Damn Vulnerable MCP Server

A server designed to be intentionally vulnerable for security testing and educational purposes.

Damn Vulnerable Model Context Protocol (DVMCP)

A deliberately vulnerable implementation of the Model Context Protocol (MCP) for educational purposes.

Overview

The Damn Vulnerable Model Context Protocol (DVMCP) is an educational project designed to demonstrate security vulnerabilities in MCP implementations. It contains 10 challenges of increasing difficulty that showcase different types of vulnerabilities and attack vectors.

This project is intended for security researchers, developers, and AI safety professionals to learn about potential security issues in MCP implementations and how to mitigate them.

What is MCP?

The Model Context Protocol (MCP) is a standardized protocol that allows applications to provide context for Large Language Models (LLMs) in a structured way. It separates the concerns of providing context from the actual LLM interaction, enabling applications to expose resources, tools, and prompts to LLMs.

Recommended MCP Clients

CLINE - VSCode Extension
Refer to this Connecting to a Remote Server - Cline for connecting Cline with MCP server

Quick Start

Once you have cloned the repository, run the following commands:

docker build -t dvmcp .
docker run -p 9001-9010:9001-9010 dvmcp

Disclaimer

It's not stable in a Windows environment. If you don't want to use Docker then please use Linux environment. I recommend Docker to run the LAB and I am 100% percent sure it works well in the Docker environment

Security Risks

While MCP provides many benefits, it also introduces new security considerations. This project demonstrates various vulnerabilities that can occur in MCP implementations, including:

Prompt Injection: Manipulating LLM behavior through malicious inputs
Tool Poisoning: Hiding malicious instructions in tool descriptions
Excessive Permissions: Exploiting overly permissive tool access
Rug Pull Attacks: Exploiting tool definition mutations
Tool Shadowing: Overriding legitimate tools with malicious ones
Indirect Prompt Injection: Injecting instructions through data sources
Token Theft: Exploiting insecure token storage
Malicious Code Execution: Executing arbitrary code through vulnerable tools
Remote Access Control: Gaining unauthorized system access
Multi-Vector Attacks: Combining multiple vulnerabilities

Project Structure

damn-vulnerable-MCP-server/
├── README.md                 # Project overview
├── requirements.txt          # Python dependencies
├── challenges/               # Challenge implementations
│   ├── easy/                 # Easy difficulty challenges (1-3)
│   │   ├── challenge1/       # Basic Prompt Injection
│   │   ├── challenge2/       # Tool Poisoning
│   │   └── challenge3/       # Excessive Permission Scope
│   ├── medium/               # Medium difficulty challenges (4-7)
│   │   ├── challenge4/       # Rug Pull Attack
│   │   ├── challenge5/       # Tool Shadowing
│   │   ├── challenge6/       # Indirect Prompt Injection
│   │   └── challenge7/       # Token Theft
│   └── hard/                 # Hard difficulty challenges (8-10)
│       ├── challenge8/       # Malicious Code Execution
│       ├── challenge9/       # Remote Access Control
│       └── challenge10/      # Multi-Vector Attack
├── docs/                     # Documentation
│   ├── setup.md              # Setup instructions
│   ├── challenges.md         # Challenge descriptions
│   └── mcp_overview.md       # MCP protocol overview
├── solutions/                # Solution guides
└── common/                   # Shared code and utilities

Getting Started

See the Setup Guide for detailed instructions on how to install and run the challenges.

Challenges

The project includes 10 challenges across three difficulty levels:

Easy Challenges

Basic Prompt Injection: Exploit unsanitized user input to manipulate LLM behavior
Tool Poisoning: Exploit hidden instructions in tool descriptions
Excessive Permission Scope: Exploit overly permissive tools to access unauthorized resources

Medium Challenges

Rug Pull Attack: Exploit tools that change their behavior after installation
Tool Shadowing: Exploit tool name conflicts to override legitimate tools
Indirect Prompt Injection: Inject malicious instructions through data sources
Token Theft: Extract authentication tokens from insecure storage

Hard Challenges

Malicious Code Execution: Execute arbitrary code through vulnerable tools
Remote Access Control: Gain remote access to the system through command injection
Multi-Vector Attack: Chain multiple vulnerabilities for a sophisticated attack

See the Challenges Guide for detailed descriptions of each challenge.

Solutions

Solution guides are provided for educational purposes. It's recommended to attempt the challenges on your own before consulting the solutions.

See the Solutions Guide for detailed solutions to each challenge.

Disclaimer

This project is for educational purposes only. The vulnerabilities demonstrated in this project should never be implemented in production systems. Always follow security best practices when implementing MCP servers.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

This project is created by Harish Santhanalakshmi Ganesan using cursor IDE and Manus AI.

Related Servers

Scout Monitoring MCP

sponsor

Put performance and error data directly in the hands of your AI assistant.

Alpha Vantage MCP Server

sponsor

Access financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more

iOS Simulator

Provides programmatic control over iOS simulators through a standardized interface.

GemForge (Gemini Tools)

Integrates Google's Gemini for advanced codebase analysis, web search, and processing of text, PDFs, and images.

GroundDocs

A version-aware documentation assistant that connects LLMs to trusted, real-time docs to reduce hallucinations and provide accurate, version-specific responses.

Web3 Playground & Sandbox - Learn, Develop, Test MCP Servers + Toolkit SDK

Free Solidity compiler & Web3 IDE with interactive tutorials. Learn blockchain development, deploy smart contracts to 8+ chains (Ethereum, Polygon, Base, Arbitrum, Solana). Templates for tokens, NFTs, DeFi, DAOs. Monaco Editor, AI assistance, WCAG accessible. Remix alternative. Gas optimization, MetaMask integration, open source. Beginner-friendly. MCP toolkit.

Raygun

Interact with your crash reporting and real using monitoring data on your Raygun account

ActionKit MCP Starter

A demonstration server for ActionKit, providing access to Slack actions via Claude Desktop.

Dify Workflow

A tool server for integrating Dify Workflows via the Model Context Protocol (MCP).

Micromanage

A server for managing sequential development tasks with configurable rules using external .mdc files.

Repomix

Packs code repositories into a single, AI-friendly file using the repomix tool.

TouchDesigner MCP

Control and operate TouchDesigner projects with AI agents using the Model Context Protocol.