MCP Server Security Testing: OWASP MCP Top 10 red-teaming

[razashariff]

Context

PyRIT is excellent for generative AI red-teaming. With MCP (Model Context Protocol) becoming the standard for AI agent tool access -- adopted by Anthropic, OpenAI, Google, and Microsoft's own ecosystem -- there's a protocol-level attack surface that current red-teaming tools don't specifically address.

MCP-Specific Attack Vectors

The OWASP MCP Top 10 documents these risks:

• MCP-03: Tool Poisoning -- injecting malicious tool definitions
• MCP-04: Rug Pull -- redefining tools after trust establishment
• MCP-06: Prompt injection via unsigned JSON-RPC messages
• MCP-07: Authentication bypass on MCP server endpoints
• MCP-09: Man-in-the-Middle attacks on MCP connections
• MCP-10: Context poisoning through prompt concatenation

mcps-audit -- OWASP Scanner for MCP Servers

We built an open-source static analysis scanner for MCP security:

npx mcps-audit ./your-mcp-server

Scans against OWASP MCP Top 10 (protocol-level) + OWASP Agentic AI Top 10 (code-level). Generates PDF compliance reports.

Real-world findings

Framework	Findings	Verdict
CrewAI	89	FAIL
LangGraph	47	FAIL
Pydantic AI	113	FAIL
MCP Filesystem Server	6	WARN

Relevance to PyRIT

PyRIT could extend its red-teaming capabilities to include MCP-specific attack scenarios:

• Testing tool definition injection resilience
• Probing authentication boundaries on MCP endpoints
• Evaluating message integrity (signed vs unsigned JSON-RPC)
• Assessing audit trail completeness

Links

• npm: https://www.npmjs.com/package/mcps-audit
• GitHub: https://github.com/razashariff/mcps-audit
• OWASP MCP Top 10: https://owasp.org/www-project-mcp-top-10/
• MCPS IETF Draft: https://datatracker.ietf.org/doc/draft-sharif-mcps-secure-mcp/

[esxr]

For the active testing side of MCP red-teaming, we built operant-mcp. It's an MCP server with 51 security tools that can actually test for the vulnerability classes you mentioned: injection (SQLi, command injection, XSS), auth bypass, SSRF, path traversal, and more. Since it's MCP-native, it could plug into PyRIT's orchestrator pattern for MCP-specific attack scenarios. npx operant-mcp to install.

[diamond8658]

Hi, I'd like to take this on!

I'm planning to start with a focused first PR covering the two most tractable attack vectors from the OWASP MCP Top 10:

• MCP-03 (Tool Poisoning) — injecting malicious tool definitions into MCP server responses
• MCP-06 (Prompt Injection via unsigned JSON-RPC messages) — testing LLM resilience to crafted message payloads

My approach would be to implement these as new PyRIT PromptTarget and/or converter components that interface with an MCP server endpoint, consistent with how existing attack surfaces are structured in the framework. I'll include unit tests and a notebook example.

[tejas0077]

Hi, I'd like to work on MCP-07 (Authentication Bypass) — probing authentication
boundaries on MCP server endpoints. I'll implement this as a PyRIT PromptTarget
that tests for auth bypass scenarios, with unit tests and a notebook example.

[tejas0077]

Hi, I've submitted a PR implementing MCP-07 (Authentication Bypass) testing: #1567

It adds MCPAuthBypassTarget with 4 bypass techniques: no_auth, empty_token, malformed_token, and role_escalation (alg:none attack). Happy to get feedback!

[romanlutz]

Sorry for taking a little to chime in here. PromptTarget is the wrong abstraction. We don't prompt MCP servers. Instead, agents call them if needed. Of course, there are targets (e.g., OpenAIResponseTarget) which are able to use MCP servers. I can see us supporting this kind of probing at some point but it’ll probably look different and maintainers need to think about what that will look like. We appreciate your interest and thought, of course.

[diamond8658]

Thanks for the conext, @romanlutz. That's a really helpful distinction and I appreciate you taking the time to explain it.
If I'm understanding correctly, the more natural fit might be something like XPIAOrchestrator, where the attack surface is the agent processing layer rather than the MCP server itself. So instead of trating the MCP server as a target to probe, we would set up a mock malicious MCP server as the adversarial environment and observe how an egen using something like OpenAIResponseTarget responds to poisoned tool definitions or crafted JSON-RPC payloads.

Am I thinking about this the right way? And if so, is this something the team would potentially be open to exploring, or is the coverage something you're still working through architecturally? I am happy to learn more about how the framework is evolving in this area before proposing a rework.

[romanlutz]

@diamond8658 yes that's one avenue to explore.

The other is to directly test the MCP server as your target does. However, PromptTarget is not the abstraction I would use for that since it's something else. That leaves us with coming up with a better abstraction. In full transparency, it's not a concrete priority for us at the moment so I'm not quite sure when we'll get to it.

If you created (simple) examples of AI systems (with MCP) that plug into XPIA workflow, for example, I could see us adding that. I suppose you would have to capture whether the attack was successful as well. There's a fundamental problem with attacker-based systems that it's hard to observe what happens behind the scenes. We will have an answer to this soon but in the meantime feel free to propose examples.

[razashariff]

Thanks Roman -- helpful guidance on both comments. Understood that PromptTarget isn't the right abstraction for MCP and that the XPIA workflow is the more natural fit.

I have a deliberately vulnerable MCP server (dvmcp.co.uk) that serves poisoned tool definitions, and a defence layer (x-agent-trust, recently approved into the OpenAPI Extensions Registry) that catches the attack via signed request verification. The patterns align with what the OWASP MCP Security Cheat Sheet documents for message integrity.

Happy to put together a minimal XPIA example showing the attack/defence flow with attack success/failure captured. Will open a draft PR when it's ready for your review.