FOR SECURITY TESTING ONLY

DVMCP

Damn Vulnerable MCP Server

The deliberately insecure MCP server for security testing, education, and CIS benchmark validation. Map every vulnerability in the OWASP MCP Top 10.

Run Security Scan View on GitHub DVMCP Pro

10 Vulnerabilities

12 OWASP Checks

22 CIS Controls

Standards-Backed

Built on real security standards, not just best guesses.

OWASP

MCP Security Cheat Sheet

Section 7 -- implementation reference for MCP message signing and tool verification.

View Cheat Sheet

IETF

6 Internet-Drafts

MCP security, agent trust, ATTP, agent identity, audit trails, and agent transport -- all submitted to the IETF.

View Internet-Draft

OpenID Foundation

Agent Identity Claims

IETF Internet-Draft submitted extending OpenID Connect for autonomous AI agent identity verification.

Security Scanner

Run a live OWASP MCP Top 10 scan against this server from your browser.

Total

Pass

Fail

Time

Vulnerabilities

10 intentional vulnerabilities covering every OWASP MCP Top 10 category.

ID	Vulnerability	Severity	OWASP MCP
MCP-001	No authentication on any endpoint	Critical	MCP-07
MCP-002	Tool definition tampering (rug pull)	Critical	MCP-01
MCP-003	Command injection via tool arguments	Critical	MCP-04
MCP-004	No input validation	High	MCP-04
MCP-005	SSRF via resources/read	Critical	MCP-06
MCP-006	Data exfiltration (no response limits)	High	MCP-06
MCP-007	Replay attacks (no nonce/timestamp)	High	MCP-08
MCP-008	No rate limiting	Medium	MCP-09
MCP-009	Privilege escalation via sampling	Critical	MCP-03
MCP-010	Sensitive tools exposed	High	MCP-09

Tools Exposed

Every tool this server exposes, and the risk each one carries.

Tool	Risk	What it does
run_command	Critical	Executes arbitrary shell commands
search_files	Critical	Command injection via find pattern
fetch_url	Critical	SSRF -- fetches any URL server-side
read_file	Critical	Reads any file (path traversal)
write_file	Critical	Writes to any file
query_database	Critical	SQL injection vector
list_processes	High	Exposes running processes
get_env_vars	Critical	Leaks all environment variables
admin_panel	Critical	Unauthenticated admin access
get_weather	Medium	Safe tool (rug pull target)

Test It

Try the MCP endpoints directly with curl.

Initialize

curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{"clientInfo":{"name":"test"}}}'

List Tools

curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","id":2}'

Command Injection

curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/call","id":3,"params":{"name":"run_command","arguments":{"command":"whoami"}}}'

Read /etc/passwd

curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/call","id":4,"params":{"name":"read_file","arguments":{"path":"/etc/passwd"}}}'

Run Locally (Recommended)

For security testing, always use the Docker image locally. Do not point scanning tools at the hosted site.

Docker

docker pull razas/dvmcp
docker run -p 3001:3001 razas/dvmcp

Verify: docker inspect razas/dvmcp --format '{{.Id}}'
Expected: sha256:fd3c41f4c44dd31b62fe9e963d48f5977d38a937d7caba66913719618cf66c27
License: BSL 1.1 -- Educational and security training use only. Commercial use requires Pro license.

Then visit http://localhost:3001

Usage Guide

How to use DVMCP for MCP security testing and education.

1. Run Locally

Pull the Docker image and run on your machine. This is the recommended approach for all security testing.

docker pull razas/dvmcp
docker run -p 3001:3001 razas/dvmcp

sha256:fd3c41f4c44dd31b62fe9e963d48f5977d38a937d7caba66913719618cf66c27

2. Scan with security tools

Point your preferred security scanner at your local DVMCP instance. Import the MCP server URL and run active + passive scans.

Target: http://localhost:3001
Method: MCP Server Import

3. Scan with CLI

Use the agentpass-pentest tool to run all 12 OWASP MCP Top 10 checks.

pip install agentpass-pentest
agentpass-pentest -t http://localhost:3001 --owasp-mcp

4. Manual Testing

Use curl or any HTTP client to send JSON-RPC requests directly to the MCP endpoint.

curl -X POST http://localhost:3001 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'

Disclaimer

Important -- Read Before Use

DVMCP is a deliberately vulnerable application designed for security testing and educational purposes only.
Do NOT deploy DVMCP in any production environment or on any network accessible to untrusted users.
Do NOT point automated scanning tools at the hosted version (dvmcp.co.uk). Use the Docker image locally for all security testing.
The hosted version at dvmcp.co.uk is for personal, educational, and non-commercial use only. Use of the hosted service as part of, or in conjunction with, any commercial product or service is prohibited without a license from CyberSecAI Ltd.
CyberSecAI Ltd accepts no liability for any damage, loss, or legal consequences arising from the use or misuse of this software.
By using DVMCP you accept full responsibility for your actions and agree to use it only in environments you are authorised to test.
DVMCP is licensed under the Business Source License 1.1. Free for non-commercial use. Commercial use requires a separate license from CyberSecAI Ltd.
This software is provided "as is" without warranty of any kind, express or implied.
DVMCP is an independent project. It is not affiliated with, endorsed by, or associated with Anthropic, the Model Context Protocol project, or the Linux Foundation.

References

Standards, specifications, and tools behind DVMCP.

OWASP MCP Security Cheat Sheet
Section 7 -- MCP Message Signing
IETF draft-sharif-mcps-secure-mcp
MCP Message Signing
CIS MCP Security Benchmark
22 controls, 6 sections (Community Draft)
MCP Specification
Model Context Protocol
DVMCP on GitHub
Source code and documentation
Cybersecify
MCP Security Scanner with CIS Benchmark

DVMCP Pro

Enterprise MCP security training platform. Everything in Community, plus:

Community Edition FREE

10 vulnerabilities
12 OWASP MCP Top 10 checks
Self-hosted Docker image
Browser-based scanner
curl test examples
BSL 1.1 License (view)

Get Community Edition

COMING SOON

Pro Edition

Everything in Community, plus:
25+ vulnerabilities
CIS MCP Benchmark integration (22 controls)
Guided training modules (fix each vuln step-by-step)
Team scoreboard and progress tracking
Custom vulnerability injection
OWASP MCP Top 10 mapping per vulnerability
EU AI Act compliance mapping
PDF and JSON report export
Dedicated hosted instances (per-org)
Slack and webhook notifications
Priority support

Request Early Access