# MCP

Analyze and exploit Model Context Protocol (MCP) servers.

## Overview

The mcp module covers both local MCP configuration analysis and remote MCP server exploitation. It supports local config parsing (Claude Desktop, VS Code, Cursor), remote enumeration over HTTP/SSE, and guarded poison probes across multiple attack modes.

The HTTP transport handles both standard JSON responses and streamable-HTTP servers that return Server-Sent Events (SSE) on POST. Requests include `Accept: application/json, text/event-stream`, and `text/event-stream` responses are automatically parsed to extract the embedded JSON-RPC payload from `data:` lines. Mixed-case URL suffixes (e.g., `/SSE`, `/Sse`) are correctly normalized during transport detection.
## Subcommands

### Read-Only (no --force-exploit required)

| Subcommand | Description |
|---|---|
| analyze | Analyze a local MCP configuration file |
| enum | Enumerate a remote MCP HTTP/SSE endpoint |
| env-extract | Extract environment variables from MCP server processes via tool reflection and error leakage |

### Gated (requires --force-exploit)

| Subcommand | Description |
|---|---|
| poison | Send exploit probes to an MCP server (9 modes) |
| chain | Automated multi-step credential exfiltration kill chain |
## Flags

### Common

| Flag | Required | Description |
|---|---|---|
| --target | For enum, poison | MCP server URL (e.g., http://127.0.0.1:3000) |
| --header | No | Custom HTTP headers. Repeatable. |
| --config | For analyze | Path to MCP config file |

### Poison Flags

| Flag | Required | Description |
|---|---|---|
| --mode | Yes | Attack mode: generic, ssrf-cloud, cmd-inject, path-traversal, type-field, default-value, example-inject, error-message, enum-poison |
| --tool | For generic | Tool name to target |
| --payload | For generic | Payload string |
| --attempts | No | Number of payload attempts |
| --target-alias | For ssrf-cloud | Cloud provider: aws-imds, gcp-metadata, azure-imds. Mutually exclusive with --url. |
| --url | For ssrf-cloud | Custom SSRF target URL instead of a built-in cloud alias |
| --command | For cmd-inject | Command to inject |
| --path | For path-traversal | Path traversal string |
## Poison Modes

### generic

Sends an arbitrary payload to the specified tool. Tests prompt injection and tool manipulation.

### ssrf-cloud

Probes fetch-like tools for SSRF access to cloud metadata endpoints (AWS IMDS, GCP metadata, Azure IMDS).

### cmd-inject

Targets shell/process-like tools with command injection payloads.

### path-traversal

Targets file-read/write tools with path traversal sequences.

### type-field (Full-Schema Poisoning)

Injects instruction text into JSON Schema `type` field definitions. Based on CyberArk's Full-Schema Poisoning research.

### default-value (Full-Schema Poisoning)

Sets parameter default values to trigger unintended behavior (e.g., a default path pointing to a sensitive file).

### example-inject (Full-Schema Poisoning)

Places prompt injection payloads in the `examples` array of parameter definitions.

### error-message (Full-Schema Poisoning)

Crafts tool responses with error messages containing instructions for the LLM.

### enum-poison (Full-Schema Poisoning)

Adds values to `enum` arrays that contain embedded instructions.
## Environment Extraction

The env-extract subcommand (read-only) attempts to extract environment variables from MCP server processes through:

- Tool reflection -- asking exec-capable tools to print their environment
- Error message leakage -- sending malformed requests to trigger verbose errors containing env vars
- Known env var patterns -- scanning for `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `HF_TOKEN`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AZURE_OPENAI_KEY`, `GOOGLE_API_KEY`, `LANGCHAIN_API_KEY`, `WANDB_API_KEY`
## Chain (Kill Chain Automation)

The chain subcommand (gated) automates the multi-step credential exfiltration kill chain:

- Enumerate -- discover available tools and schemas
- Score tools -- identify high-value tools (file, exec, fetch, cloud)
- Environment probe -- run env-extract against discovered tools
- Cloud metadata probe -- attempt SSRF to AWS/GCP/Azure metadata endpoints via fetch-capable tools
- Report -- generate chain summary with full attack path documentation

Flags: `--cloud` (aws/gcp/azure/all), `--skip-metadata`
## Examples

```bash
# Analyze local config
./aipostex mcp analyze --config ~/.config/Claude/claude_desktop_config.json

# Enumerate remote endpoint
./aipostex mcp --target http://127.0.0.1:3000 enum

# Generic poison probe (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode generic --tool fetch \
  --payload "Ignore previous instructions." \
  --attempts 2 --force-exploit

# SSRF cloud metadata (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode ssrf-cloud --target-alias aws-imds --force-exploit

# Command injection (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode cmd-inject --command id --force-exploit

# Path traversal (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode path-traversal --path ../../etc/passwd --force-exploit

# Full-schema poisoning: type field injection (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode type-field --force-exploit

# Full-schema poisoning: default value injection (gated)
./aipostex mcp --target http://127.0.0.1:3000 poison \
  --mode default-value --payload /etc/passwd --force-exploit

# Environment variable extraction (read-only)
./aipostex mcp --target http://127.0.0.1:3000 env-extract

# Automated credential chain (gated)
./aipostex mcp --target http://127.0.0.1:3000 chain --force-exploit

# Chain targeting only AWS metadata
./aipostex mcp --target http://127.0.0.1:3000 chain \
  --cloud aws --force-exploit
```
## Transport Compatibility

The MCP client supports three transport modes:

| Transport | How It Works |
|---|---|
| HTTP (JSON) | POST JSON-RPC to target URL, receive JSON response |
| HTTP (SSE) | POST JSON-RPC to target URL, receive `text/event-stream` with JSON-RPC in `data:` lines |
| stdio | Spawn local process, exchange NDJSON over stdin/stdout |

When targeting an endpoint that ends in `/sse` (case-insensitive), the client automatically rewrites the POST target to `/message` on the same base URL. This handles the common pattern where SSE MCP servers expose an SSE event stream at `/sse` and accept commands at `/message`.
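The SSE handling described here and in the Overview (extracting JSON-RPC from `data:` lines and rewriting a `/sse` target to `/message`, case-insensitively), as an added example written for this page rather than code from aipostex; the SSE body is a constructed sample.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample body: a streamable-HTTP MCP server answering a POST
# with text/event-stream, the JSON-RPC result carried in the data: line.
SAMPLE_SSE_BODY = (
    "event: message\n"
    "id: 1\n"
    'data: {"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"fetch"}]}}\n'
    "\n"
    ": keep-alive comment\n"
    "\n"
)

def parse_sse_jsonrpc(body: str) -> list:
    """Return the JSON-RPC objects carried in an SSE body.

    An event's payload is its data: lines joined with newlines; a blank
    line ends the event and lines starting with ':' are comments."""
    messages, data_lines = [], []
    for raw in body.splitlines():
        if raw == "":
            if data_lines:
                messages.append(json.loads("\n".join(data_lines)))
                data_lines = []
            continue
        if raw.startswith(":"):
            continue
        field, _, value = raw.partition(":")
        if field == "data":
            data_lines.append(value[1:] if value.startswith(" ") else value)
    if data_lines:  # body that ended without a trailing blank line
        messages.append(json.loads("\n".join(data_lines)))
    return messages

def decode_response(content_type: str, body: str) -> list:
    """Dispatch on Content-Type: plain JSON or SSE-wrapped JSON-RPC."""
    if content_type.split(";")[0].strip().lower() == "text/event-stream":
        return parse_sse_jsonrpc(body)
    return [json.loads(body)]

def post_url_for(target: str) -> str:
    """Rewrite a .../sse target (any case) to .../message on the same base URL."""
    parts = urlsplit(target)
    path = parts.path
    if path.rstrip("/").lower().endswith("/sse"):
        path = path.rstrip("/")[: -len("/sse")] + "/message"
    return urlunsplit(parts._replace(path=path))
```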
## Analyze Capabilities

The analyze command parses local MCP config files and identifies:

- Transport choices -- stdio vs HTTP/SSE per server
- Command execution -- local commands configured to run (npx, uvx, python, node)
- Plaintext credentials -- API keys and tokens in environment variables (redacted in console)
- Non-loopback exposure -- servers binding to non-localhost addresses
- Inspector/debug exposure -- MCP Inspector or debug tooling configured
- Tool shadowing -- tool name collisions across configured servers
- Remote URL correlation -- remote MCP URLs that suggest follow-on `enum` or `poison` commands
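A minimal version of the analyze checks above (transport, command execution, plaintext credentials with redaction, non-loopback exposure, inspector exposure, remote URLs) as an added example, not aipostex's implementation; it assumes the Claude Desktop-style `mcpServers` layout and runs on a constructed config. Tool shadowing is left out because it needs the tool lists that only live enumeration provides.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the Claude Desktop-style mcpServers layout
# (assumption: command/args/env for stdio servers, url for HTTP/SSE ones).
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLEEXAMPLEEXAMPLE1234"}},
    "inspector": {"command": "npx", "args": ["@modelcontextprotocol/inspector"]},
    "remote": {"url": "http://0.0.0.0:3000/sse"},
}})

LOCAL_RUNNERS = {"npx", "uvx", "python", "python3", "node"}
SECRET_KEY_RE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}  # bind-all addresses: reachable off-host

def redact(value: str) -> str:
    """Keep a short prefix/suffix so the finding is recognisable without the secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"

def audit_mcp_config(text: str) -> list:
    """Return one finding dict per issue, keyed by server name and check."""
    findings = []
    for name, srv in json.loads(text).get("mcpServers", {}).items():
        def add(check, detail):
            findings.append({"server": name, "check": check, "detail": detail})
        if "url" in srv:
            add("transport", "http/sse")
            host = (urlsplit(srv["url"]).hostname or "").lower()
            if host in WILDCARD:
                add("non-loopback-exposure", host)
            elif host not in LOOPBACK:
                add("remote-url", srv["url"])
        else:
            add("transport", "stdio")
            cmd = srv.get("command", "")
            if cmd in LOCAL_RUNNERS:
                add("command-execution", " ".join([cmd] + srv.get("args", [])))
        for key, val in srv.get("env", {}).items():
            if SECRET_KEY_RE.search(key):
                add("plaintext-credential", f"{key}={redact(val)}")
        blob = " ".join([srv.get("command", ""), *srv.get("args", []), srv.get("url", "")])
        if "inspector" in blob.lower():
            add("inspector-exposure", blob.strip())
    return findings
```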
## Enum Capabilities

The enum command classifies discovered tools into capability buckets:

- `fetch` -- HTTP fetch tools (SSRF potential)
- `file` -- file read/write tools (traversal potential)
- `exec`/`process` -- command execution tools
- `inspector` -- MCP Inspector or debug tooling

Each classification includes a confidence score and suggested exploit modes.
## Proof Strength Classification

The poison command classifies results by proof strength:

| Mode | Possible Strengths |
|---|---|
| generic | generic payload accepted |
| ssrf-cloud | provider-marker cloud metadata detected |
| cmd-inject | likely-executed vs possible-echo |
| path-traversal | file-read-confirmed vs path-disclosure |
| type-field | schema-poisoned |
| default-value | schema-poisoned |
| example-inject | schema-poisoned |
| error-message | schema-poisoned |
| enum-poison | schema-poisoned |
## Vulnerability Templates

aipostex includes 20 MCP-specific vulnerability templates that run automatically during `scan targets` and `discover network`. These cover infrastructure exposure, CVEs, and server-specific vulnerabilities from the vulnerablemcp database.

### Infrastructure Exposure

| Template | What It Detects |
|---|---|
| mcp-auth-001 / 002 | Unauthenticated SSE and HTTP transports |
| mcp-auth-003 / 005 | MCP Inspector UI and API exposed without auth |
| mcp-auth-004 | DNS rebinding via Host header trust |
| mcp-session-001 | Session IDs leaked in SSE endpoint URL query parameters |

### CVEs and Server-Specific

| Template | CVE | What It Detects |
|---|---|---|
| cve-2025-65513 | CVE-2025-65513 | Fetch MCP Server SSRF via IP validation bypass |
| cve-2025-49596 | CVE-2025-49596 | MCP Inspector RCE (versions < 0.14.1) |
| cve-2025-66414 | CVE-2025-66414/66416 | Official MCP SDK DNS rebinding (TS < 1.24.0, Python < 1.23.0) |
| cve-2025-53355 | CVE-2025-53355 | Kubernetes MCP server command injection via kubectl tools |
| cve-2025-53967 | CVE-2025-53967 | Framelink Figma MCP server RCE via curl fallback |
| cve-2025-59163 | CVE-2025-59163 | Vet MCP server DNS rebinding |
| tra-2025-36 | TRA-2025-36 | Microsoft Learn MCP server SSRF via docs_fetch tool |
| mcp-enum-006 | CVE-2025-10193 | Neo4j MCP Cypher server exposure and DNS rebinding |
Run templates against an MCP endpoint:
See Built-in Templates for the full template reference.
## Workflow Progression
discover network / discover files (discovers MCP config or endpoint)
→ scan targets --tags mcp (run vulnerability templates)
→ mcp analyze --config <path> (local config analysis)
→ mcp enum --target <url> (remote tool enumeration)
→ mcp env-extract (credential probing, read-only)
→ mcp poison --mode <mode> (exploit validation, gated)
→ mcp chain (automated credential exfiltration, gated)