Skip to content

Agent-Hellboy/mcp-server-fuzzer

BranchesTags

Repository files navigation

MCP Server Fuzzer

A comprehensive super aggressive CLI based fuzzing tool for MCP servers using multiple transport protocols, with support for both tool argument fuzzing and protocol type fuzzing. Features pretty output using rich.

The most important thing I'm aiming to ensure here is: If your server conforms to the MCP schema, this tool will be able to fuzz it effectively.

CI codecov PyPI - Version PyPI Downloads

Documentation

View Full Documentation

Quick Start

Installation

# Install from PyPI
pip install mcp-fuzzer

# Or install from source
git clone https://github.com/Agent-Hellboy/mcp-server-fuzzer.git
cd mcp-server-fuzzer
pip install -e .

Basic Usage

  1. Set up your MCP server (HTTP, SSE, or Stdio)
  2. Run basic fuzzing:
# Fuzz tools on an HTTP server
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000

# Fuzz protocol types on an SSE server
mcp-fuzzer --mode protocol --protocol sse --endpoint http://localhost:8000/sse

Key Features

  • Two-Phase Fuzzing: Realistic testing + aggressive security testing
  • Multi-Protocol Support: HTTP, SSE, and Stdio transports
  • Built-in Safety: Environment detection and system protection
  • Intelligent Testing: Hypothesis-based data generation strategies
  • Rich Reporting: Detailed output with exception tracking

Architecture

The system is built with a modular architecture:

  • CLI Layer: User interface and argument handling
  • Transport Layer: Protocol abstraction (HTTP/SSE/Stdio)
  • Fuzzing Engine: Test orchestration and execution
  • Strategy System: Data generation (realistic + aggressive)
  • Safety System: Core filter + SystemBlocker PATH shim; safe mock responses
  • Runtime: Async ProcessManager + ProcessWatchdog + AsyncProcessWrapper
  • Authentication: Multiple auth provider support
  • Reporting: FuzzerReporter, Console/JSON/Text formatters, SafetyReporter

Contributing

We welcome contributions! Please see our Contributing Guide for details.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

This tool is designed for testing and security research. Always use in controlled environments and ensure you have permission to test the target systems. The safety system provides protection but should not be relied upon as the sole security measure.

About

A generic mcp server fuzzer

Topics

ai mcp ai-agents security-research testing-tool llm-agents agentic-workflow agentic-ai ai-testing-tool mcp-servers mcp-client mcp-tools mcp-security protocol-testing mcp-fuzzer mcp-specification-validation property-based-testing-mcp mutation-testing-mcp generative-testing-mcp

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

12 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 8

Release v0.1.7 Latest
Aug 12, 2025
+ 7 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages