Related MCP Server Resources

Explore more AI models, providers, and integration options:

  • Explore AI Models
  • Explore AI Providers
  • Explore MCP Servers
  • LangDB Pricing
  • Documentation
  • AI Industry Blog
  • MCP Server for ArangoDB
  • Jokes MCP Server
  • MCP Server
  • mcp-server-data-exploration
  • Airtable MCP
Back to MCP Servers
Insecure MCP Demo

Insecure MCP Demo

Public
kenhuangus/mcp-vulnerable-server-demo

Demonstrates a vulnerable Model Context Protocol server with tools for inserting and querying records, executing arbitrary SQL, and accessing environment variables, highlighting critical security flaws like SQL injection, unauthorized data exposure, and lack of access control for educational purposes.

python
0 tools
May 30, 2025
Updated Jun 4, 2025

Supercharge Your AI with Insecure MCP Demo

MCP Server

Unlock the full potential of Insecure MCP Demo through LangDB's AI Gateway. Get enterprise-grade security, analytics, and seamless integration with zero configuration.

Unified API Access
Complete Tracing
Instant Setup
Get Started Now

Free tier available • No credit card required

Instant Setup
99.9% Uptime
10,000+Monthly Requests

Insecure MCP Demo

Overview

This project demonstrates a vulnerable MCP server and multiple clients, including a proof-of-concept attack client and also a good client. It is designed for educational purposes to showcase potential security vulnerabilities in MCP server.

Project Structure

  • vuln-mcp.py: Vulnerable MCP server exposing insecure tools.
  • good-mcp-client.py: Regular good client for normal interactions (insert/query records).
  • attack-mcp-client.py: Automated attack client that demonstrates exploitation of server vulnerabilities.
  • requirements.txt: Python dependencies for the project.

Features & Vulnerabilities

Exposed Server Tools

  1. insert_record
    • Inserts a name/address record into the database.
    • Vulnerability: Prone to SQL injection due to direct string interpolation of user input into SQL queries.
  2. query_records
    • Lists all records in the database.
    • Vulnerability: Exposes all data without authentication or access control.
  3. execute_sql
    • Executes arbitrary SQL queries provided by the client.
    • Vulnerability: Allows any SQL command, including destructive ones (e.g., data exfiltration, schema changes).
  4. get_env_variable
    • Returns the value of any environment variable requested.
    • Vulnerability: Leaks sensitive environment variables (e.g., secrets, API keys).

How to Run

1. Install Dependencies

pip install -r requirements.txt

2. Start the Server and Good Client

In one terminal:

python good-mcp-client.py vuln-mcp.py

Follow the prompts to insert/query records interactively.

3. Run the Attack Client

In another terminal:

python attack-mcp-client.py vuln-mcp.py

This will automatically:

  • Attempt SQL injection attacks
  • Execute arbitrary SQL queries
  • Attempt to read several common environment variables

Example Output

  • Attack client will show which payloads succeed or fail, and print out database contents and environment variable values if accessible.

Vulnerabilities Demonstrated

  • SQL Injection: User input is unsanitized, allowing attackers to manipulate SQL logic and insert arbitrary data.
  • Arbitrary Code Execution: The execute_sql tool allows attackers to run any SQL command, including data theft or destruction.
  • Sensitive Data Exposure: The get_env_variable tool allows attackers to read secrets and configuration values.
  • Lack of Access Control: Anyone can run all tools and access all data without authentication.

Mitigation Strategies

To secure a real-world MCP server, you should:

  1. Use Parameterized Queries:
    • Always use parameter substitution instead of string interpolation for SQL queries to prevent injection.
    • Example (secure):
      cursor.execute("INSERT INTO records (name, address) VALUES (?, ?)", (name, address))
  2. Restrict Dangerous Tools:
    • Remove or strictly limit tools like execute_sql and get_env_variable.
    • Only expose necessary functionality.
  3. Implement Authentication & Authorization:
    • Require users to authenticate and check permissions before allowing access to sensitive tools or data.
  4. Validate and Sanitize Input:
    • Check and sanitize all user inputs, especially those that interact with the database or system.
  5. Limit Environment Variable Access:
    • Only allow access to non-sensitive variables, or remove this tool entirely.
  6. Audit and Monitor Usage:
    • Log all tool invocations and monitor for suspicious or abusive behavior.
  7. Principle of Least Privilege:
    • Run the server with minimal privileges and restrict database and OS access as much as possible.

Disclaimer

This project is for educational and demonstration purposes only. Do not deploy this code in production environments.


For questions or further improvements, please open an issue or contact the project maintainer.

Publicly Shared Threads0

Discover shared experiences

Shared threads will appear here, showcasing real-world applications and insights from the community. Check back soon for updates!

Share your threads to help others
Related MCPs5
  • MCP Server for ArangoDB
    MCP Server for ArangoDB

    Model Context Protocol server enabling seamless interaction with ArangoDB through core database oper...

    7 tools
    Added May 30, 2025
  • Jokes MCP Server
    Jokes MCP Server

    Deploy and integrate a Model Context Protocol (MCP) server to standardize AI model context delivery,...

    Added May 30, 2025
  • MCP Server
    MCP Server

    Provides greeting-related tools, resources, and prompts via Model Context Protocol (MCP), enabling p...

    Added May 30, 2025
  • mcp-server-data-exploration
    mcp-server-data-exploration

    Interactive Model Context Protocol server enabling seamless data exploration by loading CSV datasets...

    2 tools
    Added May 30, 2025
  • Airtable MCP
    Airtable MCP

    Connect AI tools to Airtable via Model Context Protocol to manage bases, tables, schemas, and record...

    Added May 30, 2025