Mcp jsonrpc2 ultimate detect #11944
Thanks for your contribution @SemenchenkoA, we appreciate it! :) As a token of appreciation for your valuable contribution, you can grab some cool PD Stickers from here http://nux.gg/stickers . We also have a Discord server, which you’re more than welcome to join. It's a great place to connect with fellow contributors and stay updated with the latest developments!
@SemenchenkoA thanks for adding the template. Regarding severity/impact, is it possible that some MCP servers are intentionally exposed publicly, or should they always be behind auth? If some are meant to be public, I’m not sure how to differentiate between the two cases, but I wanted to check with you before merging this.
MCP servers should not be publicly exposed without auth
I suggest adding an MCP Server detection template, whether it is public or private
Hello @SemenchenkoA, thank you so much for sharing this template with the community and contributing to this project 🍻 I have made a few changes and updated the severity to ‘unknown,’ as the APIs may be read-only by design or may require authentication depending on the matched method. Let me know if the changes look good; then we can merge the templates. Sorry for the delay, and thank you again
Template / PR Information
Hi,
This PR proposes a template to detect exposed MCP servers via multiple JSON-RPC 2.0 methods
https://lab.wallarm.com/wallarm-research-nuclei-template-counter-threats-targeting-llm-apps/
Template Validation
I've validated this template locally?
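The review question above (how to tell an endpoint that answers without auth from one that is gated) can be worked through offline on recorded responses from your own server. This is an added example, not code from the PR or the template; the method names are standard MCP methods chosen as an assumption (the page does not list the template's methods), and the sample responses are constructed.

```python
import json

# Assumption: the page does not list the template's methods; these are
# standard MCP method names, used here only as sample labels.
SENSITIVE = {"tools/list", "resources/list", "prompts/list"}
# Findings ordered from least to most concerning.
ORDER = ["not-jsonrpc", "auth-required", "jsonrpc-error", "open-handshake", "open-listing"]

def parse_body(body):
    """Return the JSON-RPC object from a plain JSON or SSE-framed body, else None."""
    candidates = [body]
    # HTTP transports may wrap the message in SSE "data:" lines.
    candidates += [l[5:].strip() for l in body.splitlines() if l.startswith("data:")]
    for text in candidates:
        try:
            obj = json.loads(text)
        except ValueError:
            continue
        if isinstance(obj, dict) and obj.get("jsonrpc") == "2.0":
            return obj
    return None

def classify(method, status, body):
    """Classify one recorded response to a request sent without credentials."""
    if status in (401, 403):
        return "auth-required"
    msg = parse_body(body)
    if msg is None:
        return "not-jsonrpc"
    if "result" in msg:
        return "open-listing" if method in SENSITIVE else "open-handshake"
    if isinstance(msg.get("error"), dict):
        return "jsonrpc-error"  # speaks JSON-RPC 2.0 but refused this call
    return "not-jsonrpc"

def summarize(records):
    """Most concerning finding across all methods recorded for one endpoint."""
    return max((classify(*r) for r in records), key=ORDER.index, default="not-jsonrpc")

# Constructed sample responses (not captured from any real server).
SAMPLE_OPEN = [
    ("initialize", 200, '{"jsonrpc":"2.0","id":1,"result":{"serverInfo":{"name":"demo"}}}'),
    ("tools/list", 200, 'event: message\ndata: {"jsonrpc":"2.0","id":2,"result":{"tools":[]}}\n\n'),
]
SAMPLE_GATED = [
    ("initialize", 401, '{"error":"unauthorized"}'),
    ("tools/list", 401, '{"error":"unauthorized"}'),
]
```

A per-method result like this is what lets a finding be triaged by which method answered, rather than by a single fixed severity.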