VulneraMCP
by telmon95
Overview
An AI-powered platform for automated security testing, vulnerability research, and bug bounty hunting.
Installation
npm start
Environment Variables
- POSTGRES_HOST
- POSTGRES_PORT
- POSTGRES_DB
- POSTGRES_USER
- POSTGRES_PASSWORD
- REDIS_HOST
- REDIS_PORT
- REDIS_PASSWORD
- ZAP_URL
- ZAP_API_KEY
- CAIDO_MCP_SERVER
- CAIDO_API_TOKEN
- BURP_BRIDGE_PORT
- DASHBOARD_PORT
Security Notes
The server uses `eval()` in `render.execute_js`, which executes arbitrary JavaScript supplied by the user or the AI; this is a critical remote code execution risk if the MCP client is compromised or passes untrusted input. Default PostgreSQL passwords such as 'bugbounty123' are suggested in the setup scripts and in `docker-compose.yml`, which is a hardcoded-secret weakness; deployments should replace them with a unique value set through POSTGRES_PASSWORD. ZAP is often configured with `api.disablekey=true` in the examples, leaving its API unprotected; enabling the key and setting ZAP_API_KEY closes that gap.
Similar Servers
flowlens-mcp-server
Provides rich browser context (user actions, network, console, storage, DOM, screen recording) to coding agents for in-depth debugging and automated regression testing of web applications.
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
rocketship
This MCP server acts as a knowledgeable assistant for AI coding agents, providing guidance, examples, and introspection data for writing Rocketship tests, rather than directly generating test files.
mcp-pentest
An AI-driven middleware to orchestrate and manage penetration testing tools and engagements.