MCP Server Security Testing: OWASP MCP Top 10 red-teaming #1470
Description
Context
PyRIT is excellent for generative AI red-teaming. With MCP (Model Context Protocol) becoming the standard for AI agent tool access -- adopted by Anthropic, OpenAI, Google, and Microsoft's own ecosystem -- there's a protocol-level attack surface that current red-teaming tools don't specifically address.
MCP-Specific Attack Vectors
The OWASP MCP Top 10 documents these risks:
- MCP-03: Tool Poisoning -- injecting malicious tool definitions
- MCP-04: Rug Pull -- redefining tools after trust establishment
- MCP-06: Prompt injection via unsigned JSON-RPC messages
- MCP-07: Authentication bypass on MCP server endpoints
- MCP-09: Man-in-the-Middle attacks on MCP connections
- MCP-10: Context poisoning through prompt concatenation
mcps-audit -- OWASP Scanner for MCP Servers
We built an open-source static analysis scanner for MCP security:
npx mcps-audit ./your-mcp-serverScans against OWASP MCP Top 10 (protocol-level) + OWASP Agentic AI Top 10 (code-level). Generates PDF compliance reports.
Real-world findings
| Framework | Findings | Verdict |
|---|---|---|
| CrewAI | 89 | FAIL |
| LangGraph | 47 | FAIL |
| Pydantic AI | 113 | FAIL |
| MCP Filesystem Server | 6 | WARN |
Relevance to PyRIT
PyRIT could extend its red-teaming capabilities to include MCP-specific attack scenarios:
- Testing tool definition injection resilience
- Probing authentication boundaries on MCP endpoints
- Evaluating message integrity (signed vs unsigned JSON-RPC)
- Assessing audit trail completeness
Links
- npm: https://www.npmjs.com/package/mcps-audit
- GitHub: https://github.com/razashariff/mcps-audit
- OWASP MCP Top 10: https://owasp.org/www-project-mcp-top-10/
- MCPS IETF Draft: https://datatracker.ietf.org/doc/draft-sharif-mcps-secure-mcp/