
What is Security Testing?

Security testing validates that your MCP server properly implements authentication, authorization, and protection against common vulnerabilities. It ensures your server can safely handle untrusted inputs and enforce access controls correctly.

Key Benefits

  • Authentication validation - Verify auth flows work correctly
  • Access control testing - Ensure permissions are enforced
  • Vulnerability detection - Find injection attacks and other security issues
  • Rate limiting verification - Test DoS protection mechanisms

How It Works

Configuration

Basic Security Test Suite

{
  "suite_id": "basic_security_tests",
  "name": "Essential Security Validation",
  "suite_type": "security",
  "auth_required": true,
  "test_cases": [
    {
      "test_id": "auth_validation",
      "auth_method": "oauth",
      "rate_limit_threshold": 100,
      "vulnerability_checks": ["auth"],
      "severity_threshold": "medium"
    }
  ],
  "include_penetration_tests": false
}

Test Configuration Fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| auth_method | string | required | Authentication method to test (oauth, token, etc.) |
| vulnerability_checks | array | ["auth"] | Security checks: ["auth", "rate_limit", "injection", "token_validation"] |
| rate_limit_threshold | integer | 100 | Expected rate limit (requests per minute) |
| severity_threshold | string | "medium" | Minimum severity to report (low, medium, high, critical) |

Suite-Level Settings

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| auth_required | boolean | true | Whether authentication is required |
| include_penetration_tests | boolean | false | Include aggressive security testing |

Authentication Methods

1. OAuth Authentication

Test OAuth flows and token security:

{
  "test_id": "oauth_flow_security",
  "auth_method": "oauth",
  "vulnerability_checks": ["oauth_validation", "token_validation"],
  "severity_threshold": "high"
}

Tests:
  • OAuth token validation
  • Authorization flow security
  • Token refresh handling
  • Scope enforcement

2. Token Authentication

Test bearer token security:

{
  "test_id": "token_security",
  "auth_method": "token",
  "vulnerability_checks": ["token_validation", "authentication_bypass"],
  "severity_threshold": "medium"
}

Tests:
  • Bearer token validation
  • Token expiration handling
  • Token manipulation detection
  • Authentication bypass prevention

Vulnerability Testing

Available Vulnerability Checks

{
  "vulnerability_checks": [
    "input_validation",
    "injection_attacks",
    "authentication_bypass",
    "oauth_validation",
    "token_validation",
    "mcp_prompt_injection",
    "mcp_data_leakage"
  ]
}

MCP-Specific Security Tests

  • Prompt Injection (mcp_prompt_injection): Tests resistance to prompt manipulation attacks
  • Data Leakage (mcp_data_leakage): Detects sensitive information exposure through responses
  • Authentication Bypass (authentication_bypass): Validates permission enforcement

Input Validation Tests

{
  "test_id": "input_validation_security",
  "auth_method": "oauth",
  "vulnerability_checks": ["input_validation", "injection_attacks"],
  "severity_threshold": "high"
}

Security Test Examples

1. OAuth Security Testing

{
  "test_id": "oauth_comprehensive",
  "auth_method": "oauth",
  "vulnerability_checks": ["oauth_validation", "token_validation"],
  "rate_limit_threshold": 50,
  "severity_threshold": "high",
  "metadata": {
    "category": "oauth_security",
    "priority": "critical"
  }
}

2. Input Sanitization Testing

{
  "test_id": "injection_resistance",
  "auth_method": "oauth",
  "vulnerability_checks": ["input_validation", "injection_attacks"],
  "severity_threshold": "medium",
  "metadata": {
    "category": "vulnerability_assessment",
    "priority": "high"
  }
}

Running Security Tests

Create Security Test Suite

# Interactive security suite creation
mcp-t create suite
# Select option "2" for security testing

Run Security Tests

# Run security test suite
mcp-t run security-tests server-id

# Run with verbose output
mcp-t run security-tests server-id --verbose

Example Command Flow

# 1. Create security test suite
mcp-t create suite

# 2. Run security assessment  
mcp-t run my-security-suite server-id

# 3. Review results in test_results/ directory

Configuration Files

The framework includes example security configurations:

Pre-built Security Suite

Location: configs/suites/security-tests.json

{
  "suite_id": "security-tests",
  "name": "Security Test Suite",
  "description": "Authentication and vulnerability testing",
  "suite_type": "security",
  "test_cases": [
    {
      "test_id": "auth_validation",
      "auth_method": "oauth",
      "vulnerability_checks": ["auth"],
      "severity_threshold": "medium"
    },
    {
      "test_id": "injection_testing",
      "auth_method": "oauth",
      "vulnerability_checks": ["injection"],
      "severity_threshold": "medium"
    }
  ],
  "auth_required": true,
  "include_penetration_tests": true
}

OAuth-Specific Security Suite

Location: configs/suites/oauth-security-tests.json

{
  "suite_id": "oauth-security-tests",
  "name": "OAuth Security Test Suite",
  "description": "Comprehensive OAuth security validation",
  "suite_type": "security",
  "test_cases": [
    {
      "test_id": "oauth_token_validation",
      "auth_method": "oauth",
      "vulnerability_checks": ["oauth_validation", "token_validation"],
      "severity_threshold": "high"
    }
  ],
  "auth_required": true,
  "include_penetration_tests": false
}
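
A pre-flight lint for suite files like the two above, as an added example that is not part of mcp-t: it checks each test case against the field names, defaults and values documented on this page and flags a suite that enables include_penetration_tests. The function names and the sample input are constructed for illustration, and the tool itself may accept values not listed here.

```python
import json

# Names copied from this page's tables and examples; the tool may accept others (assumption).
KNOWN_CHECKS = {
    "auth", "rate_limit", "injection", "token_validation", "input_validation",
    "injection_attacks", "authentication_bypass", "oauth_validation",
    "mcp_prompt_injection", "mcp_data_leakage",
}
SEVERITIES = ["low", "medium", "high", "critical"]  # ascending order

def reported_levels(threshold):
    """Severities at or above the configured minimum severity."""
    return SEVERITIES[SEVERITIES.index(threshold):]

def lint_suite(suite):
    """Return (level, message) findings for one suite config dict."""
    out = []
    if suite.get("suite_type") != "security":
        out.append(("error", "suite_type is not 'security'"))
    if suite.get("include_penetration_tests", False):
        out.append(("warn", "include_penetration_tests is true (aggressive testing)"))
    if not suite.get("auth_required", True):
        out.append(("warn", "auth_required is false"))
    for case in suite.get("test_cases", []):
        tid = case.get("test_id", "<no test_id>")
        if "auth_method" not in case:  # listed as required in the field table
            out.append(("error", f"{tid}: auth_method missing"))
        for check in case.get("vulnerability_checks", ["auth"]):
            if check not in KNOWN_CHECKS:
                out.append(("error", f"{tid}: unknown check {check!r}"))
        sev = case.get("severity_threshold", "medium")
        if sev not in SEVERITIES:
            out.append(("error", f"{tid}: bad severity_threshold {sev!r}"))
        limit = case.get("rate_limit_threshold", 100)
        # The page says integer; requiring a positive value is an assumption.
        if isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0:
            out.append(("error", f"{tid}: rate_limit_threshold must be a positive integer"))
    return out

# Constructed sample with deliberate mistakes, not a file shipped with the tool.
SAMPLE = json.loads("""{"suite_type": "security", "include_penetration_tests": true,
 "test_cases": [
  {"test_id": "t1", "auth_method": "oauth", "severity_threshold": "High",
   "vulnerability_checks": ["token_validaton"]},
  {"test_id": "t2", "vulnerability_checks": ["mcp_data_leakage"],
   "rate_limit_threshold": "50"}]}""")

if __name__ == "__main__":
    for level, msg in lint_suite(SAMPLE):
        print(f"{level.upper():5} {msg}")
```

Running the same function over a parsed suite file before `mcp-t run` catches a misspelled check name or an unintended `include_penetration_tests: true` before the suite is run against a server.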

Security Issue Severity Levels

Critical Issues

  • Remote code execution vulnerabilities
  • Authentication bypass flaws
  • Complete authorization bypass
  • Data exposure vulnerabilities

High Severity

  • Privilege escalation vectors
  • Token manipulation vulnerabilities
  • OAuth flow vulnerabilities
  • Sensitive information disclosure

Medium Severity

  • Input validation gaps
  • Minor authentication issues
  • Configuration weaknesses
  • Rate limiting issues

Low Severity

  • Information leakage (non-sensitive)
  • Logging and monitoring gaps
  • Documentation security concerns

Next Steps

  1. CLI Reference
  2. Server Configuration for auth setup
  3. Compliance Testing for protocol validation
  4. Conversational Testing for user experience