About
Damn Vulnerable MCP Server is an educational security training platform featuring deliberately vulnerable Model Context Protocol implementations designed to teach AI safety professionals and developers about MCP-specific attack vectors. Key features of Damn Vulnerable MCP Server: - 10 hands-on security challenges across easy, medium, and hard difficulty levels - Demonstrates critical MCP vulnerabilities including prompt injection, tool poisoning, rug pull attacks, tool shadowing, and excessive permission exploitation - Self-contained Docker environment with challenge servers running on ports 9001-9010 - Covers multi-vector attacks combining token theft, malicious code execution, and unauthorized remote access - Interactive labs for security researchers to learn identification and mitigation techniques for LLM context protocol security risks
README
Damn Vulnerable Model Context Protocol (DVMCP)
A deliberately vulnerable implementation of the Model Context Protocol (MCP) for educational purposes.
Overview
The Damn Vulnerable Model Context Protocol (DVMCP) is an educational project designed to demonstrate security vulnerabilities in MCP implementations. It contains 10 challenges of increasing difficulty that showcase different types of vulnerabilities and attack vectors.
This project is intended for security researchers, developers, and AI safety professionals to learn about potential security issues in MCP implementations and how to mitigate them.
What is MCP?
The Model Context Protocol (MCP) is a standardized protocol that allows applications to provide context for Large Language Models (LLMs) in a structured way. It separates the concerns of providing context from the actual LLM interaction, enabling applications to expose resources, tools, and prompts to LLMs.
Recommended MCP Clients
CLINE - VSCode Extension Refer to this Connecting to a Remote Server - Cline for connecting Cline with MCP server
Quick Start
Once you have cloned the repository, run the following commands:
docker build -t dvmcp .
docker run -p 9001-9010:9001-9010 dvmcp
Disclaimer
It's not stable in a Windows environment. If you don't want to use Docker then please use Linux environment. I recommend Docker to run the LAB and I am 100% percent sure it works well in the Docker environmentSecurity Risks
While MCP provides many benefits, it also introduces new security considerations. This project demonstrates various vulnerabilities that can occur in MCP implementations, including:
1. Prompt Injection: Manipulating LLM behavior through malicious inputs 2. Tool Poisoning: Hiding malicious instructions in tool descriptions 3. Excessive Permissions: Exploiting overly permissive tool access 4. Rug Pull Attacks: Exploiting tool definition mutations 5. Tool Shadowing: Overriding legitimate tools with malicious ones 6. Indirect Prompt Injection: Injecting instructions through data sources 7. Token Theft: Exploiting insecure token storage 8. Malicious Code Execution: Executing arbitrary code through vulnerable tools 9. Remote Access Control: Gaining unauthorized system access 10. Multi-Vector Attacks: Combining multiple vulnerabilities
Project Structure
damn-vulnerable-MCP-server/
├── README.md # Project overview
├── requirements.txt # Python dependencies
├── challenges/ # Challenge implementations
│ ├── easy/ # Easy difficulty challenges (1-3)
│ │ ├── challenge1/ # Basic Prompt Injection
│ │ ├── challenge2/ # Tool Poisoning
│ │ └── challenge3/ # Excessive Permission Scope
│ ├── medium/ # Medium difficulty challenges (4-7)
│ │ ├── challenge4/ # Rug Pull Attack
│ │ ├── challenge5/ # Tool Shadowing
│ │ ├── challenge6/ # Indirect Prompt Injection
│ │ └── challenge7/ # Token Theft
│ └── hard/ # Hard difficulty challenges (8-10)
│ ├── challenge8/ # Malicious Code Execution
│ ├── challenge9/ # Remote Access Control
│ └── challenge10/ # Multi-Vector Attack
├── docs/ # Documentation
│ ├── setup.md # Setup instructions
│ ├── challenges.md # Challenge descriptions
│ └── mcp_overview.md # MCP protocol overview
├── solutions/ # Solution guides
└── common/ # Shared code and utilities
Getting Started
See the Setup Guide for detailed instructions on how to install and run the challenges.
Challenges
The project includes 10 challenges across three difficulty levels:
Easy Challenges
1. Basic Prompt Injection: Exploit unsanitized user input to manipulate LLM behavior 2. Tool Poisoning: Exploit hidden instructions in tool descriptions 3. Excessive Permission Scope: Exploit overly permissive tools to access unauthorized resources
Medium Challenges
4. Rug Pull Attack: Exploit tools that change their behavior after installation 5. Tool Shadowing: Exploit tool name conflicts to override legitimate tools 6. Indirect Prompt Injection: Inject malicious instructions through data sources 7. Token Theft: Extract authentication tokens from insecure storage
Hard Challenges
8. Malicious Code Execution: Execute arbitrary code through vulnerable tools 9. Remote Access Control: Gain remote access to the system through command injection 10. Multi-Vector Attack: Chain multiple vulnerabilities for a sophisticated attack
See the Challenges Guide for detailed descriptions of each challenge.
Solutions
Solution guides are provided for educational purposes.
Related MCP Servers
AI Research Assistant
hamid-vakilzadeh
AI Research Assistant provides comprehensive access to millions of academic papers through the Semantic Scholar and arXiv databases. This MCP server enables AI coding assistants to perform intelligent literature searches, citation network analysis, and paper content extraction without requiring an API key. Key features include: - Advanced paper search with multi-filter support by year ranges, citation thresholds, field of study, and publication type - Title matching with confidence scoring for finding specific papers - Batch operations supporting up to 500 papers per request - Citation analysis and network exploration for understanding research relationships - Full-text PDF extraction from arXiv and Wiley open-access content (Wiley TDM token required for institutional access) - Rate limits of 100 requests per 5 minutes with options to request higher limits through Semantic Scholar
Linkup
LinkupPlatform
Linkup is a real-time web search and content extraction service that enables AI assistants to search the web and retrieve information from trusted sources. It provides source-backed answers with citations, making it ideal for fact-checking, news gathering, and research tasks. Key features of Linkup: - Real-time web search using natural language queries to find current information, news, and data - Page fetching to extract and read content from any webpage URL - Search depth modes: Standard for direct-answer queries and Deep for complex research across multiple sources - Source-backed results with citations and context from relevant, trustworthy websites - JavaScript rendering support for accessing dynamic content on JavaScript-heavy pages
Math-MCP
EthanHenrickson
Math-MCP is a computation server that enables Large Language Models (LLMs) to perform accurate numerical calculations through the Model Context Protocol. It provides precise mathematical operations via a simple API to overcome LLM limitations in arithmetic and statistical reasoning. Key features of Math-MCP: - Basic arithmetic operations: addition, subtraction, multiplication, division, modulo, and bulk summation - Statistical analysis functions: mean, median, mode, minimum, and maximum calculations - Rounding utilities: floor, ceiling, and nearest integer rounding - Trigonometric functions: sine, cosine, tangent, and their inverses with degrees and radians conversion support