ThreatByte-MCP

An intentionally vulnerable case management system designed for security training that provides MCP tools for SOC analyst workflows like case handling and indicator search. It enables users to explore and demonstrate common security weaknesses such as prompt injection, SQL injection, and broken authorization in an MCP-integrated environment.

README

ThreatByte-MCP

ThreatByte-MCP is a deliberately vulnerable, MCP-based case management web app. It mirrors a realistic SOC analyst workflow with a server-rendered UI and a real MCP server. The MCP tools are intentionally vulnerable for training and demonstration.

For educational use in controlled environments only.

Features

  • Safe web authentication (signup/login/logout)
  • Case management UI (create/list/view cases)
  • Notes and attachments tied to cases
  • Indicator search and agent workflows via MCP tools
  • Agent customization with schema-based tool registry

MCP Server (JSON-RPC)

ThreatByte-MCP is a split architecture:

  • SOC Web App (client/UI) runs on port 5001.
  • MCP Server (tools + agent) runs on port 5002.

The MCP server exposes JSON-RPC at POST http://localhost:5002/mcp (Streamable HTTP). Optional SSE is supported for streaming agent responses. The web UI calls the MCP server through a server-side proxy to keep auth consistent with the SOC session. A sample mcp.json manifest is included at the repo root.

Architecture (simplified):

          Browser
             |
             v
    +------------------+        X-TBMCP-Token + X-TBMCP-User        +--------------------+
    |  SOC Web App     |  ----------------------------------------> |     MCP Server     |
    |  (Flask, :5001)  |           /mcp-proxy (server-side)         |   (Flask, :5002)   |
    +------------------+                                            +--------------------+
             |                                                                |
             v                                                                v
         SQLite DB                                                      Tool registry
                                                                    Agent + tool handlers

Architecture (detailed):

Browser (Analyst)
  |
  v
SOC Web App (Flask, :5001)
  |  - Auth session (cookie)
  |  - Dashboards, cases, notes, files UI
  |  - /mcp-proxy forwards JSON-RPC
  |
  +--> SQLite DB
  |     - users, cases, notes, files, indicators
  |
  +--> Uploads (app/uploads)
  |
  v
MCP Server (Flask, :5002)
  |  - /mcp JSON-RPC (Streamable HTTP + SSE)
  |  - X-TBMCP-Token + X-TBMCP-User headers
  |
  +--> Tool registry (mcp_tools)
  |     - schema-based tools (poisonable)
  |
  +--> Agent runtime
  |     - prompt builder (hardcoded tokens)
  |     - LLM API call
  |
  +--> Persistence
        - agent_contexts (prompt store)
        - agent_logs (full request/response)

MCP Auth Between Web App and MCP Server

The web app proxies MCP calls with these headers:

  • X-TBMCP-Token: shared secret from TBMCP_MCP_SERVER_TOKEN (configured on both servers).
  • X-TBMCP-User: current user id from the authenticated SOC session.

Direct MCP calls require the same headers.

Supported tools:

  • cases.create
  • cases.list
  • cases.list_all
  • cases.get
  • cases.rename
  • cases.set_status
  • cases.delete
  • notes.create
  • notes.list
  • notes.update
  • notes.delete
  • files.upload (base64)
  • files.list
  • files.get (base64)
  • files.read_path
  • indicators.search
  • agent.summarize_case
  • agent.run_task
  • tools.registry.list
  • tools.builtin.list
  • tools.registry.register
  • tools.registry.delete

Vulnerability Themes (Training-Focused)

The following weaknesses are intentionally present for teaching:

  • Broken object level authorization (cases/notes/files, list_all)
  • Stored XSS (notes rendered as trusted HTML)
  • SQL injection in indicator search
  • Prompt injection in agent task runner
  • Token mismanagement & secret exposure (hardcoded tokens in prompts, persisted contexts, full logs)
  • Tool poisoning via schema-driven tool registry overrides (MCP03)
  • Over-trusting client context (MCP header identity spoofing)
  • Arbitrary file read via files.read_path
  • Cross-user file overwrite (shared filename namespace)
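The proxy-to-server exchange described under "MCP Auth Between Web App and MCP Server", together with the header-spoofing and broken-object-level-authorization themes above, as an added example that is not ThreatByte-MCP's own code. It assumes the standard MCP "tools/call" JSON-RPC method and a constructed cases table; the handler names, error codes and sample data are hypothetical.

```python
import hmac
import json
import os

# Shared secret, read on both sides from TBMCP_MCP_SERVER_TOKEN as the README describes;
# the fallback is a constructed placeholder so the example runs offline.
SHARED_TOKEN = os.environ.get("TBMCP_MCP_SERVER_TOKEN", "example-shared-token")

# Constructed sample data standing in for the cases table (case id -> owner user id).
CASES = {42: {"owner": 7, "title": "Phishing triage"}, 43: {"owner": 8, "title": "Malware sample"}}


def build_proxy_request(user_id, tool_name, arguments, request_id=1):
    """Proxy side (/mcp-proxy): wrap a tool call in a JSON-RPC 2.0 envelope and attach
    both headers. The user id comes from the SOC session, never from the browser request.
    'tools/call' is the standard MCP method name; ThreatByte-MCP's exact params are assumed."""
    headers = {
        "Content-Type": "application/json",
        "X-TBMCP-Token": SHARED_TOKEN,
        "X-TBMCP-User": str(user_id),
    }
    body = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool_name, "arguments": arguments}}
    return headers, json.dumps(body)


def authenticate_mcp_request(headers):
    """Server side: hypothetical check, not ThreatByte-MCP's own code.
    The user id is accepted only when the shared token verifies (constant-time compare),
    so a caller cannot spoof X-TBMCP-User without also holding the secret."""
    presented = headers.get("X-TBMCP-Token", "")
    if not hmac.compare_digest(presented.encode(), SHARED_TOKEN.encode()):
        return None
    user = headers.get("X-TBMCP-User", "")
    return int(user) if user.isdigit() else None


def handle_cases_get(headers, case_id):
    """Server-side handler for cases.get with object-level authorization: a case is
    returned only to its owner; other users get the same 'not found' as a missing id."""
    user = authenticate_mcp_request(headers)
    if user is None:
        return {"error": {"code": -32001, "message": "unauthorized"}}
    case = CASES.get(case_id)
    if case is None or case["owner"] != user:
        return {"error": {"code": -32002, "message": "case not found"}}
    return {"result": case}
```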

Running Locally

cd ThreatByte-MCP
python -m venv venv_threatbyte_mcp
source venv_threatbyte_mcp/bin/activate
pip install -r requirements.txt
python db/create_db_tables.py
python run_mcp_server.py
python run.py

Open: http://localhost:5001

MCP Server: http://localhost:5002/mcp

Populate Sample Data

python db/populate_db.py --users 8 --cases 20 --notes 40 --files 20

This creates random users, cases, notes, and file artifacts. All user passwords are Password123!.

LLM Integration (Required for Agent Responses)

The agent task endpoint requires a real LLM. Without an API key, the agent returns an error indicating it is unavailable.

Environment variables:

  • TBMCP_OPENAI_API_KEY or OPENAI_API_KEY
  • TBMCP_OPENAI_MODEL (default: gpt-4o-mini)

Keep API keys server-side only and never expose them in the browser.

MCP Server Configuration

The SOC web app proxies MCP calls to the MCP server using a shared token.

Environment variables:

  • TBMCP_MCP_SERVER_URL (default: http://localhost:5002/mcp)
  • TBMCP_MCP_SERVER_TOKEN (shared secret between the SOC app and MCP server)

Notes

  • The UI uses server-rendered templates.
  • MCP tools are exposed under http://localhost:5002/mcp (JSON-RPC). The UI calls them through /mcp-proxy.
  • This app is intentionally insecure. Do not deploy it to the public internet.
