
Insecure MCP Demo Server

MCP Server

Showcase of a vulnerable MCP server and attack clients

Updated May 8, 2025

About

A deliberately insecure MCP server exposing tools like insert_record, query_records, execute_sql, and get_env_variable to demonstrate SQL injection, arbitrary code execution, and sensitive data leakage. It serves as an educational platform for security testing.

Capabilities

  • Resources – Access data sources
  • Tools – Execute functions
  • Prompts – Pre-built templates
  • Sampling – AI model interactions

Overview

Kenhuangus Mcp Vulnerable Server Demo is a deliberately insecure Model Context Protocol (MCP) server designed to illustrate common security pitfalls that can arise when exposing database and system functionality to AI assistants. By presenting a set of openly accessible tools—such as record insertion, data querying, arbitrary SQL execution, and environment‑variable retrieval—the server demonstrates how insufficient input validation, lack of authentication, and overly permissive tooling can lead to data theft, privilege escalation, and system compromise. The accompanying “good” client shows how the same interface can be used safely when proper safeguards are in place, while an automated attack client showcases real‑world exploit scenarios.

What Problem Does It Solve?

The primary purpose of this demo is educational: it provides a hands‑on playground for developers, security researchers, and AI practitioners to observe how an MCP server can be abused when it lacks essential controls. Rather than focusing on deployment, the project emphasizes understanding the attack surface that arises from exposing raw database operations and environment data to untrusted clients. By making the vulnerabilities explicit, it encourages secure design practices before an MCP server is ever put into production.

Core Features and Their Value

  • Insert Record Tool – Adds name/address pairs to a local database. Its vulnerability to SQL injection highlights the risks of building queries via string interpolation.
  • Query Records Tool – Returns all database entries. Without authentication, it exposes the entire dataset to anyone who can reach the server.
  • Execute SQL Tool – Allows any SQL statement, including destructive commands. This demonstrates the danger of providing unrestricted query execution to clients.
  • Get Environment Variable Tool – Reads arbitrary environment variables, potentially leaking secrets such as API keys or database credentials.

Each tool serves as a micro‑example of a broader security principle: parameterized queries, least privilege, and access control. The server’s design intentionally omits these safeguards to make the consequences visible.
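The following is an added example, not code from the demo project, that puts the Insert Record and Get Environment Variable tools side by side with the safeguards the paragraph names: an interpolated INSERT next to its parameterized form, and an allowlisted environment lookup in place of arbitrary reads. The in-memory SQLite table, its column names, and the allowlisted variable names are assumptions made for the example; the project's real schema is not shown on this page.

```python
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for the demo's local store.
    # Table and column names are assumptions for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (name TEXT NOT NULL, address TEXT NOT NULL)")
    return conn


def insert_record_vulnerable(conn: sqlite3.Connection, name: str, address: str) -> None:
    # Query text built by string interpolation: a quote character in either
    # value changes the structure of the statement instead of being stored.
    sql = f"INSERT INTO records (name, address) VALUES ('{name}', '{address}')"
    conn.execute(sql)
    conn.commit()


def insert_record_safe(conn: sqlite3.Connection, name: str, address: str) -> None:
    # Parameterized query: the driver binds the values separately from the SQL
    # text, so the input is stored verbatim whatever characters it contains.
    conn.execute("INSERT INTO records (name, address) VALUES (?, ?)", (name, address))
    conn.commit()


def query_records(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT name, address FROM records ORDER BY rowid").fetchall()


# Least privilege for the environment tool: expose only named, non-secret
# variables rather than arbitrary lookups. The names are assumptions.
ENV_ALLOWLIST = frozenset({"APP_MODE", "LOG_LEVEL"})


def get_env_variable_safe(name: str):
    if name not in ENV_ALLOWLIST:
        raise PermissionError(f"environment variable {name!r} is not exposed by this tool")
    return os.environ.get(name)


def demo() -> tuple:
    """Run both insert variants on a benign value that contains a single quote."""
    conn = make_db()
    insert_record_safe(conn, "O'Brien", "1 Main St")
    try:
        insert_record_vulnerable(conn, "O'Brien", "1 Main St")
        vulnerable_outcome = "stored"
    except sqlite3.Error as exc:
        # The interpolated statement is no longer valid SQL: the quote in the
        # name terminated the string literal early.
        vulnerable_outcome = f"failed: {exc}"
    return query_records(conn), vulnerable_outcome


if __name__ == "__main__":
    rows, outcome = demo()
    print("stored rows:", rows)
    print("vulnerable insert:", outcome)
```

A name such as O'Brien is enough to show the defect: the interpolated version fails to parse because the apostrophe ends the string literal, while the parameterized version stores the value unchanged. Any input that can alter statement structure this way can also alter it deliberately, which is the SQL injection risk the tool description refers to.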

Real‑World Use Cases

  • Security Training – Students and developers can experiment with SQL injection, privilege escalation, and data exfiltration in a controlled setting.
  • Penetration Testing – Security teams can use the attack client to test how an MCP interface might be abused if exposed to external AI assistants.
  • API Design Review – Architects can evaluate the trade‑offs between exposing powerful tools and protecting sensitive data, refining their MCP specifications accordingly.

Integration with AI Workflows

In a typical MCP workflow, an AI assistant sends JSON requests to the server’s exposed tools. This demo shows how an assistant could inadvertently invoke dangerous operations if the server does not enforce role‑based access or input validation. By pairing the vulnerable server with a “good” client, developers can see how adding authentication layers or sanitizing inputs changes the interaction pattern, ensuring that only authorized commands reach the database or system environment.
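As an added example (not the demo's own client or server code), the dispatcher below shows where the role-based access and input validation described above sit in the request path: every tool call is checked against a per-role allowlist and an argument schema before any handler runs. The request shape, the roles, the schemas, and the in-memory record store are all assumptions made for the example; the page does not show the project's real request format.

```python
import json

# Constructed in-memory store standing in for the demo's database (assumption).
RECORDS: list = []


def tool_insert_record(args: dict) -> dict:
    RECORDS.append({"name": args["name"], "address": args["address"]})
    return {"inserted": len(RECORDS)}


def tool_query_records(args: dict) -> dict:
    return {"records": list(RECORDS)}


HANDLERS = {
    "insert_record": tool_insert_record,
    "query_records": tool_query_records,
}

# Per-role tool allowlist (roles and assignments are assumptions for the example).
ROLE_TOOLS = {
    "reader": {"query_records"},
    "writer": {"insert_record", "query_records"},
}

# Argument schema per tool: required key -> (expected type, maximum length).
TOOL_SCHEMAS = {
    "insert_record": {"name": (str, 100), "address": (str, 200)},
    "query_records": {},
}


class ToolError(Exception):
    """Raised for unknown tools, unauthorized calls, or malformed arguments."""


def validate_args(tool: str, args: dict) -> None:
    schema = TOOL_SCHEMAS[tool]
    if set(args) != set(schema):
        raise ToolError(f"{tool}: expected arguments {sorted(schema)}, got {sorted(args)}")
    for key, (expected_type, max_len) in schema.items():
        value = args[key]
        if not isinstance(value, expected_type) or len(value) > max_len:
            raise ToolError(f"{tool}: argument {key!r} has wrong type or exceeds {max_len} chars")


def handle_request(raw_json: str, role: str) -> dict:
    """Authorize and validate a tool call before dispatching it.

    Request shape (an assumption, modelled loosely on a tools/call message):
    {"name": "<tool>", "arguments": {...}}
    """
    req = json.loads(raw_json)
    tool = req.get("name")
    args = req.get("arguments", {})
    if tool not in HANDLERS:
        raise ToolError(f"unknown tool {tool!r}")
    # Authorization happens before validation so that an unauthorized caller
    # learns nothing about a tool's argument schema from error messages.
    if tool not in ROLE_TOOLS.get(role, set()):
        raise ToolError(f"role {role!r} is not allowed to call {tool!r}")
    if not isinstance(args, dict):
        raise ToolError("arguments must be an object")
    validate_args(tool, args)
    return HANDLERS[tool](args)


if __name__ == "__main__":
    call = json.dumps({"name": "insert_record", "arguments": {"name": "Ada", "address": "2 Elm Rd"}})
    print(handle_request(call, role="writer"))
    print(handle_request(json.dumps({"name": "query_records"}), role="reader"))
```

The checks are deliberately layered: unknown tool names are rejected first, then the caller's role is checked against the allowlist, then the argument object is validated for exact keys, types and length. A handler is only reached by a request that has passed all three, which is the interaction pattern the "good" client relies on.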

Unique Advantages

  • Transparent Vulnerability Exposure – The project deliberately leaves tools unprotected, making the attack surface obvious and teachable.
  • Automated Attack Client – The proof‑of‑concept client automatically runs a battery of injection payloads and environment‑variable probes, providing instant feedback on what can be compromised.
  • Modular Design – Each tool is isolated, allowing developers to cherry‑pick which aspects they want to study or secure.

In summary, the Kenhuangus Mcp Vulnerable Server Demo is a focused, hands‑on resource for anyone looking to grasp the security implications of exposing MCP tools. It bridges theoretical concepts—such as SQL injection and privilege escalation—with practical, observable outcomes, thereby reinforcing best practices for building secure AI‑enabled data interfaces.