A deliberately vulnerable implementation of the Model Context Protocol (MCP) for educational purposes, featuring complete Docker integration and comprehensive hands-on learning materials.
Based on: Original DVMCP Repository - Enhanced with StreamableHTTP support, Docker integration, and comprehensive bug fixes.
The Damn Vulnerable Model Context Protocol (DVMCP) is an enhanced educational cybersecurity platform designed to demonstrate security vulnerabilities in MCP implementations. This fork includes major improvements:
- π StreamableHTTP Migration: All servers updated from legacy SSE to modern StreamableHTTP transport for better MCP client compatibility
- π³ Complete Docker Integration: Fully containerized environment with
docker-composesupport for one-command setup - π Bug Fixes: Resolved multiple server stability and compatibility issues from the original implementation
- π Comprehensive Learning Guide: Detailed
SOLUTIONS.mdwith step-by-step instructions for Claude Desktop - π‘οΈ Real-World Context: Each challenge includes real-world impact analysis and mitigation strategies
- π Educational Excellence: Enhanced for cybersecurity training, AI safety education, and MCP security research
This project contains 10 progressive challenges showcasing different types of MCP vulnerabilities, from basic prompt injection to sophisticated multi-vector attacks.
Target Audience: Security researchers, developers, AI safety professionals, cybersecurity students, and anyone building secure MCP implementations.
The Model Context Protocol (MCP) is a standardized protocol that allows applications to provide context for Large Language Models (LLMs) in a structured way. It separates the concerns of providing context from the actual LLM interaction, enabling applications to expose resources, tools, and prompts to LLMs.
- Docker & Docker Compose (recommended - works on all platforms)
- Node.js & NPM (for MCP client connectivity)
- Claude Desktop (primary supported client)
# Clone and start all 10 challenge servers
git clone <repository-url>
cd damn-vulnerable-MCP-server
docker-compose up -d# Check all servers are running
docker logs dvmcp-serverYou should see all 10 challenges starting successfully on ports 9001-9010.
π SOLUTIONS.md - Complete hands-on guide with:
- Exact Claude Desktop MCP configuration
- Step-by-step copy-paste instructions for each challenge
- Real-world vulnerability impact analysis
- Comprehensive mitigation strategies
- Success validation criteria
Want to master MCP development and security?
Check out the comprehensive course: Learn MCP (Model Context Protocol) - Course & A2A Bootcamp
π― Perfect for: Developers, AI Engineers, Security Professionals
π Includes: MCP development, security best practices, hands-on projects, and real-world applications
This platform demonstrates 10 critical MCP vulnerabilities that every developer should understand:
| Challenge | Difficulty | Vulnerability Type | Real-World Impact |
|---|---|---|---|
| 1 | π’ Easy | Prompt Injection | Customer data leaks, system compromise |
| 2 | π’ Easy | Tool Poisoning | Trojan marketplace apps, corporate espionage |
| 3 | π’ Easy | Excessive Permissions | Unauthorized file access, data breaches |
| 4 | π‘ Medium | Rug Pull Attacks | Supply chain compromises, long-term infiltration |
| 5 | π‘ Medium | Tool Shadowing | Impersonation attacks, namespace hijacking |
| 6 | π‘ Medium | Indirect Prompt Injection | Document-based attacks, email phishing |
| 7 | π‘ Medium | Token Theft | API credential leaks, service impersonation |
| 8 | π΄ Hard | Code Execution | System takeover, infrastructure compromise |
| 9 | π΄ Hard | Command Injection | Remote access, lateral movement |
| 10 | π΄ Hard | Multi-Vector Attacks | APT-style sophisticated breaches |
- Enterprise Adoption: Major companies integrating MCP into critical systems
- AI Agent Ecosystems: Autonomous agents with extensive MCP tool access
- Third-Party Integrations: Marketplace of MCP tools with varying security standards
