MCP - Pentest

MCP server from 9olidity/MCP-Server-Pentest

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio 9olidity-mcp-server-pentest npx -y /Users/...../dist/index.js

How to use

MCP - Pentest is a browser-based testing server built on Playwright that automates common web app security checks and interactions. It provides capabilities to automatically detect browser-based vulnerabilities such as reflected XSS and potential SQL injection, capture full-page or element screenshots, simulate real user interactions (navigation, clicks, form filling), monitor console logs, and execute JavaScript within the browser context. Use the included tools to perform targeted security tests on a given web application by directing the browser to URLs, providing parameters, and inspecting the results returned by each tool.

To use it, first ensure the server is installed and configured via the provided mcp_config. The server runs a set of tools under the Playwright runtime, such as broser_url_reflected_xss for XSS checks, browser_url_sql_injection for SQLi checks, browser_navigate to visit URLs, browser_screenshot for captures, browser_click and related interaction tools, and browser_evaluate to run custom scripts in the page context. Each tool accepts a JSON payload with the required fields (e.g., url, paramName, selector, value, text) and returns structured results that you can review for security findings. You can chain multiple tools to simulate real-world usage and document any vulnerabilities or observations found during testing.

How to install

Prerequisites:

  • Node.js and npm installed on your system
  • Git (optional, for cloning repositories)

Install and prepare the server:

  1. Install dependencies and build assets

    • Run: npm install && npm run build
  2. Install Playwright browsers (required for the testing runtime)

    • Run: npx playwright install firefox
  3. Ensure the server is ready to run. The README shows an example that uses npx to execute the built server entrypoint (dist/index.js). If you are integrating with an MCP manager, ensure the command and arguments match the mcp_config example. A minimal launch flow would be:

    • Confirm dist/index.js exists after build
    • Start or register the MCP server using the provided configuration (as shown below in mcp_config).
  4. Optional verification: run a quick test to ensure the server can initialize and expose its tools via the MCP interface.
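One way to do the optional verification in step 4, as an added example that is not part of the MCP-Server-Pentest project: it sends the MCP initialize and tools/list messages over stdio and compares the tools the server exposes with the names listed on this page, so unexpected tools show up before the server is handed to an agent. The helper names, the MCP_ENTRY variable and the protocol version string "2024-11-05" are assumptions of this example.

```javascript
// Tool names as this page's text spells them (the inventory you expect).
const EXPECTED_TOOLS = ["broser_url_reflected_xss", "browser_url_sql_injection",
  "browser_navigate", "browser_screenshot", "browser_click", "browser_evaluate"];
const LIST_ID = 2; // JSON-RPC id of the tools/list request
// Constructed sample of server stdout: a log line, then a tools/list response.
const SAMPLE_STDOUT = 'starting\n{"jsonrpc":"2.0","id":2,"result":{"tools":[' +
  '{"name":"browser_navigate"},{"name":"browser_evaluate"},{"name":"extra_tool"}]}}\n';
// MCP stdio transport: one JSON-RPC 2.0 message per line.
function buildHandshake() {
  return [
    { jsonrpc: "2.0", id: 1, method: "initialize", params: { protocolVersion: "2024-11-05",
      capabilities: {}, clientInfo: { name: "tool-inventory-check", version: "0.0.1" } } },
    { jsonrpc: "2.0", method: "notifications/initialized" },
    { jsonrpc: "2.0", id: LIST_ID, method: "tools/list" },
  ].map((m) => JSON.stringify(m) + "\n").join("");
}

// Extract tool names from server stdout, skipping non-JSON lines.
function parseToolNames(stdoutText) {
  for (const line of stdoutText.split("\n")) {
    let msg = null;
    try { msg = JSON.parse(line); } catch { continue; }
    const tools = msg && msg.id === LIST_ID && msg.result && msg.result.tools;
    if (Array.isArray(tools)) return tools.map((t) => t.name);
  }
  return null; // no tools/list response seen
}

// Expected tools that are absent, and exposed tools nobody expected.
function diffTools(actual, expected = EXPECTED_TOOLS) {
  return { missing: expected.filter((n) => !actual.includes(n)),
           unexpected: actual.filter((n) => !expected.includes(n)) };
}
// Live check: start the built entry file, handshake, then list and diff tools.
async function checkServer(entryPath, timeoutMs = 15000) {
  const { spawn } = await import("node:child_process");
  const child = spawn("node", [entryPath], { stdio: ["pipe", "pipe", "inherit"] });
  let out = "";
  child.stdout.on("data", (d) => { out += d; });
  child.stdin.write(buildHandshake());
  const deadline = Date.now() + timeoutMs;
  while (parseToolNames(out) === null && Date.now() < deadline) await new Promise((r) => setTimeout(r, 100));
  child.kill();
  const names = parseToolNames(out);
  return names === null ? null : diffTools(names);
}
// MCP_ENTRY (hypothetical variable) = path to dist/index.js; else use the sample.
if (process.env.MCP_ENTRY) checkServer(process.env.MCP_ENTRY).then(console.log);
else console.log(diffTools(parseToolNames(SAMPLE_STDOUT)));
```

A null result from checkServer means no tools/list response arrived before the timeout; a non-empty unexpected list is worth reviewing before registering the server.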

Additional notes

Tips and notes:

  • The server relies on Playwright; ensure the target environment has network access and the necessary permissions to launch browser instances.
  • If you encounter path issues for dist/index.js, adjust the absolute path in the mcp_config to point to your built entry file.
  • The tools accept JSON payloads; ensure fields like url, selector, and text are correctly provided for each tool.
  • If you need to disable the server temporarily, set disabled to true in the mcp_config.
  • For troubleshooting, check console output and any logs produced by the browser context during tests; common issues include blocked navigations, CSP restrictions, or missing browser binaries.
