MCP Server Testing
Model Context Protocol (MCP) servers expose tools and resources to AI agents over JSON-RPC 2.0 using the Streamable HTTP transport. These servers accept structured input from AI assistants like Claude, Cursor, and Windsurf — making them HTTP endpoints that process untrusted data. Like any API, MCP servers are vulnerable to injection attacks, data disclosure, and other security issues that dynamic application security testing (DAST) can detect. HawkScan discovers MCP tools automatically and scans them for vulnerabilities without requiring an OpenAPI specification or manual endpoint configuration.
How MCP Scanning Works
HawkScan performs a standard MCP protocol handshake to discover and test your server’s tools:
- Initialize — Sends an `initialize` request to establish a session with the MCP server
- Confirm — Sends a `notifications/initialized` notification to complete the handshake
- Discover tools — Sends a `tools/list` request to enumerate available tools and their input schemas
- Scan — For each discovered tool, generates fuzzed payloads from the tool’s `inputSchema` and sends them as `tools/call` requests, analyzing responses for vulnerability indicators
This means HawkScan tests your MCP server the same way an AI agent would use it — through the standard protocol — ensuring that vulnerabilities found in testing reflect real-world attack surfaces.
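The four-step sequence above, carried through end to end as an added example (not HawkScan code and not from the MCP project): a toy Streamable HTTP MCP endpoint served in a background thread, and a client that performs `initialize`, `notifications/initialized`, `tools/list` and one `tools/call` against it. The session handling is an assumption about the transport (the session id is returned in an `Mcp-Session-Id` header and echoed on every later message, notifications are acknowledged with an empty 202), the protocol version string, the `echo` tool and its schema are constructed for the example, and only plain JSON replies are modelled, not the SSE stream.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTOCOL_VERSION = "2025-03-26"  # assumed protocol version string for the toy exchange
SESSION_ID = "constructed-session-1"  # constructed; a real server issues a fresh id per initialize

# Constructed tool catalogue for the toy server: one tool and its input schema.
TOOLS = [{"name": "echo", "description": "Return the given text",
          "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}},
                          "required": ["text"]}}]


class ToyMCPHandler(BaseHTTPRequestHandler):
    """Minimal Streamable HTTP MCP endpoint at /mcp (plain JSON replies, no SSE stream)."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, status, body=None, extra_headers=()):
        data = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        if data:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/mcp":
            return self._send(404)
        msg = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        method, rid, params = msg.get("method"), msg.get("id"), msg.get("params", {})
        if method == "initialize":
            result = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
                      "serverInfo": {"name": "toy-mcp", "version": "0.0.1"}}
            return self._send(200, {"jsonrpc": "2.0", "id": rid, "result": result},
                              [("Mcp-Session-Id", SESSION_ID)])
        # Every message after initialize must carry the session id issued there.
        if self.headers.get("Mcp-Session-Id") != SESSION_ID:
            return self._send(400, {"jsonrpc": "2.0", "id": rid,
                                    "error": {"code": -32600, "message": "missing or unknown session"}})
        if method == "notifications/initialized":
            return self._send(202)  # a notification has no id and gets no JSON-RPC reply
        if method == "tools/list":
            return self._send(200, {"jsonrpc": "2.0", "id": rid, "result": {"tools": TOOLS}})
        if method == "tools/call" and params.get("name") == "echo":
            text = str(params.get("arguments", {}).get("text", ""))
            return self._send(200, {"jsonrpc": "2.0", "id": rid,
                                    "result": {"content": [{"type": "text", "text": text}]}})
        return self._send(200, {"jsonrpc": "2.0", "id": rid,
                                "error": {"code": -32601, "message": "method not found"}})


def start_toy_server():
    """Serve the toy MCP endpoint on a free localhost port; returns the base URL."""
    srv = HTTPServer(("127.0.0.1", 0), ToyMCPHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


class MCPClient:
    """Client side of the sequence: initialize, initialized, tools/list, tools/call."""

    def __init__(self, endpoint):
        self.endpoint, self.session_id, self.next_id = endpoint, None, 1

    def _post(self, method, params=None, notification=False):
        msg = {"jsonrpc": "2.0", "method": method, "params": params or {}}
        if not notification:  # requests carry an id, notifications do not
            msg["id"], self.next_id = self.next_id, self.next_id + 1
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json, text/event-stream"}
        if self.session_id:
            headers["Mcp-Session-Id"] = self.session_id
        req = urllib.request.Request(self.endpoint, data=json.dumps(msg).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            self.session_id = resp.headers.get("Mcp-Session-Id", self.session_id)
            body = resp.read()
        return json.loads(body) if body else None

    def handshake(self):
        init = self._post("initialize", {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                                         "clientInfo": {"name": "toy-client", "version": "0.0.1"}})
        self._post("notifications/initialized", notification=True)
        return init["result"]

    def list_tools(self):
        return self._post("tools/list")["result"]["tools"]

    def call_tool(self, name, arguments):
        return self._post("tools/call", {"name": name, "arguments": arguments})["result"]


def discover_tools(base_url):
    """Run the full handshake against base_url + /mcp and return {tool name: inputSchema}."""
    client = MCPClient(base_url + "/mcp")
    client.handshake()
    return {t["name"]: t["inputSchema"] for t in client.list_tools()}


if __name__ == "__main__":
    print(discover_tools(start_toy_server()))
```

The `inputSchema` returned by `discover_tools` is exactly what a scanner needs to generate per-parameter test payloads for the next step; the toy server also shows why the session check matters, since any `tools/list` or `tools/call` without the issued `Mcp-Session-Id` is rejected before the method is dispatched.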
What HawkScan Detects
HawkScan runs the same active and passive security checks against MCP tools that it runs against any other API. Findings are tied to specific tools, so you know exactly which tool is vulnerable and how.
- SQL Injection — Detects SQL errors in tool responses caused by injected payloads. For example, a `query_database` tool that passes user input directly into SQL queries.
- Cross-Site Scripting (XSS) — Identifies reflected content in tool output that could be rendered in a browser or downstream application.
- Server-Side Request Forgery (SSRF) — Tests URL parameters for internal network access. Tools like `fetch_url` or `get_resource` that accept URLs are common targets.
- Prompt Injection — Detects when crafted inputs can manipulate LLM behavior through tool responses, potentially overriding system instructions or leaking sensitive context.
- Information Disclosure — Finds sensitive data exposure in tool responses, including error messages that reveal internal system details, stack traces, or credentials.
- Security Headers — Checks HTTP response headers on the MCP endpoint for missing security controls.
MCP tool responses use the `result.content` format with text entries. HawkScan extracts text content from these responses for vulnerability analysis, including error messages that may indicate injection vulnerabilities.
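An added example (not HawkScan's detection logic, which is not published here) of the two sides of the response-analysis step: a scanner-side function that pulls every text entry out of `result.content` and flags error-message indicators, tied to the tool and parameter as the findings above are, and a server-side wrapper that keeps driver exception details in the server log so the client only sees a generic `isError` reply. The signature lists, the `query_database` replies and the failing handler are constructed for the example.

```python
import re

# Constructed signature lists for this example; a real scanner carries far more.
SQL_ERROR_SIGNATURES = [
    r"SQL syntax", r"sqlite3\.OperationalError", r"unterminated quoted string",
    r"ORA-\d{5}", r"Unclosed quotation mark", r"PG::SyntaxError",
]
STACK_TRACE_SIGNATURES = [
    r"Traceback \(most recent call last\)", r"\bat [\w.$<>]+\(\w+\.java:\d+\)",
]


def extract_text(rpc_response):
    """Return the text of every result.content entry of type 'text' in a tools/call reply."""
    result = rpc_response.get("result") or {}
    return [c.get("text", "") for c in result.get("content", []) if c.get("type") == "text"]


def analyze_tool_response(tool_name, param, rpc_response):
    """Flag error-message indicators in a tools/call reply, tied to the tool and parameter."""
    findings = []
    texts = extract_text(rpc_response)
    if "error" in rpc_response:  # JSON-RPC level errors carry a message worth inspecting too
        texts.append(str(rpc_response["error"].get("message", "")))
    for text in texts:
        for kind, sigs in (("sql-error-disclosure", SQL_ERROR_SIGNATURES),
                           ("stack-trace-disclosure", STACK_TRACE_SIGNATURES)):
            hit = next((s for s in sigs if re.search(s, text)), None)
            if hit:
                findings.append({"tool": tool_name, "param": param, "type": kind, "evidence": hit})
    return findings


def run_tool_safely(handler, arguments, server_log):
    """Server-side wrapper: exception details go to the server log, the client gets a generic reply."""
    try:
        return {"content": [{"type": "text", "text": handler(arguments)}], "isError": False}
    except Exception as exc:
        server_log.append(f"{type(exc).__name__}: {exc}")
        return {"content": [{"type": "text", "text": "tool failed; see server logs"}],
                "isError": True}


# Constructed sample reply from a tool that passes the driver error straight through.
LEAKY_REPLY = {"jsonrpc": "2.0", "id": 7, "result": {"content": [
    {"type": "text", "text": "sqlite3.OperationalError: incomplete input"}], "isError": True}}


def faulty_handler(arguments):
    raise RuntimeError("ORA-00933: SQL command not properly ended")  # constructed driver text


def demo():
    """Analyze the leaky reply and a reply produced through the wrapper; return both plus the log."""
    log = []
    hardened_reply = {"jsonrpc": "2.0", "id": 8,
                      "result": run_tool_safely(faulty_handler, {"q": "x"}, log)}
    return (analyze_tool_response("query_database", "q", LEAKY_REPLY),
            analyze_tool_response("query_database", "q", hardened_reply), log)


if __name__ == "__main__":
    leaky, hardened, log = demo()
    print("leaky:", leaky)
    print("hardened:", hardened)
    print("server log:", log)
```

The wrapper does not make the underlying query safe; it only stops the error text from reaching the client, which is what turns an Information Disclosure finding into a silent failure that still needs fixing in the handler itself.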
How to Enable MCP Testing
Add the `mcp` block under `jsonRpcConf` in your stackhawk.yml:

```yaml
# stackhawk.yml
app:
  host: http://localhost:3000
  jsonRpcConf:
    mcp:
      endpoint: /mcp
```

The presence of the `mcp` block enables MCP scanning mode. No `enabled: true` or schema file is needed — HawkScan discovers tools automatically via the MCP handshake.
For full configuration options including custom values, excluding tools, faker support, and timeout settings, see JSON-RPC Configuration.
What to Expect
When you run a scan with MCP configuration, HawkScan connects to your MCP server, completes the protocol handshake, and discovers all available tools. For each tool, it generates test payloads based on the tool’s input schema and sends them as standard tools/call requests.
Findings appear in the StackHawk platform like any other scan. Each finding includes the tool name and the specific parameter that triggered the vulnerability, making it straightforward to locate and fix the issue in your server code.
```shell
hawk scan
```
HawkScan will connect to the MCP endpoint, discover available tools, and scan them for security vulnerabilities.