mcp-server-fuzzer
Verified Safeby Agent-Hellboy
Overview
Fuzzing and security testing of Model Context Protocol (MCP) servers across multiple transport protocols (HTTP, SSE, Stdio) to validate functionality, robustness, and protocol compliance.
Installation
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000 --runs 10Environment Variables
- MCP_API_KEY
- MCP_USERNAME
- MCP_PASSWORD
- MCP_HEADER_NAME
- MCP_PREFIX
- MCP_OAUTH_TOKEN
- MCP_CUSTOM_HEADERS
- MCP_TOOL_AUTH_MAPPING
- MCP_SPEC_SCHEMA_VERSION
- MCP_FUZZER_TIMEOUT
- MCP_FUZZER_LOG_LEVEL
- MCP_FUZZER_SAFETY_ENABLED
- MCP_FUZZER_FS_ROOT
- MCP_FUZZER_HTTP_TIMEOUT
- MCP_FUZZER_SSE_TIMEOUT
- MCP_FUZZER_STDIO_TIMEOUT
Security Notes
The MCP Server Fuzzer is explicitly designed with robust, multi-layered safety features (command blocking, filesystem sandboxing via `--fs-root`, strict network policies with `--no-network`/`--allow-host`, process isolation, and non-root Docker user execution) to safely test potentially vulnerable target servers. Its internal architecture (e.g., `SafetyFilter`, `SystemCommandBlocker`) is built to prevent the fuzzer itself from performing dangerous operations on the host machine.
Similar Servers
mcp-interviewer
A Python CLI tool to evaluate Model Context Protocol (MCP) servers for agentic use-cases, by inspecting capabilities, running functional tests, and providing LLM-as-a-judge evaluations.
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers, detecting various vulnerabilities in their implementations.
mcp-security-scanner
A Python-based penetration testing tool designed to scan and identify vulnerabilities in Model Context Protocol (MCP) servers.
mcp-jest
A testing framework for Model Context Protocol (MCP) servers, allowing automated validation of AI agent tools, resources, and prompts.