MCP Server Security Testing: OWASP MCP Top 10 red-teaming

[razashariff]

Context

PyRIT is excellent for generative AI red-teaming. With MCP (Model Context Protocol) becoming the standard for AI agent tool access -- adopted by Anthropic, OpenAI, Google, and Microsoft's own ecosystem -- there's a protocol-level attack surface that current red-teaming tools don't specifically address.

MCP-Specific Attack Vectors

The OWASP MCP Top 10 documents these risks:

• MCP-03: Tool Poisoning -- injecting malicious tool definitions
• MCP-04: Rug Pull -- redefining tools after trust establishment
• MCP-06: Prompt injection via unsigned JSON-RPC messages
• MCP-07: Authentication bypass on MCP server endpoints
• MCP-09: Man-in-the-Middle attacks on MCP connections
• MCP-10: Context poisoning through prompt concatenation

mcps-audit -- OWASP Scanner for MCP Servers

We built an open-source static analysis scanner for MCP security:

npx mcps-audit ./your-mcp-server

Scans against OWASP MCP Top 10 (protocol-level) + OWASP Agentic AI Top 10 (code-level). Generates PDF compliance reports.

Real-world findings

Framework	Findings	Verdict
CrewAI	89	FAIL
LangGraph	47	FAIL
Pydantic AI	113	FAIL
MCP Filesystem Server	6	WARN

Relevance to PyRIT

PyRIT could extend its red-teaming capabilities to include MCP-specific attack scenarios:

• Testing tool definition injection resilience
• Probing authentication boundaries on MCP endpoints
• Evaluating message integrity (signed vs unsigned JSON-RPC)
• Assessing audit trail completeness

Links

• npm: https://www.npmjs.com/package/mcps-audit
• GitHub: https://github.com/razashariff/mcps-audit
• OWASP MCP Top 10: https://owasp.org/www-project-mcp-top-10/
• MCPS IETF Draft: https://datatracker.ietf.org/doc/draft-sharif-mcps-secure-mcp/

[esxr]

For the active testing side of MCP red-teaming, we built operant-mcp. It's an MCP server with 51 security tools that can actually test for the vulnerability classes you mentioned: injection (SQLi, command injection, XSS), auth bypass, SSRF, path traversal, and more. Since it's MCP-native, it could plug into PyRIT's orchestrator pattern for MCP-specific attack scenarios. npx operant-mcp to install.

[diamond8658]

Hi, I'd like to take this on!

I'm planning to start with a focused first PR covering the two most tractable attack vectors from the OWASP MCP Top 10:

• MCP-03 (Tool Poisoning) — injecting malicious tool definitions into MCP server responses
• MCP-06 (Prompt Injection via unsigned JSON-RPC messages) — testing LLM resilience to crafted message payloads

My approach would be to implement these as new PyRIT PromptTarget and/or converter components that interface with an MCP server endpoint, consistent with how existing attack surfaces are structured in the framework. I'll include unit tests and a notebook example.

[tejas0077]

Hi, I'd like to work on MCP-07 (Authentication Bypass) — probing authentication
boundaries on MCP server endpoints. I'll implement this as a PyRIT PromptTarget
that tests for auth bypass scenarios, with unit tests and a notebook example.

[tejas0077]

Hi, I've submitted a PR implementing MCP-07 (Authentication Bypass) testing: #1567

It adds MCPAuthBypassTarget with 4 bypass techniques: no_auth, empty_token, malformed_token, and role_escalation (alg:none attack). Happy to get feedback!