MCP Servers

hackbrowser-mcp

Enables AI agents to perform security testing on web applications by controlling a Firefox browser with 39 security tools, including injection testing and access control analysis.

README

<h3 align="center">The first browser MCP built for security testing.</h3>

Other browser MCPs let your AI fill forms and take screenshots. This one lets it find vulnerabilities.

<a href="#what-it-does">What It Does</a> • <a href="#how-its-different">How It's Different</a> • <a href="#quick-start">Quick Start</a> • <a href="#workflow-examples">Examples</a> • <a href="#tools-reference-39-tools">Tools</a> • <a href="#architecture">Architecture</a>

What It Does

hackbrowser-mcp gives your AI agent a real Firefox browser and 39 security testing tools via the Model Context Protocol. The agent can launch the browser, browse a target, capture all traffic, and test for vulnerabilities — all through natural language.

You: "Log in as admin and as a regular user. Find endpoints the user shouldn't access."

Agent: → launches Firefox
       → creates two isolated containers (admin + user)
       → logs in both accounts
       → browses the app, captures traffic
       → compares responses across roles
       → "User can access GET /api/admin/users — should return 403, returns 200"

The AI handles the entire workflow: launching the browser, managing sessions, discovering endpoints, testing parameters, and generating a security report. You describe what to test. It does the rest.

How It's Different

There are dozens of browser MCPs. They all do the same thing: let an LLM navigate pages, click buttons, and extract text. They're built for automation — filling forms, scraping data, running UI tests.

None of them can test for vulnerabilities. That's the gap hackbrowser-mcp fills.

<table> <thead> <tr> <th></th> <th>Other Browser MCPs</th> <th>hackbrowser-mcp</th> </tr> </thead> <tbody> <tr> <td>Purpose</td> <td>Web automation, scraping, form filling</td> <td>Security testing, vulnerability assessment</td> </tr> <tr> <td>Sessions</td> <td>Single session</td> <td>2-4 isolated containers with separate cookies, storage, and auth</td> </tr> <tr> <td>Traffic</td> <td>Read-only network tab (if any)</td> <td>Full HAR capture + replay with modifications</td> </tr> <tr> <td>Security tools</td> <td>None</td> <td>14 tools: injection testing, CSRF, IDOR, access matrix, report generation</td> </tr> <tr> <td>Injection testing</td> <td>Not possible</td> <td>7 types, 60+ payloads, technique-labeled results</td> </tr> <tr> <td>Access control</td> <td>Not possible</td> <td>Cross-role comparison, endpoint access matrix, IDOR detection</td> </tr> <tr> <td>Browser</td> <td>Chromium (CDP)</td> <td>Firefox (WebDriver BiDi) — different engine catches different bugs</td> </tr> <tr> <td>Anti-detection</td> <td>Varies</td> <td>Stealth mode built-in (fingerprint, UA, WebGL spoofing)</td> </tr> </tbody> </table>

<details> <summary>Specific comparisons with popular projects</summary>

Project	Stars	What it does	What it can't do
playwright-mcp	29k	Navigate, click, type, screenshot via accessibility tree	No multi-session, no traffic capture, no security testing
browser-use	81k	AI completes web tasks (shopping, forms, research)	Single agent action, no HAR, no injection testing
stagehand	22k	act/extract/observe SDK for browser automation	No security tools, no container isolation
chrome-devtools-mcp	29k	DevTools debugging, performance analysis, network monitoring	Read-only network, no replay, no active testing
browser-tools-mcp	7k	Console, network, audit monitoring for coding agents	IDE-focused, no offensive testing capability
mcp-playwright	5k	Multi-browser test automation + scraping	No security awareness, no access control analysis

All of these are excellent tools for their intended purpose. hackbrowser-mcp doesn't replace them — it serves a completely different use case.

</details>

Core Capabilities

Multi-Container Isolation

Run 2-4 browser sessions simultaneously, each with completely isolated state. This is the foundation for access control testing.

┌────────────────────────────────────────────────────────┐
│                     Firefox Instance                    │
├───────────────┬───────────────┬────────────────────────-┤
│  Container 1  │  Container 2  │  Container 3            │
│  role: admin  │  role: user   │  role: guest             │
│               │               │                         │
│  cookies: A   │  cookies: B   │  cookies: none          │
│  storage: A   │  storage: B   │  storage: none          │
│  session: ✓   │  session: ✓   │  session: ✗             │
└───────────────┴───────────────┴─────────────────────────┘

compare_access → "GET /api/admin/users returns 200 for user (expected 403)"
access_matrix  → role × endpoint grid showing every authorization gap

Traffic Intelligence

Every HTTP request and response is captured, stored, and queryable. Replay any request with modifications.

