Damn Vulnerable Model Context Protocol (DVMCP)

Damn Vulnerable Model Context Protocol (DVMCP)

An educational project that deliberately implements vulnerable MCP servers to demonstrate various security risks like prompt injection, tool poisoning, and code execution for training security researchers and AI safety professionals.

Category
Visit Server

README

Damn Vulnerable Model Context Protocol (DVMCP)

A deliberately vulnerable implementation of the Model Context Protocol (MCP) for educational purposes.

Overview

The Damn Vulnerable Model Context Protocol (DVMCP) is an educational project designed to demonstrate security vulnerabilities in MCP implementations. It contains 10 challenges of increasing difficulty that showcase different types of vulnerabilities and attack vectors.

This project is intended for security researchers, developers, and AI safety professionals to learn about potential security issues in MCP implementations and how to mitigate them.

What is MCP?

The Model Context Protocol (MCP) is a standardized protocol that allows applications to provide context for Large Language Models (LLMs) in a structured way. It separates the concerns of providing context from the actual LLM interaction, enabling applications to expose resources, tools, and prompts to LLMs.

Recommended MCP Clients

CLINE - VSCode Extension refer this https://docs.cline.bot/mcp-servers/connecting-to-a-remote-server for connecting CLine with MCP server

getting started

once you have cloned the repository, run the following commands:

docker build -t dvmcp .
docker run -p 9001-9010:9001-9010 dvmcp

Security Risks

While MCP provides many benefits, it also introduces new security considerations. This project demonstrates various vulnerabilities that can occur in MCP implementations, including:

  1. Prompt Injection: Manipulating LLM behavior through malicious inputs
  2. Tool Poisoning: Hiding malicious instructions in tool descriptions
  3. Excessive Permissions: Exploiting overly permissive tool access
  4. Rug Pull Attacks: Exploiting tool definition mutations
  5. Tool Shadowing: Overriding legitimate tools with malicious ones
  6. Indirect Prompt Injection: Injecting instructions through data sources
  7. Token Theft: Exploiting insecure token storage
  8. Malicious Code Execution: Executing arbitrary code through vulnerable tools
  9. Remote Access Control: Gaining unauthorized system access
  10. Multi-Vector Attacks: Combining multiple vulnerabilities

Project Structure

damn-vulnerable-mcs/
├── README.md                 # Project overview
├── requirements.txt          # Python dependencies
├── challenges/               # Challenge implementations
│   ├── easy/                 # Easy difficulty challenges (1-3)
│   │   ├── challenge1/       # Basic Prompt Injection
│   │   ├── challenge2/       # Tool Poisoning
│   │   └── challenge3/       # Excessive Permission Scope
│   ├── medium/               # Medium difficulty challenges (4-7)
│   │   ├── challenge4/       # Rug Pull Attack
│   │   ├── challenge5/       # Tool Shadowing
│   │   ├── challenge6/       # Indirect Prompt Injection
│   │   └── challenge7/       # Token Theft
│   └── hard/                 # Hard difficulty challenges (8-10)
│       ├── challenge8/       # Malicious Code Execution
│       ├── challenge9/       # Remote Access Control
│       └── challenge10/      # Multi-Vector Attack
├── docs/                     # Documentation
│   ├── setup.md              # Setup instructions
│   ├── challenges.md         # Challenge descriptions
│   └── mcp_overview.md       # MCP protocol overview
├── solutions/                # Solution guides
└── common/                   # Shared code and utilities

Getting Started

See the Setup Guide for detailed instructions on how to install and run the challenges.

Challenges

The project includes 10 challenges across three difficulty levels:

Easy Challenges

  1. Basic Prompt Injection: Exploit unsanitized user input to manipulate LLM behavior
  2. Tool Poisoning: Exploit hidden instructions in tool descriptions
  3. Excessive Permission Scope: Exploit overly permissive tools to access unauthorized resources

Medium Challenges

  1. Rug Pull Attack: Exploit tools that change their behavior after installation
  2. Tool Shadowing: Exploit tool name conflicts to override legitimate tools
  3. Indirect Prompt Injection: Inject malicious instructions through data sources
  4. Token Theft: Extract authentication tokens from insecure storage

Hard Challenges

  1. Malicious Code Execution: Execute arbitrary code through vulnerable tools
  2. Remote Access Control: Gain remote access to the system through command injection
  3. Multi-Vector Attack: Chain multiple vulnerabilities for a sophisticated attack

See the Challenges Guide for detailed descriptions of each challenge.

Solutions

Solution guides are provided for educational purposes. It's recommended to attempt the challenges on your own before consulting the solutions.

See the Solutions Guide for detailed solutions to each challenge.

Disclaimer

This project is for educational purposes only. The vulnerabilities demonstrated in this project should never be implemented in production systems. Always follow security best practices when implementing MCP servers.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

This project is created by Harish Santhanalakshmi Ganesan using cursor IDE and Manus AI.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured