Appsecco MasterClass Pentesting MCP Servers Model Context Protocol -Hands-On Demo & Attack Examples скачать в хорошем качестве

Appsecco MasterClass Pentesting MCP Servers Model Context Protocol -Hands-On Demo & Attack Examples

Learn how to pentest MCP (Model Context Protocol) servers with Appsecco’s hands-on masterclass. See real attacks, vulnerabilities, and live demos using our Universal MCP Client + Burp. Appsecco MasterClass — Pentesting MCP Servers (Model Context Protocol / MCP) Riyaz (Chief Hacker, Appsecco) and team show why MCP is the new critical attack surface, common MCP vulnerabilities in the wild, and a live hands-on pentest using Appsecco’s Universal MCP Client + Burp. For security pros, red teamers, DevSecOps, and devs working with AI integrations. What you’ll learn What MCP is and why it matters for enterprise security Transport types (stdio, HTTP/events) and attack surfaces MCP primitives: Tools, Resources, Prompts — where risks appear New attack classes: tool poisoning, schema poisoning, TOCTOU, OAuth abuse How to capture MCP traffic (stdio + backend HTTP) with our client + Burp Practical pentest checklist and mitigations 00:00:00 Introduction — Why MCP is the critical new attack surface 00:00:38 MCP Transport Types (stdio, HTTP, events) 00:00:53 MCP Server Primitives: Tools, Resources, Prompts 00:01:24 MCP Adoption across enterprises 00:01:57 Why care about MCP security (attack surface & stats) 00:02:32 MCP Servers in production — examples (bank, healthcare) 00:02:56 Common production deployment patterns for MCP servers 00:03:09 How AI amplifies traditional vulnerabilities 00:03:36 New MCP attack classes: Tool & schema poisoning 00:04:22 MCP real attack examples (TOCTOU, OAuth harvesting) 00:05:18 Why traditional security fails for MCP threats 00:06:01 Practical action plan for MCP security (inventory, controls, testing) 00:06:37 Pentesting MCP — Appsecco Masterclass intro 00:07:52 Appsecco’s Universal MCP Client — why we built it 00:10:03 Configure the test local MCP server (HackerNews sample) 00:12:59 Demo: start the Universal MCP Client 00:14:29 Live: capture local MCP server traffic with Burp 00:17:21 Burp interception demo & repeater testing 00:18:00 Top MCP vulnerabilities in the wild (2025) 00:19:16 Rebinding, rug-pull, tool-shadow attacks 00:20:05 Prompt injection, hidden text & chained MCP calls 00:20:53 Top 6 MCP vulnerabilities — checklist & wrap up Short transcript summary This masterclass explains why Model Context Protocol (MCP) is an emerging enterprise attack surface and demonstrates practical pentesting techniques. We cover transport types, server primitives, and why traditional security tools struggle with adaptive, AI-driven threats. Live demos show tool poisoning, schema poisoning, TOCTOU rug-pulls, OAuth scope abuse, and consent-fatigue attacks. Using Appsecco’s Universal MCP Client with Burp, we capture STDIO + backend HTTP calls, replay and fuzz traffic, and reveal vulnerabilities in production-style MCP deployments. Resources & downloads Appsecco Universal MCP Client (repo & proxy): https://github.com/appsecco/mcp-clien... HackerNews test MCP server: https://github.com/GeorgeNance/hacker... Slides & deck (download): https://drive.google.com/file/d/13ED8... Appsecco website: https://appsecco.com Masterclass page: https://masterclass.appsecco.com/pent... Quick demo reproduction 1. Clone HackerNews MCP and add its index.js to your mcp_config.json. 2. npm run build → start the MCP server (node command from config). 3. Start the client: python3 app.py --start (use proxy-chains for Node MCPs). 4. Capture STDIO + HTTP in Burp, send to Repeater, fuzz, and analyze. Call to action Like 👍, Subscribe, and share with your security/dev teams. Comment below — which MCP attack class should we deep-dive next? Hashtags #mcpserver #aisecurity #pentesting #mcpsecurity