Overview
What is MCP Server Pentest?
MCP Server Pentest is an MCP server that automates browser-based security vulnerability detection (XSS and SQL injection) and provides comprehensive browser automation capabilities. It is intended for security testers and developers who need to scan web applications for common vulnerabilities and interact with browser pages programmatically.
How to use MCP Server Pentest?
Install dependencies with npx playwright install firefox, then run yarn install and npm run build. The installation automatically adds a configuration entry to your Claude config file, which points to the built server script. Once configured, you can invoke its tools from Claude.
Key features of MCP Server Pentest
- Automatic XSS and SQL injection vulnerability detection
- Full page and element screenshots
- Browser navigation, clicking, hovering, form filling, and selection
- Console log monitoring
- JavaScript execution in the browser context
Use cases of MCP Server Pentest
- Scanning web application URLs for reflected XSS vulnerabilities
- Testing for SQL injection vulnerabilities in URL parameters
- Automating browser interactions during security audits
- Capturing screenshots of web pages or specific elements for documentation
- Executing custom JavaScript to inspect or modify page behavior
FAQ from MCP Server Pentest
What vulnerability detection tools are available?
The server provides broser_url_reflected_xss for XSS testing and browser_url_sql_injection for SQL injection testing. Both accept a URL and a parameter name.
How do I install and configure the server?
Run npx playwright install firefox, then yarn install and npm run build. The installation automatically adds a configuration entry to your Claude MCP settings file with the server command pointing to the built dist/index.js.
What browser automation tools does it offer?
Tools include browser_navigate, browser_screenshot, browser_click, browser_click_text, browser_hover, browser_hover_text, browser_fill, browser_select, browser_select_text, and browser_evaluate for executing JavaScript.
Does it support console log monitoring?
Yes, console log monitoring is listed as a feature, though no dedicated tool is documented for it.
What are the runtime dependencies?
The server requires Node.js, Playwright (specifically Firefox), and the packages installed via yarn install and npm run build.