What is Mcp Server Pt

mcp_server_pt is a comprehensive tool designed for analyzing web applications, specifically focusing on identifying business logic vulnerabilities that traditional scanners may overlook.

Use cases

Use cases for mcp_server_pt include conducting security assessments of web applications, identifying potential vulnerabilities in business logic, and ensuring robust security measures are in place during application development.

How to use

To use mcp_server_pt, clone the repository from GitHub, navigate to the directory, install the required dependencies using pip, and run the tool with the command ‘python web_app_mcp.py h’ for basic operations.

Key features

Key features of mcp_server_pt include comprehensive discovery of web application structure, authentication handling, business logic analysis, advanced input analysis, and visualization support with a visual sitemap.

Where to use

mcp_server_pt can be used in various fields including cybersecurity, web application development, and penetration testing, where understanding business logic vulnerabilities is crucial.

Web Application Penetration Testing MCP

A comprehensive tool for analyzing web applications with a focus on business logic security vulnerabilities. This Master Control Program (MCP) systematically crawls, analyzes, and identifies potential security issues beyond what standard scanners detect.

Overview

Web Application Penetration Testing MCP helps you understand the business context of web applications by building a complete map of the application structure and identifying potential security weak points, particularly in business logic implementation.

Key Features

Comprehensive Discovery

• Automatically builds a tree structure of the entire web application
• Maps all links, forms, and interactive elements
• Identifies input fields with their types and expected values

Authentication Handling

• Automatically detects login/logout pages
• Can authenticate using credentials to access protected areas
• Supports both cookie-based and bearer token authentication

Business Logic Analysis

• Identifies potential IDOR (Insecure Direct Object Reference) vulnerabilities
• Detects mathematical/calculation edge cases
• Maps multi-step workflows that could be manipulated
• Discovers permission and access control issues

Advanced Input Analysis

• Identifies input field types (even when not explicitly defined)
• Generates appropriate test values based on field type
• Detects hidden fields that might contain sensitive values

Visualization Support

• Creates a visual sitemap using DOT format (viewable with Graphviz)
• Highlights complex pages requiring more attention

Installation

# Clone the repository
git clone https://github.com/yourusername/web-app-penetration-testing-mcp.git

# Navigate to the directory
cd web-app-penetration-testing-mcp

# Install dependencies - using uv
pip install -r requirements.txt

Usage

at the moment other.py is the continued tool version

Basic Operation

# Basic usage
python web_app_mcp.py https://example.com

# With authentication
python web_app_mcp.py https://example.com --username [email protected] --password mysecretpassword

# Create visual sitemap
python web_app_mcp.py https://example.com --visual

# Control crawl speed and depth
python web_app_mcp.py https://example.com --delay 1.0 --max-pages 200

Command Line Arguments

Output

The tool generates a mcp_results.json file containing:

• Complete application structure
• Identified input fields and their types
• Detected authentication mechanisms
• Multi-step workflows
• Potential edge cases and vulnerabilities
• Business logic analysis results

Workflow for Testing

1. Review the generated mcp_results.json file to understand the application structure
2. Focus on the “potential_edge_cases” section for high-value test targets
3. Use the visual sitemap to identify complex areas of the application
4. Leverage the generated test cases to find business logic vulnerabilities

Example Output

{
  "application_map": {
    "https://example.com/": {
      "type": "page",
      "links": [
        "https://example.com/login",
        "https://example.com/about"
      ],
      "forms": []
    },
    "https://example.com/login": {
      "type": "authentication",
      "links": [],
      "forms": [
        {
          "action": "/process-login",
          "method": "POST",
          "inputs": [
            {
              "name": "username",
              "type": "email"
            },
            {
              "name": "password",
              "type": "password"
            }
          ]
        }
      ]
    }
  },
  "potential_edge_cases": [
    {
      "url": "https://example.com/user/profile",
      "type": "IDOR",
      "description": "User ID parameter may allow access to other profiles"
    }
  ]
}

Visualization

When using the --visual flag, the tool generates a sitemap.dot file that can be converted to an image using Graphviz:

dot -Tpng sitemap.dot -o sitemap.png

Advanced Usage

Scanning with Custom Headers

python web_app_mcp.py https://example.com --headers '{"X-API-Key": "your-api-key"}'

Rate Limited Scanning

python web_app_mcp.py https://example.com --delay 2.0 --max-pages 50

Focusing on Specific Areas

python web_app_mcp.py https://example.com/admin --max-depth 3

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.