Skip to content

Mr-Infect/MCP-Penetration-testing

Repository files navigation

🔥 The Ultimate OWASP MCP Top 10 Pentesting & Audit Framework 🔥
Built for Students • Pentesters • Security Engineers • Enterprises

Created by MR_INFECT


🚀 MCP Master Checklist — The Gold Standard for MCP Security

If OWASP Top 10 is the law, this repository is the courtroom.

This repository is the world’s first # 1 end-to-end, checklist-driven, pentest-ready security framework dedicated exclusively to the OWASP Model Context Protocol (MCP) Top 10 – 2025.

Designed to be:

  • Auditor-defensible
  • Pentester-usable
  • Student-friendly
  • Enterprise-grade
  • Future-proof

🛡️ Badges (Because Credibility Matters)


🧠 What Makes This Repository EXTRAORDINARY?

✨ This is not documentation
✨ This is not theory
✨ This is not another blog dump

This repo is a:

  • 📌 Master Security Checklist
  • 📌 Pentesting Playbook
  • 📌 Audit & Compliance Framework
  • 📌 Learning Roadmap for MCP Security
  • 📌 Single Source of Truth for MCP Risks

Every MCP vulnerability includes:

  • Clear explanation
  • Attack surface mapping
  • Real-world failure scenarios
  • Detection techniques
  • Mitigation strategy
  • Pentester checklist
  • Scoring & evaluation logic

🎯 Covered Vulnerabilities (OWASP MCP Top 10 – 2025)

ID Vulnerability
MCP01 Token Mismanagement & Secret Exposure
MCP02 Privilege Escalation via Scope Creep
MCP03 Tool Poisoning
MCP04 Supply Chain Attacks & Dependency Tampering
MCP05 Command Injection & Execution
MCP06 Prompt Injection via Contextual Payloads
MCP07 Insufficient Authentication & Authorization
MCP08 Lack of Audit & Telemetry
MCP09 Shadow MCP Servers
MCP10 Context Injection & Over-Sharing

✔ Each item has its own deep-dive markdown
✔ Each item is pentest-aligned
✔ Each item is checklist-driven


🧪 MCP Master Checklist (The Crown Jewel 👑)

The MCP Master Checklist allows you to:

  • 🔍 Evaluate MCP systems objectively
  • 🧮 Calculate a numeric security score (/100)
  • 🏷️ Classify MCP maturity (Critical → Enterprise)
  • 📊 Track progress over time
  • 🛠️ Prioritize remediation efforts

If it’s not measurable, it’s not secure.


📊 Scoring & Maturity Model

Score Maturity Risk
0–30 🔴 Critical Immediate compromise likely
31–50 🟠 Weak Easily exploitable
51–70 🟡 Moderate Partial controls
71–85 🟢 Strong Well-secured
86–100 🟣 Enterprise Best-in-class

🎓 Who Should Use This?

✔ Cybersecurity Students
✔ Red Teamers & Pentesters
✔ SOC Analysts
✔ AI Engineers
✔ DevSecOps Teams
✔ Security Architects
✔ Auditors & GRC Teams
✔ Enterprises deploying AI agents


🧩 Repository Structure

📦 MCP-Master-Checklist
 ┣ 📂 MCP01-Token-Mismanagement
 ┣ 📂 MCP02-Privilege-Escalation
 ┣ 📂 MCP03-Tool-Poisoning
 ┣ 📂 MCP04-Supply-Chain-Attacks
 ┣ 📂 MCP05-Command-Injection
 ┣ 📂 MCP06-Prompt-Injection
 ┣ 📂 MCP07-Authentication-Authorization
 ┣ 📂 MCP08-Audit-Telemetry
 ┣ 📂 MCP09-Shadow-MCP-Servers
 ┣ 📂 MCP10-Context-OverSharing
 ┣ 📄 MCP-master-checklist.md
 ┗ 📄 README.md

🧠 Philosophy

LLMs are not secure by default. MCP expands the attack surface. Security must be designed — not assumed.

This repository exists to kill blind trust in AI systems.


🌟 Why This Will Be #1 on GitHub

  • 🔥 First MCP-only security checklist
  • 🔥 Direct OWASP MCP Top 10 mapping
  • 🔥 Pentest + Audit + Learning in one repo
  • 🔥 SEO-optimized structure & keywords
  • 🔥 Continuously evolving with MCP ecosystem

🤝 Contributing

Contributions are welcome and encouraged.

You can help by:

  • Adding labs
  • Improving detection logic
  • Adding tooling references
  • Submitting real-world MCP failure cases

📬 Open an issue or pull request.


☕ Support the Project

If this repository helped you:

  • ⭐ Star the repo
  • 🔁 Share it with your network
  • ☕ Buy me a coffee (link coming soon)

Built with ⚔️ by MR_INFECT
Breaking AI systems so the world can build safer ones.

About

The ultimate OWASP MCP Top 10 security checklist and pentesting framework for Model Context Protocol (MCP), AI agents, and LLM-powered systems.

Topics

Resources

Stars

14 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors