumerate remote endpoint
./aipostex mcp --target http://127.0.0.1:3000 enum

# Generic poison probe (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode generic --tool fetch \
  --payload "Ignore previous instructions." \
  --attempts 2 --force-exploit

# SSRF cloud metadata (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode ssrf-cloud --target-alias aws-imds --force-exploit

# Command injection (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode cmd-inject --command id --force-exploit

# Path traversal (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode path-traversal --path ../../etc/passwd --force-exploit

# Full-schema poisoning: type field injection (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode type-field --force-exploit

# Full-schema poisoning: default value injection (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode default-value --payload /etc/passwd --force-exploit

# Environment variable extraction (read-only)
./aipostex mcp --target http://127.0.0.1:3000 env-extract

# Automated credential chain (gated)
./aipostex mcp --target http://127.0.0.1:3000 chain --force-exploit

# Chain targeting only AWS metadata
./aipostex mcp --target http://127.0.0.1:3000 chain \
  --cloud aws --force-exploit

Transport Compatibility

The MCP client supports three transport modes:

Transport How It Works
HTTP (JSON) POST JSON-RPC to target URL, receive JSON response
HTTP (SSE) POST JSON-RPC to target URL, receive text/event-stream with JSON-RPC in data: lines
stdio Spawn local process, exchange NDJSON over stdin/stdout

When targeting an endpoint that ends in /sse (case-insensitive), the client automatically rewrites the POST target to /message on the same base URL. This handles the common pattern where SSE MCP servers expose an SSE event stream at /sse and accept commands at /message.

Analyze Capabilities

The analyze command parses local MCP config files and identifies:

  • Transport choices -- stdio vs HTTP/SSE per server
  • Command execution -- local commands configured to run (npx, uvx, python, node)
  • Plaintext credentials -- API keys and tokens in environment variables (redacted in console)
  • Non-loopback exposure -- servers binding to non-localhost addresses
  • Inspector/debug exposure -- MCP Inspector or debug tooling configured
  • Tool shadowing -- tool name collisions across configured servers
  • Remote URL correlation -- remote MCP URLs that suggest follow-on enum or poison commands

Enum Capabilities

The enum command classifies discovered tools into capability buckets:

  • fetch -- HTTP fetch tools (SSRF potential)
  • file -- file read/write tools (traversal potential)
  • exec / process -- command execution tools
  • inspector -- MCP Inspector or debug tooling

Each classification includes a confidence score and suggested exploit modes.

Proof Strength Classification

The poison command classifies results by proof strength:

Mode Possible Strengths
generic generic payload accepted
ssrf-cloud provider-marker cloud metadata detected
cmd-inject likely-executed vs possible-echo
path-traversal file-read-confirmed vs path-disclosure
type-field schema-poisoned
default-value schema-poisoned
example-inject schema-poisoned
error-message schema-poisoned
enum-poison schema-poisoned

Vulnerability Templates

aipostex includes 20 MCP-specific vulnerability templates that run automatically during scan targets and discover network. These cover infrastructure exposure, CVEs, and server-specific vulnerabilities from the vulnerablemcp database.

Infrastructure Exposure

Template What It Detects
mcp-auth-001 / 002 Unauthenticated SSE and HTTP transports
mcp-auth-003 / 005 MCP Inspector UI and API exposed without auth
mcp-auth-004 DNS rebinding via Host header trust
mcp-session-001 Session IDs leaked in SSE endpoint URL query parameters

CVEs and Server-Specific

Template CVE What It Detects
cve-2025-65513 CVE-2025-65513 Fetch MCP Server SSRF via IP validation bypass
cve-2025-49596 CVE-2025-49596 MCP Inspector RCE (versions < 0.14.1)
cve-2025-66414 CVE-2025-66414/66416 Official MCP SDK DNS rebinding (TS < 1.24.0, Python < 1.23.0)
cve-2025-53355 CVE-2025-53355 Kubernetes MCP server command injection via kubectl tools
cve-2025-53967 CVE-2025-53967 Framelink Figma MCP server RCE via curl fallback
cve-2025-59163 CVE-2025-59163 Vet MCP server DNS rebinding
tra-2025-36 TRA-2025-36 Microsoft Learn MCP server SSRF via docs_fetch tool
mcp-enum-006 CVE-2025-10193 Neo4j MCP Cypher server exposure and DNS rebinding

Run templates against an MCP endpoint:

./aipostex scan targets http://127.0.0.1:3000 --tags mcp

See Built-in Templates for the full template reference.

Workflow Progression

discover network / discover files (discovers MCP config or endpoint)
  → scan targets --tags mcp (run vulnerability templates)
  → mcp analyze --config <path> (local config analysis)
  → mcp enum --target <url> (remote tool enumeration)
    → mcp env-extract (credential probing, read-only)
    → mcp poison --mode <mode> (exploit validation, gated)
    → mcp chain (automated credential exfiltration, gated)