A practical, community-driven checklist for pentesting Model Context Protocol (MCP) servers. This guide covers local and remote MCP server risks, traffic analysis, tool-call behaviors, context boundaries, authorization flows, and unsafe code paths.
Originally created for the OWASP Bay Area talk on Pentesting MCP Servers (Oct 2025), this checklist is designed for practitioners performing assessments on MCP-based tools, agents, and integrations.
MCP servers are becoming the new execution layer for AI agents. This means they expose:
- File system access
- Tool execution
- Remote APIs
- STDIO and HTTP bridges
- Autonomous actions initiated by LLMs
Because of this, MCP servers introduce a wide attack surface that security testers need structured guidance for. This checklist helps you perform systematic and repeatable assessments.
- Secrets, PII, API keys in local files
- Dangerous functions (eval/exec)
- Namespace abuse
- Tool output mixed with user input
- Version pinning vs “latest” MCP versions
- URL redirection boundaries
- Data boundary validation
- Authorization and tenant isolation
- Code execution via redirect flows
- API telemetry consistency
- Inspect STDIO using proxy clients
- Inspect HTTP-based MCP servers
- Detect appended context or unexpected tool chaining
- Use the PDF checklist for field assessments
- Fork and adapt it for your team
- Submit PRs with improvements
- Open issues for new MCP attack patterns
- Checklist (PDF) — (/Pentesting MCP Servers - Checklist v1.0.pdf)
We welcome:
- New checklist items
- Additional MCP server categories
- Tooling contributions
- Red-team test cases
- Sanitized findings
This project is licensed under CC BY 4.0. You may remix, adapt, and build upon this checklist for any purpose, even commercially, as long as you provide attribution.
Appsecco
