15 Research Lab -Adversarial Safety Evaluation of Frontier AI Systems

John Kearney

MCP Server Vulnerability Scanner: Mapping the Attack Surface

January 15, 202615 Research Lab

mcp-safetytoolsred-teamopen-source

You cannot secure what you have not mapped. Before hardening your MCP deployment, you need a clear picture of the attack surface. Automated scanning tools enumerate the security properties of MCP servers and flag gaps.

What to Scan For

Authentication status. Does the server require authentication? What type? Is it enforced on all endpoints? Many servers implement auth on the main endpoint but leave health checks or metadata endpoints unprotected.

Transport security. Is TLS enabled for SSE transport? Are certificates valid? Are CORS headers properly restrictive?

Tool inventory. What tools does the server expose? What capabilities do they grant? A server advertising a "run_shell_command" tool has a fundamentally different risk profile than one offering "get_weather."

Tool description content. Do any descriptions contain instruction-like language, URLs, or references to other tools? These could be injection payloads or simply poorly written descriptions that confuse the model.

Parameter schemas. Are parameters properly typed and constrained? An "email" parameter that accepts any string is less secure than one with format validation. Missing schemas mean the agent can pass arbitrary data.

Response behavior. Do tool responses contain instruction-like patterns? Does the response format change based on input in ways that suggest dynamic content injection?

Capability scope. Does the server expose more tools than the agent needs? Excessive capability means excessive risk from a compromised agent.

The Attack Surface Mapper

The Attack Surface Mapper automates these checks. It connects to MCP servers, enumerates their tools, analyzes descriptions and schemas, and produces a report covering:

Authentication and transport security status
Tool capability categorization (read-only, write, execute, network)
Injection risk scoring for tool descriptions
Parameter validation coverage
SARIF-formatted output for integration with GitHub Security tab and other security dashboards

The SARIF output is important because it integrates MCP security findings into existing security workflows rather than creating a separate process.

Manual Follow-Up

Automated scanning catches structural issues. Manual testing is needed for:

Behavioral testing: does the server actually enforce its schema constraints?
Rug pull testing: does the server change behavior between the initial scan and subsequent connections?
Response injection: do tool responses attempt to manipulate the agent when given specific inputs?
Authorization bypass: can you access tools that should be restricted by changing request parameters?

Continuous Scanning

Run scans on every deployment. MCP servers change when their dependencies update, when configuration changes, or when upstream services modify their APIs. A server that was secure last month may have new vulnerabilities today.

Integrate scanning into CI/CD. Block deployments that introduce new high-severity findings. Track findings over time to measure whether your security posture is improving or degrading.