Content
Web Application Penetration Testing MCP
A comprehensive tool for analyzing web applications with a focus on business logic security vulnerabilities. This Master Control Program (MCP) systematically crawls, analyzes, and identifies potential security issues beyond what standard scanners detect.
Overview
Web Application Penetration Testing MCP helps you understand the business context of web applications by building a complete map of the application structure and identifying potential security weak points, particularly in business logic implementation.
Key Features
Comprehensive Discovery
- Automatically builds a tree structure of the entire web application
- Maps all links, forms, and interactive elements
- Identifies input fields with their types and expected values
Authentication Handling
- Automatically detects login/logout pages
- Can authenticate using credentials to access protected areas
- Supports both cookie-based and bearer token authentication
Business Logic Analysis
- Identifies potential IDOR (Insecure Direct Object Reference) vulnerabilities
- Detects mathematical/calculation edge cases
- Maps multi-step workflows that could be manipulated
- Discovers permission and access control issues
Advanced Input Analysis
- Identifies input field types (even when not explicitly defined)
- Generates appropriate test values based on field type
- Detects hidden fields that might contain sensitive values
Visualization Support
- Creates a visual sitemap using DOT format (viewable with Graphviz)
- Highlights complex pages requiring more attention
Installation
# Clone the repository
git clone https://github.com/yourusername/web-app-penetration-testing-mcp.git
# Navigate to the directory
cd web-app-penetration-testing-mcp
# Install dependencies - using uv
pip install -r requirements.txt
Usage
at the moment other.py is the continued tool version
Basic Operation
# Basic usage
python web_app_mcp.py https://example.com
# With authentication
python web_app_mcp.py https://example.com --username user@example.com --password mysecretpassword
# Create visual sitemap
python web_app_mcp.py https://example.com --visual
# Control crawl speed and depth
python web_app_mcp.py https://example.com --delay 1.0 --max-pages 200
Command Line Arguments
| Argument | Description |
|---|---|
url | Target web application URL (required) |
--username | Username for authenticated scanning |
--password | Password for authenticated scanning |
--visual | Generate visual sitemap in DOT format |
--delay | Delay between requests in seconds (default: 0.5) |
--max-pages | Maximum number of pages to scan (default: 100) |
--output | Output file name (default: mcp_results.json) |
--cookies | Cookie string for authenticated scanning |
--headers | Additional headers in JSON format |
Output
The tool generates a mcp_results.json file containing:
- Complete application structure
- Identified input fields and their types
- Detected authentication mechanisms
- Multi-step workflows
- Potential edge cases and vulnerabilities
- Business logic analysis results
Workflow for Testing
- Review the generated
mcp_results.jsonfile to understand the application structure - Focus on the "potential_edge_cases" section for high-value test targets
- Use the visual sitemap to identify complex areas of the application
- Leverage the generated test cases to find business logic vulnerabilities
Example Output
{
"application_map": {
"https://example.com/": {
"type": "page",
"links": ["https://example.com/login", "https://example.com/about"],
"forms": []
},
"https://example.com/login": {
"type": "authentication",
"links": [],
"forms": [
{
"action": "/process-login",
"method": "POST",
"inputs": [
{"name": "username", "type": "email"},
{"name": "password", "type": "password"}
]
}
]
}
},
"potential_edge_cases": [
{
"url": "https://example.com/user/profile",
"type": "IDOR",
"description": "User ID parameter may allow access to other profiles"
}
]
}
Visualization
When using the --visual flag, the tool generates a sitemap.dot file that can be converted to an image using Graphviz:
dot -Tpng sitemap.dot -o sitemap.png
Advanced Usage
Scanning with Custom Headers
python web_app_mcp.py https://example.com --headers '{"X-API-Key": "your-api-key"}'
Rate Limited Scanning
python web_app_mcp.py https://example.com --delay 2.0 --max-pages 50
Focusing on Specific Areas
python web_app_mcp.py https://example.com/admin --max-depth 3
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Recommend Servers
TraeBuild with Free GPT-4.1 & Claude 3.7. Fully MCP-Ready.
WindsurfThe new purpose-built IDE to harness magic
Visual Studio Code - Open Source ("Code - OSS")Visual Studio Code
AiimagemultistyleA Model Context Protocol (MCP) server for image generation and manipulation using fal.ai's Stable Diffusion model.
Baidu Map百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Jina AI MCP ToolsA Model Context Protocol (MCP) server that integrates with Jina AI Search Foundation APIs.
MiniMax MCPOfficial MiniMax Model Context Protocol (MCP) server that enables interaction with powerful Text to Speech, image generation and video generation APIs.
BlenderBlenderMCP connects Blender to Claude AI through the Model Context Protocol (MCP), allowing Claude to directly interact with and control Blender. This integration enables prompt assisted 3D modeling, scene creation, and manipulation.
Amap Maps高德地图官方 MCP Server
EdgeOne Pages MCPAn MCP service designed for deploying HTML content to EdgeOne Pages and obtaining an accessible public URL.
Playwright McpPlaywright MCP server
Howtocook Mcp基于Anduin2017 / HowToCook (程序员在家做饭指南)的mcp server,帮你推荐菜谱、规划膳食,解决“今天吃什么“的世纪难题;
Based on Anduin2017/HowToCook (Programmer's Guide to Cooking at Home), MCP Server helps you recommend recipes, plan meals, and solve the century old problem of "what to eat today"
MCP AdvisorMCP Advisor & Installation - Use the right MCP server for your needs
CursorThe AI Code Editor
Serper MCP ServerA Serper MCP Server
Tavily Mcp
ChatWiseThe second fastest AI chatbot™
Zhipu Web SearchZhipu Web Search MCP Server is a search engine specifically designed for large models. It integrates four search engines, allowing users to flexibly compare and switch between them. Building upon the web crawling and ranking capabilities of traditional search engines, it enhances intent recognition capabilities, returning results more suitable for large model processing (such as webpage titles, URLs, summaries, site names, site icons, etc.). This helps AI applications achieve "dynamic knowledge acquisition" and "precise scenario adaptation" capabilities.
Context7Context7 MCP Server -- Up-to-date code documentation for LLMs and AI code editors
TimeA Model Context Protocol server that provides time and timezone conversion capabilities. This server enables LLMs to get current time information and perform timezone conversions using IANA timezone names, with automatic system timezone detection.
DeepChatYour AI Partner on Desktop