Web Application Penetration Testing MCP
@yallasec
About Web Application Penetration Testing MCP
No overview available yet
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"mcp_server_pt": {
"command": "python",
"args": [
"web_app_mcp.py",
"https://example.com"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Web Application Penetration Testing MCP?
Web Application Penetration Testing MCP is a command-line tool that systematically crawls, analyzes, and identifies security vulnerabilities in web applications, with a primary focus on business logic flaws that standard scanners often miss. It builds a complete map of the application’s structure, maps links, forms, and interactive elements, and surfaces potential issues such as IDOR, calculation edge cases, and permission problems. It is intended for penetration testers and security researchers who need deeper, context-aware analysis of web apps.
How to use Web Application Penetration Testing MCP?
Install by cloning the repository and running pip install -r requirements.txt. Then run python web_app_mcp.py <target_url>. Common options include --username and --password for authenticated scanning, --visual to generate a DOT‑format sitemap, --delay to rate‑limit requests, and --max-pages to limit crawl depth. Output is saved to mcp_results.json by default.
Key features of Web Application Penetration Testing MCP
- Automatically builds a tree structure of the entire web application
- Detects login/logout pages and supports cookie and bearer token authentication
- Identifies IDOR, calculation edge cases, and multi‑step workflow issues
- Discovers hidden fields and generates test values based on input field type
- Produces visual sitemaps in DOT format (viewable with Graphviz)
Use cases of Web Application Penetration Testing MCP
- Identify insecure direct object references (IDOR) in user profile pages
- Detect mathematical edge cases in financial or calculation‑based workflows
- Map multi‑step processes (e.g., checkout flows) for manipulation testing
- Discover permission and access control issues across protected areas
- Generate a visual sitemap to understand complex application structure
FAQ from Web Application Penetration Testing MCP
What types of vulnerabilities does the tool detect?
It focuses on business logic vulnerabilities: IDOR, calculation edge cases, multi‑step workflow manipulation, and permission/access control issues. It also identifies hidden fields and generates context‑aware test values.
How do I scan a page that requires authentication?
Use the --username and --password flags to provide login credentials, or pass a cookie string with --cookies. The tool automatically detects login/logout pages and handles cookie‑based and bearer token authentication.
What output does the tool produce after a scan?
A JSON file (mcp_results.json by default) containing the complete application structure, authentication mechanisms, identified input fields, multi‑step workflows, potential edge cases, and business logic analysis results.
Can I generate a visual representation of the site map?
Yes. Use the --visual flag to produce a sitemap.dot file. Convert it to PNG with Graphviz: dot -Tpng sitemap.dot -o sitemap.png.
How can I control the scan speed and depth?
Use --delay to set the delay between requests (default 0.5 seconds) and --max-pages to limit how many pages are crawled (default 100). You can also specify a starting path and use --max-depth to limit nested traversal.
More Other MCP servers
Inbox Zero AI MCP
elie222The world's best AI personal assistant for email. Open source app to help you reach inbox zero fast.
Awesome-MCP-ZH
yzflyMCP 资源精选, MCP指南,Claude MCP,MCP Servers, MCP Clients
Maestro
mobile-dev-incPainless E2E Automation for Mobile and Web
FastMCP v2 🚀
jlowin🚀 The fast, Pythonic way to build MCP servers and clients.
IDA Pro MCP
mrexodiaAI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
Comments