Open-source MCP protocol-level security test harness (10 tests) #2430

msaleme · 2026-03-21T14:37:53Z

msaleme
Mar 21, 2026

Built an open-source security test harness that tests MCP servers at the JSON-RPC 2.0 wire level — not HTTP application-layer testing.

Supports two transports:

Streamable HTTP — python -m protocol_tests.mcp_harness --transport http --url http://localhost:8080/mcp
stdio — python -m protocol_tests.mcp_harness --transport stdio --command "node my-server.js"

10 tests across 7 categories:

Test	Category	What It Validates
MCP-001	Tool Discovery	`tools/list` integrity — scans for exfiltration URLs, hidden instructions in tool descriptions
MCP-002	Tool Discovery	Tool registration via `tools/call` injection — tries to register tools by calling non-existent ones
MCP-003	Capability Negotiation	`initialize` capability escalation — claims admin/bypass capabilities
MCP-004	Capability Negotiation	Protocol version downgrade — requests pre-2025-03-26 versions lacking OAuth 2.1
MCP-005	Resource Traversal	`resources/read` path traversal — `../../etc/passwd`, `/proc/self/environ`
MCP-006	Prompt Injection	`prompts/get` argument injection — exfiltration URLs in prompt arguments
MCP-007	Sampling	`sampling/createMessage` context exfiltration — attempts to extract API keys and secrets
MCP-008	Malformed Messages	Wrong JSON-RPC version, missing fields, empty methods, non-JSON input
MCP-009	DoS	1000-message batch bomb
MCP-010	Tool Injection	Tool call argument injection — SQL, command injection, prototype pollution

Zero external dependencies (Python 3.10+ stdlib only). JSON report generation. Statistical mode with Wilson score CIs (NIST AI 800-2 aligned).

Part of a larger framework (175 total tests) that also covers A2A protocol testing, GTG-1002 APT simulation, and 20 enterprise platform adapters.

https://github.com/msaleme/red-team-blue-team-agent-fabric

Feedback welcome — especially interested in:

OAuth 2.1 flow testing scenarios (per the 2025-03-26 spec update)
Transport-layer attacks (stdio injection, SSE spoofing)
Any MCP-specific attack patterns the community has seen in the wild

polterguy · 2026-04-02T17:52:33Z

polterguy
Apr 2, 2026

This is a useful direction because protocol-level testing helps make agent security concrete instead of philosophical.

One thing I hope these harnesses keep emphasizing is that the real boundary is not whether the model can be influenced, but whether influenced output can cross into authority without a narrower enforcement layer in between. In practice, a lot of failures seem to come from collapsing interpretation and execution into the same trust zone.

So tests for prompt or feature injection are great, but the most valuable ones may be the ones that reveal where capability scoping, default deny behavior, and tool mediation are still too soft.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Open-source MCP protocol-level security test harness (10 tests) #2430

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Open-source MCP protocol-level security test harness (10 tests) #2430

Uh oh!

msaleme Mar 21, 2026

Replies: 1 comment

Uh oh!

polterguy Apr 2, 2026

msaleme
Mar 21, 2026

polterguy
Apr 2, 2026