Browser → Network Interceptor → In-Memory Store (10K max, FIFO)
                                       │
                             ┌─────────┴──────────┐
                             │                     │
                       Auto-save (60s)       Replay / modify
                             │                     │
                             ▼                     ▼
                       HAR file (disk)      replay_request
                             │              (change method,
                       Resume on restart     headers, body)

Active Security Testing

Discover injection points from captured traffic, then test them with 60+ payloads across 7 vulnerability types.

Type	Payloads	Techniques
SQLi	9	Error-based, union, time-based blind (MSSQL/MySQL/Postgres), boolean-blind
XSS	8	Reflected script, event handler, SVG, JS context, HTML5 events, iframe
SSTI	8	Jinja2, Freemarker, ERB, Angular sandbox, Spring EL, Vue
SSRF	8	Localhost variants (IPv4/v6/hex/octal), AWS/GCP/Azure metadata, DNS rebind
CMDi	8	Semicolon, pipe, backtick, subshell, newline, quote-break
LFI	8	Path traversal, double-dot, /proc/environ, PHP filter, double-encode
HTML Injection	6	Tag injection, form injection, style overlay, meta redirect

When built-in payloads get blocked, the AI agent analyzes the WAF response and crafts custom bypass payloads using replay_request.

Quick Start

Install

git clone https://github.com/user/hackbrowser-mcp.git
cd hackbrowser-mcp
bun install

Connect to your AI agent

<details> <summary>Claude Desktop / Claude Code</summary>

Add to your MCP config (~/.claude/claude_desktop_config.json):

{
  "mcpServers": {
    "hackbrowser": {
      "command": "bun",
      "args": ["run", "/path/to/hackbrowser-mcp/src/index.ts", "--mcp"]
    }
  }
}

</details>

<details> <summary>Cursor / Continue / other MCP clients</summary>

Same config format. Point the command to your installation path.

</details>

<details> <summary>Standalone (no AI agent)</summary>

bun run src/index.ts --launch              # GUI mode
bun run src/index.ts --launch --headless   # headless
bun run src/index.ts --mcp                 # MCP server (stdio)

</details>

Start testing

You: "Launch the browser and scan https://target.com for vulnerabilities"

That's it. The agent handles the rest.

Workflow Examples

Full Security Scan

You: "Crawl https://app.com, find injection points, test them, generate a report."

Agent: browser_launch → navigate → crawl (100 pages)
       → find_injection_points → test_injection (SQLi, XSS)
       → test_csrf → test_rate_limit
       → generate_report
       → "Found 3 XSS, 1 SQLi, 2 missing CSRF tokens"

IDOR / Access Control Audit

You: "Login as admin and regular user. Find what the user shouldn't access."

Agent: container_setup (admin + user) → container_login (both)
       → navigate admin pages → compare_access
       → access_matrix
       → "User can reach GET /api/admin/users (200 instead of 403)"

WAF Bypass

You: "Test the search param for XSS. Bypass any WAF."

Agent: test_injection {types: ["xss"]} → all blocked
       → analyzes response: <script> stripped, events filtered
       → replay_request with <details/open/ontoggle=alert(1)> → REFLECTED
       → "Confirmed XSS via HTML5 ontoggle event bypass"

Offline HAR Analysis

You: "Import this HAR file and find injection candidates."

Agent: import_har → get_endpoints (87 found)
       → find_injection_points (23 candidates)
       → test_injection → "2 reflected XSS confirmed"

Tools Reference (39 tools)

<details> <summary>Browser Control (3)</summary>

Tool	Description
`browser_launch`	Launch Firefox with managed profile
`browser_close`	Close browser, auto-export HAR
`browser_status`	Protocol, containers, tab count, captured requests

</details>

<details> <summary>Containers (3)</summary>

Tool	Description
`container_setup`	Create 1-4 containers with roles and credentials
`container_login`	Login for a container (programmatic or manual)
`container_list`	List containers with auth status

</details>

<details> <summary>Navigation (4)</summary>

Tool	Description
`navigate`	Go to URL in a container tab
`go_back` / `go_forward`	Browser history navigation
`wait_for`	Wait for selector, URL, network idle, or JS condition

</details>

<details> <summary>Interaction (7)</summary>

Tool	Description
`click`	Click by CSS selector or text content
`type_text`	Type into input fields
`select_option`	Select dropdown value
`submit_form`	Submit a form
`scroll`	Scroll page or element
`hover`	Hover over element
`press_key`	Keyboard keys (Enter, Tab, Escape, etc.)