- Regulatory Compliance: Growing requirements for AI system security auditing
damn-vulnerable-mcs/
βββ README.md # Project overview
βββ requirements.txt # Python dependencies
βββ challenges/ # Challenge implementations
β βββ easy/ # Easy difficulty challenges (1-3)
β β βββ challenge1/ # Basic Prompt Injection
β β βββ challenge2/ # Tool Poisoning
β β βββ challenge3/ # Excessive Permission Scope
β βββ medium/ # Medium difficulty challenges (4-7)
β β βββ challenge4/ # Rug Pull Attack
β β βββ challenge5/ # Tool Shadowing
β β βββ challenge6/ # Indirect Prompt Injection
β β βββ challenge7/ # Token Theft
β βββ hard/ # Hard difficulty challenges (8-10)
β βββ challenge8/ # Malicious Code Execution
β βββ challenge9/ # Remote Access Control
β βββ challenge10/ # Multi-Vector Attack
βββ docs/ # Documentation
β βββ setup.md # Setup instructions
β βββ challenges.md # Challenge descriptions
β βββ mcp_overview.md # MCP protocol overview
βββ solutions/ # Solution guides
βββ common/ # Shared code and utilities
Perfect for learning MCP security fundamentals:
Challenge 1: Prompt Injection - Learn how malicious input can manipulate LLM behavior
Challenge 2: Tool Poisoning - Discover hidden malicious instructions in tool descriptions
Challenge 3: Excessive Permissions - Exploit overly broad tool access controls
Build advanced attack skills:
Challenge 4: Rug Pull Attacks - Exploit tools that change behavior over time
Challenge 5: Tool Shadowing - Override legitimate tools with malicious ones
Challenge 6: Indirect Injection - Attack through external data sources
Challenge 7: Token Theft - Extract credentials from error messages and logs
Master sophisticated attack techniques:
Challenge 8: Code Execution - Execute arbitrary code through vulnerable tools
Challenge 9: Command Injection - Gain remote system access via command manipulation
Challenge 10: Multi-Vector - Chain multiple vulnerabilities for maximum impact
- π SOLUTIONS.md - Complete step-by-step walkthrough with Claude Desktop
- π solutions/ - Individual challenge solution guides
- π₯ MCP Course - Comprehensive MCP development and security training
- π³ Docker-First Approach: Complete containerization with multi-service orchestration
- π StreamableHTTP Migration: All 10 challenge servers updated from legacy SSE to modern StreamableHTTP transport
- π± Claude Desktop Integration: Native support for the most popular MCP client with tested configurations
- π Stability Improvements: Fixed server startup issues, port conflicts, and transport layer bugs
- π Educational Excellence: Comprehensive documentation with real-world context and step-by-step guides
- π‘οΈ Security Focus: Each vulnerability includes mitigation strategies and secure code examples
- Multi-Server Design: Each challenge runs as an independent service
- Port Isolation: Challenges 1-10 on dedicated ports 9001-9010
- Client Compatibility: Works with Claude Desktop, Cline, and other MCP clients
- Cross-Platform: Consistent experience across Windows, macOS, and Linux
π¨ EDUCATIONAL USE ONLY - This project contains intentionally vulnerable code for learning purposes.
- β Allowed: Security research, education, training, vulnerability demonstration
- β Prohibited: Using these vulnerabilities against production systems
- π‘οΈ Responsibility: Always implement proper security measures in real applications
Created by Harish Santhanalakshmi Ganesan using Cursor IDE and Manus AI.
- StreamableHTTP migration and Docker integration
- Comprehensive SOLUTIONS.md guide
- Real-world security context and mitigation strategies
- Claude Desktop compatibility and testing
This project is enhanced for use with the Learn MCP Course, providing hands-on practical experience for MCP security learning.
This project is licensed under the MIT License - see the LICENSE file for details.
Ready to start learning MCP security? π
- Run
docker-compose up -d - Follow SOLUTIONS.md
- Master MCP security step-by-step!