MCP.so
ログイン

Web Application Penetration Testing MCP

@yallasec

Web Application Penetration Testing MCP について

概要はまだありません

基本情報

カテゴリ

その他

ランタイム

python

トランスポート

stdio

公開者

yallasec

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "mcp_server_pt": {
      "command": "python",
      "args": [
        "web_app_mcp.py",
        "https://example.com"
      ]
    }
  }
}

ツール

ツールは検出されませんでした

ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。

概要

What is Web Application Penetration Testing MCP?

Web Application Penetration Testing MCP is a command-line tool that systematically crawls, analyzes, and identifies security vulnerabilities in web applications, with a primary focus on business logic flaws that standard scanners often miss. It builds a complete map of the application’s structure, maps links, forms, and interactive elements, and surfaces potential issues such as IDOR, calculation edge cases, and permission problems. It is intended for penetration testers and security researchers who need deeper, context-aware analysis of web apps.

How to use Web Application Penetration Testing MCP?

Install by cloning the repository and running pip install -r requirements.txt. Then run python web_app_mcp.py <target_url>. Common options include --username and --password for authenticated scanning, --visual to generate a DOT‑format sitemap, --delay to rate‑limit requests, and --max-pages to limit crawl depth. Output is saved to mcp_results.json by default.

Key features of Web Application Penetration Testing MCP

  • Automatically builds a tree structure of the entire web application
  • Detects login/logout pages and supports cookie and bearer token authentication
  • Identifies IDOR, calculation edge cases, and multi‑step workflow issues
  • Discovers hidden fields and generates test values based on input field type
  • Produces visual sitemaps in DOT format (viewable with Graphviz)

Use cases of Web Application Penetration Testing MCP

  • Identify insecure direct object references (IDOR) in user profile pages
  • Detect mathematical edge cases in financial or calculation‑based workflows
  • Map multi‑step processes (e.g., checkout flows) for manipulation testing
  • Discover permission and access control issues across protected areas
  • Generate a visual sitemap to understand complex application structure

FAQ from Web Application Penetration Testing MCP

What types of vulnerabilities does the tool detect?

It focuses on business logic vulnerabilities: IDOR, calculation edge cases, multi‑step workflow manipulation, and permission/access control issues. It also identifies hidden fields and generates context‑aware test values.

How do I scan a page that requires authentication?

Use the --username and --password flags to provide login credentials, or pass a cookie string with --cookies. The tool automatically detects login/logout pages and handles cookie‑based and bearer token authentication.

What output does the tool produce after a scan?

A JSON file (mcp_results.json by default) containing the complete application structure, authentication mechanisms, identified input fields, multi‑step workflows, potential edge cases, and business logic analysis results.

Can I generate a visual representation of the site map?

Yes. Use the --visual flag to produce a sitemap.dot file. Convert it to PNG with Graphviz: dot -Tpng sitemap.dot -o sitemap.png.

How can I control the scan speed and depth?

Use --delay to set the delay between requests (default 0.5 seconds) and --max-pages to limit how many pages are crawled (default 100). You can also specify a starting path and use --max-depth to limit nested traversal.

コメント

「その他」の他のコンテンツ