License MIT 26 challenges 78 flags Model Context Protocol

๐Ÿ MCPGoat

Hack the Model Context Protocol

A deliberately vulnerable Model Context Protocol (MCP) server for hands-on penetration-testing practice. Pick a difficulty level, then attack real MCP tools, resources, prompts and sampling โ€” and capture the flags.

26
Challenges
4
Levels each
78
Scored flags
20+
Vuln classes

What is MCPGoat?

As AI agents adopt the Model Context Protocol, MCP servers become a fresh, under-tested attack surface. MCPGoat is a safe, self-hosted lab to learn MCP security the only way that really sticks โ€” by breaking a target that's built to be broken.

๐ŸŽš๏ธ Tiered difficulty

Every challenge is implemented at Easy, Moderate and Difficult. The same flaw hardens as you climb โ€” from no auth to OAuth-style tokens, from full output to blind / out-of-band.

๐Ÿ Capture-the-flag scoreboard

A live scoreboard tracks 78 capture-the-flag flags. A 4th Secure level per challenge is the fixed reference where every documented exploit fails.

๐Ÿค– Real MCP attack surface

Attack it over Streamable HTTP with the bundled client, MCP Inspector, curl or Burp โ€” plus a victim-agent harness that shows a real LLM getting exploited.

Vulnerability coverage

MCP-specific attacks alongside the classic web bugs that resurface in MCP servers โ€” maximum coverage for AI / LLM security testing.

MCP: Tool poisoning Tool shadowing Rug-pull (TOCTOU) Indirect prompt injection Prompt-template injection Resource injection Sampling abuse Invisible / Unicode-tag stego OAuth token-audience confusion Command injection (RCE) SSRF SQL injection NoSQL injection Path traversal Broken authz / IDOR Secrets exposure SSTI XXE Insecure deserialization DNS rebinding CORS misconfig Predictable session IDs Unbounded consumption / DoS ReDoS Supply-chain (typosquat)

Pick your level, then pentest

The same vulnerability hardens as you climb, so you can grow from first exploit to multi-step, cross-primitive chains.

EasyModerateDifficultSecure
Authnonestatic tokenOAuth-style / cryptoenforced
Filteringnonebypassable blacklistallowlist with a gapcomplete
Feedbackfull outputpartialblind / out-of-bandnone leaked
Steps12โ€“3 chainedmulti-stepexploit fails

Quick start

One command with Docker โ€” self-contained, and any RCE stays inside the container. Keep it bound to 127.0.0.1.

# clone & run โ€” control panel on http://127.0.0.1:7332
git clone https://github.com/SabyasachiDhal/MCPGoat.git
cd MCPGoat
docker compose up --build
โš ๏ธ Authorized training use only. MCPGoat intentionally contains RCE, SSRF, SQLi, secret leakage and more. Run it locally or in a container โ€” never expose it to a network you don't own.

What it looks like

The control panel is config + progress only โ€” pick a level and track flags. The real target is the MCP server itself โ€” here, in MCP Inspector.

MCPGoat control panel โ€” select an MCP penetration-testing difficulty level and track the capture-the-flag scoreboard
Control panel โ€” pick a level, track the scoreboard
MCP Inspector connected to the vulnerable MCPGoat Model Context Protocol server, listing its tools
MCP Inspector connected to the vulnerable server