damn-vulnerable-MCP-server

# Damn Vulnerable Model Context Protocol (DVMCP)

A deliberately vulnerable implementation of the Model Context Protocol (MCP) for educational purposes.

## Overview

The Damn Vulnerable Model Context Protocol (DVMCP) is an educational project designed to demonstrate security vulnerabilities in MCP implementations. It contains 10 challenges of increasing difficulty that showcase different types of vulnerabilities and attack vectors specific to MCP.

This project is intended for security researchers, developers, and AI safety professionals to learn about potential security issues in MCP implementations and how to mitigate them. By exploring these vulnerabilities, users can gain a deeper understanding of the security considerations necessary when building and deploying MCP-enabled applications.

## What is MCP?

The [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) is a standardized protocol that allows applications to provide context for Large Language Models (LLMs) in a structured way. It decouples context provision from direct LLM interaction, enabling applications to expose resources, tools, and prompts to LLMs through a well-defined interface. This allows for richer and more controlled interactions with LLMs.

## Recommended MCP Clients

*   **CLINE - VSCode Extension:** A popular VSCode extension for interacting with MCP servers. Refer to the [CLINE documentation](https://docs.cline.bot/mcp-servers/connecting-to-a-remote-server) for instructions on connecting to a remote MCP server like DVMCP.

## Getting Started

To run DVMCP, follow these steps:

1.  **Clone the repository:**

    ```bash
    git clone <repository_url>
    cd dvmcp
    ```

2.  **Build the Docker image:**

    ```bash
    docker build -t dvmcp .
    ```

3.  **Run the Docker container:** This will expose the challenge ports (9001-9010) on your local machine.

    ```bash
    docker run -p 9001-9010:9001-9010 dvmcp
    ```

    Each challenge will be accessible on a separate port within the 9001-9010 range.

## Platform Compatibility

**Important:** While DVMCP can be run directly on Linux environments, Docker is the recommended and most reliable method, especially for Windows users. Docker ensures a consistent and isolated environment, mitigating potential compatibility issues.

## Security Risks Demonstrated

This project demonstrates various vulnerabilities that can occur in MCP implementations. Understanding these risks is crucial for building secure MCP-based applications.  The following vulnerabilities are explored:

1.  **Prompt Injection:** Manipulating LLM behavior by injecting malicious instructions through user inputs or context data provided via MCP.
2.  **Tool Poisoning:** Hiding malicious instructions within tool descriptions or documentation exposed through MCP, leading the LLM to execute unintended actions.
3.  **Excessive Permissions:** Exploiting overly permissive tool access granted through MCP, allowing unauthorized access to resources or functionalities.
4.  **Rug Pull Attacks:** Exploiting tool definition mutations after installation, where a seemingly benign tool becomes malicious after being integrated into the MCP environment.
5.  **Tool Shadowing:** Overriding legitimate tools with malicious ones by exploiting naming conflicts or registration vulnerabilities within the MCP server.
6.  **Indirect Prompt Injection:** Injecting malicious instructions through data sources exposed as tools or resources via MCP, influencing the LLM's behavior indirectly.
7.  **Token Theft:** Exploiting insecure storage or handling of authentication tokens used to access tools and resources within the MCP environment.
8.  **Malicious Code Execution:** Executing arbitrary code through vulnerabilities in tools exposed via MCP, potentially compromising the underlying system.
9.  **Remote Access Control:** Gaining unauthorized system access by exploiting vulnerabilities in tools that provide remote access capabilities through MCP.
10. **Multi-Vector Attacks:** Combining multiple vulnerabilities in a coordinated attack to achieve a more significant impact on the MCP environment and the LLM's behavior.

## Project Structure

dvmcp/
├── README.md # Project overview and instructions
├── requirements.txt # Python dependencies
├── challenges/ # Challenge implementations
│ ├── easy/ # Easy difficulty challenges (1-3)
│ │ ├── challenge1/ # Basic Prompt Injection
│ │ ├── challenge2/ # Tool Poisoning
│ │ └── challenge3/ # Excessive Permission Scope
│ ├── medium/ # Medium difficulty challenges (4-7)
│ │ ├── challenge4/ # Rug Pull Attack
│ │ ├── challenge5/ # Tool Shadowing
│ │ ├── challenge6/ # Indirect Prompt Injection
│ │ └── challenge7/ # Token Theft
│ └── hard/ # Hard difficulty challenges (8-10)
│ ├── challenge8/ # Malicious Code Execution
│ ├── challenge9/ # Remote Access Control
│ └── challenge10/ # Multi-Vector Attack
├── docs/ # Documentation
│ ├── setup.md # Setup instructions
│ ├── challenges.md # Challenge descriptions
│ └── mcp_overview.md # MCP protocol overview
├── solutions/ # Solution guides
└── common/ # Shared code and utilities

## Getting Started

For detailed instructions on setting up and running the challenges, please refer to the [Setup Guide](docs/setup.md).

## Challenges

The project includes 10 challenges categorized into three difficulty levels, each designed to highlight specific MCP vulnerabilities:

### Easy Challenges

1.  **Basic Prompt Injection:** Exploit unsanitized user input or context data to manipulate the LLM's behavior through MCP.
2.  **Tool Poisoning:** Inject malicious instructions into tool descriptions or documentation exposed via MCP, influencing the LLM's actions.
3.  **Excessive Permission Scope:** Exploit overly permissive tools exposed through MCP to access unauthorized resources or functionalities.

### Medium Challenges

4.  **Rug Pull Attack:** Exploit tools that change their behavior after being installed and integrated into the MCP environment.
5.  **Tool Shadowing:** Override legitimate tools with malicious ones by exploiting naming conflicts or registration vulnerabilities within the MCP server.
6.  **Indirect Prompt Injection:** Inject malicious instructions through data sources exposed as tools or resources via MCP, indirectly influencing the LLM's behavior.
7.  **Token Theft:** Extract authentication tokens from insecure storage or handling within the MCP environment, allowing unauthorized access to tools and resources.

### Hard Challenges

8.  **Malicious Code Execution:** Execute arbitrary code through vulnerabilities in tools exposed via MCP, potentially compromising the underlying system.
9.  **Remote Access Control:** Gain remote access to the system by exploiting vulnerabilities in tools that provide remote access capabilities through MCP.
10. **Multi-Vector Attack:** Chain multiple vulnerabilities in a coordinated attack to achieve a more significant impact on the MCP environment and the LLM's behavior.

For detailed descriptions of each challenge, please refer to the [Challenges Guide](docs/challenges.md).

## Solutions

Solution guides are provided for educational purposes. It is highly recommended to attempt the challenges independently before consulting the solutions.

See the [Solutions Guide](solutions/README.md) for detailed solutions to each challenge.

## Disclaimer

This project is intended for educational purposes only. The vulnerabilities demonstrated in this project should never be implemented in production systems. Always adhere to security best practices when implementing MCP servers and applications.  Proper input validation, secure tool design, and robust access control mechanisms are essential for mitigating the risks highlighted in this project.

## License

This project is licensed under the MIT License - see the LICENSE file for details.

## Author

This project was created by Harish Santhanalakshmi Ganesan using cursor IDE and Manus AI.