</details>

<details> <summary>Page Inspection (4)</summary>

Tool	Description
`screenshot`	Capture PNG screenshot
`get_page_source`	Full HTML source
`get_dom_tree`	Simplified DOM tree (LLM-friendly)
`evaluate_js`	Execute JavaScript and return result

</details>

<details> <summary>Traffic Capture (5)</summary>

Tool	Description
`get_requests`	List captured requests with filters (URL, method, status, MIME)
`get_response`	Full request/response details by ID
`get_endpoints`	Auto-discovered API endpoints with parameter templates
`export_har`	Save traffic as HAR 1.2 file
`import_har`	Load HAR from previous session

</details>

<details> <summary>Security Analysis (4)</summary>

Tool	Description
`compare_access`	Cross-container IDOR / broken authorization detection
`access_matrix`	Role x endpoint access grid
`find_injection_points`	Identify injectable params across 10 vuln types
`replay_request`	Replay with modified method, headers, body, URL

</details>

<details> <summary>Active Testing (3)</summary>

Tool	Description
`test_injection`	7 types, 60+ payloads, technique-labeled results
`test_csrf`	Replay without CSRF tokens
`test_rate_limit`	Rapid-fire requests, check for 429

</details>

<details> <summary>Auth Detection (3)</summary>

Tool	Description
`detect_auth`	Check session validity
`detect_login_form`	Find login form fields and CSRF token
`auto_login`	Auto-fill and submit login

</details>

<details> <summary>Discovery (2)</summary>

Tool	Description
`crawl`	BFS spider with form discovery and API extraction
`get_sitemap`	Return crawl results

</details>

<details> <summary>Reporting (1)</summary>

Tool	Description
`generate_report`	Security report (markdown/HTML) with findings and evidence

</details>

Library Usage

Use hackbrowser-mcp as a TypeScript library for custom tooling:

import {
  launchFirefox, closeFirefox,
  NetworkInterceptor, BrowserInteraction, Crawler,
  extractEndpoints, findInjectionPoints, testInjection,
  compareAccess, generateReport,
  buildHar, saveHar, loadHar,
} from "hackbrowser-mcp";

// Offline HAR analysis
const har = await loadHar("./capture.har");
const requests = harEntriesToRequests(har.log.entries);
const endpoints = extractEndpoints(requests);
const points = findInjectionPoints(requests);

console.log(`${endpoints.length} endpoints, ${points.length} injection candidates`);

Architecture

src/
├── browser/                 Firefox control
│   ├── bidi-client.ts       WebDriver BiDi protocol
│   ├── cdp-client.ts        CDP fallback
│   ├── launcher.ts          Binary detection + profile setup
│   ├── container-manager.ts Container isolation + extension WS
│   ├── interaction.ts       Click, type, scroll, hover
│   ├── crawler.ts           BFS spider
│   └── auth-detector.ts     Session detection
├── capture/                 Traffic
│   ├── network-interceptor.ts  Capture + auto-save (10K cap)
│   ├── har-builder.ts          HAR 1.2 builder
│   └── har-storage.ts          HAR I/O + merge
├── analysis/                Security engines
│   ├── active-tester.ts     60+ injection payloads
│   ├── injection-mapper.ts  Param → vuln type mapping
│   ├── endpoint-extractor.ts  API endpoint discovery
│   ├── container-differ.ts  Cross-role comparison
│   ├── access-matrix.ts     Role x endpoint matrix
│   └── report-generator.ts  Report formatting
├── protocol/
│   ├── tools.ts             39 tool definitions (Zod schemas)
│   └── mcp-server.ts        MCP stdio transport
└── types/                   TypeScript types

Design decisions:

Firefox + BiDi first — Native Firefox protocol. Different rendering engine catches bugs Chrome-based tools miss. CDP available as fallback.
Container isolation — Firefox Multi-Account Containers for true session separation. Not separate browser instances.
Server-side fetch for testing — Active testing uses fetch() outside the browser to avoid polluting browser state.
HAR 1.2 standard — Import/export for session continuity. Auto-save every 60s, resume on restart.
Memory-bounded — 10K entry cap with FIFO eviction. 30s fetch timeout.
Stealth by default — navigator.webdriver, UA, plugins, WebGL fingerprint all spoofed.

Limitations

Firefox only (container isolation requires Firefox Multi-Account Containers)
macOS / Linux (Windows not tested)
One Firefox instance per port
WebSocket frames not captured (only upgrade request)

For authorized security testing only. Always obtain proper permission before testing any application.

<a href="LICENSE">MIT License</a> • Built with Bun + TypeScript

Recommended Servers

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official

Featured

TypeScript

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official

Featured

Local

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official

Featured

TypeScript

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official

Featured

Python

E2B

Using MCP to run code via e2b.

Official

Featured

Neon Database

MCP server for interacting with Neon Management API and databases

Official

Featured

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official

Featured

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official

Featured