{"id":"pawelkozy-mcp-breach-to-fix-labs","name":"mcp-breach-to-fix-labs","homepage":null,"repo_url":"https://github.com/PawelKozy/mcp-breach-to-fix-labs","category":"devtools","subcategories":[],"tags":["mcp","fastmcp","security","labs","docker","python","cve","vulnerability-reproduction","education"],"what_it_does":"Provides a Dockerized set of Model Context Protocol (MCP) security lab servers with intentionally vulnerable and corresponding hardened implementations for multiple common vulnerability classes (e.g., path traversal, SQL injection, prompt/tool-response injection, command injection). Includes challenge walkthroughs and proof artifacts meant to reproduce exploit-to-mitigation flows end-to-end.","use_cases":["Learning MCP security failure modes by running vulnerable and secure FastMCP servers locally","Reproducing specific classes of vulnerabilities (and mitigations) in isolated lab conditions","Building regression tests/teaching materials for secure MCP tool design"],"not_for":["Production deployment","Running against untrusted networks without isolation","Testing compliance requirements beyond local lab usage"],"best_when":"You need a reproducible, local training/regression environment to compare vulnerable vs. hardened MCP server patterns.","avoid_when":"You cannot isolate the environment (e.g., no Docker sandbox, no network restrictions) or you need a fully production-grade SaaS/API platform.","alternatives":["OWASP Juice Shop (web vulnerabilities, different interface)","Local security labs like DVWA/OWASP Benchmark (not MCP-specific)","Custom FastMCP/Python security test harnesses","MCP Inspector/test utilities with your own hardened/vulnerable fixtures"],"af_score":46.0,"security_score":28.5,"reliability_score":20.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:49:02.601047+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:8008/mcp/stream (example for vulnerable); secure variants use other localhost ports (e.g., 9008)","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Not specified in README; likely local-only lab access to MCP stream endpoints (no external auth described)."],"oauth":false,"scopes":false,"notes":"The README does not describe authentication/authorization mechanisms for the MCP endpoints; it focuses on insecure vs. hardened tool/server logic."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Repository appears to be a local lab with Docker; no pricing model described."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":46.0,"security_score":28.5,"reliability_score":20.0,"mcp_server_quality":70.0,"documentation_accuracy":80.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":100.0,"rate_limit_clarity":0.0,"tls_enforcement":10.0,"auth_strength":20.0,"scope_granularity":30.0,"dependency_hygiene":50.0,"secret_handling":40.0,"security_notes":"Security posture is mixed by design: the repo explicitly ships vulnerable challenge implementations alongside hardened ones. The README warns not to deploy in production, implying intended use is isolated lab environments. Authentication, TLS configuration, and operational security controls for the MCP endpoints are not described. Hardened scenarios mention defense-in-depth patterns (scoping credentials per tenant, canonical path enforcement, parameterized SQL, sanitizing tool/remote content, freezing tool descriptions), but those specifics are not evidenced here beyond descriptions.","uptime_documented":0.0,"version_stability":30.0,"breaking_changes_history":30.0,"error_recovery":20.0,"idempotency_support":"false","idempotency_notes":"Not stated; lab challenges include exploit flows that may be non-idempotent depending on fixtures and data mutations.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["These labs intentionally include exploitable behavior; agents may attempt exploitation steps that cause state changes or data exfiltration attempts.","Because the project includes vulnerable modes, an agent that is not constrained could perform actions beyond the intended learning scope.","Auth/rate-limit behavior is not documented in the README; an agent should not assume production-like guardrails."]}}