Releases · Agent-Hellboy/mcp-server-fuzzer

Add streamablehttp support by @Agent-Hellboy in #60
update docs by @Agent-Hellboy in #63
Fix asyncio issues by @Agent-Hellboy in #64
Improve safety system by @Agent-Hellboy in #66
refactor and add tests by @Agent-Hellboy in #68
Make runtime async only by @Agent-Hellboy in #69
make fuzzer async by @Agent-Hellboy in #72
reorg client by @Agent-Hellboy in #73
Fix duplicate server requests in protocol client and improve code for… by @Agent-Hellboy in #74
Add JSON Schema parser and property-based invariants system by @Agent-Hellboy in #75
Reorganize tests into component-based structure by @Agent-Hellboy in #76
Add custom transport support (fixes #9) by @Agent-Hellboy in #82
Add unittest for report and integration tests by @Agent-Hellboy in #77
Add missing MCP protocol types and enhance fuzzing coverage by @Agent-Hellboy in #78
Fix Hypothesis deadlock by converting strategies to async by @Agent-Hellboy in #80
Improve transport layer by @Agent-Hellboy in #81
Improve docs by @Agent-Hellboy in #79
feat: Add comprehensive performance optimizations and resource manage… by @Agent-Hellboy in #83
feat: use emoji library for emoji handling in Python code by @Agent-Hellboy in #85
feat: Add comprehensive MCP schema fuzzing support by @Agent-Hellboy in #86
Feature/standardized output format by @Agent-Hellboy in #87
Improve docs by @Agent-Hellboy in #89

Full Changelog: v0.1.8...v0.1.9

Contributors

Agent-Hellboy

Assets 4

12 Aug 15:43

Agent-Hellboy

v0.1.8

e43325f

Major design change

v0.1.8

Update pyproject.toml

Assets 2

12 Aug 15:48

github-actions

v0.1.7

7cc0fa4

Release v0.1.7

Assets 4

08 Aug 15:48

Agent-Hellboy

v0.1.5

e51b999

Release v0.1.5 - AuthNZ tool fuzzing Support + Two-Phase Fuzzing

Major Features

Authentication-Based Tool Fuzzing

NEW: Fuzz tools that require authentication! 🎯
API Key Authentication: Bearer token support for protected endpoints
Basic Authentication: Username/password authentication
OAuth Token Authentication: OAuth bearer token support
Custom Headers: Flexible custom authentication headers
Tool-Specific Auth: Different authentication per tool via configuration
Configuration Options: JSON config files + environment variables

Two-Phase Fuzzing Architecture

NEW: --phase CLI argument supporting realistic, aggressive, and both modes
Realistic Phase: Tests with valid, compliant data to verify correct functionality
Aggressive Phase: Tests with malicious, malformed data to find security vulnerabilities
Comprehensive Testing: Run both phases with single --phase both command

Technical Improvements

Modular Strategy Architecture

Complete reorganization for maintainability and extensibility:

strategy/
├── strategy_manager.py          # Unified interface
├── realistic/
│   ├── tool_strategy.py         # Valid tool arguments (UUID, Base64, timestamps)
│   └── protocol_type_strategy.py # Valid protocol messages
└── aggressive/
    ├── tool_strategy.py         # Malicious tool arguments (injections, overflows)  
    └── protocol_type_strategy.py # Malformed protocol messages

Enhanced Fuzzing Capabilities

Phase-Aware Fuzzing: Strategy selection based on testing goals
Realistic Strategies: Base64 strings, UUIDs, ISO-8601 timestamps, semantic versions
Aggressive Strategies: SQL injection, XSS, path traversal, buffer overflows, null bytes
Authentication Integration: All fuzzing modes work with authenticated tools

Usage Examples

Authentication-Based Fuzzing

# Fuzz authenticated tools with config file
mcp-fuzzer --mode tools --auth-config examples/auth_config.json --endpoint http://localhost:8000/

# Fuzz authenticated tools with environment variables
export MCP_API_KEY="sk-your-api-key"
mcp-fuzzer --mode tools --auth-env --endpoint http://localhost:8000/

# Two-phase fuzzing with authentication
mcp-fuzzer --mode both --phase both --auth-config auth_config.json --endpoint http://localhost:8000/

Two-Phase Fuzzing

# Realistic fuzzing - test with valid data
mcp-fuzzer --mode both --phase realistic --protocol http --endpoint http://localhost:8000/mcp/

# Aggressive fuzzing - test with attack data
mcp-fuzzer --mode both --phase aggressive --protocol http --endpoint http://localhost:8000/mcp/

# Comprehensive testing - both phases
mcp-fuzzer --mode both --phase both --protocol http --endpoint http://localhost:8000/mcp/

Authentication Configuration

{
  "providers": {
    "openai_api": {
      "type": "api_key",
      "api_key": "sk-your-openai-api-key",
      "header_name": "Authorization"
    },
    "github_api": {
      "type": "api_key", 
      "api_key": "ghp-your-github-token",
      "header_name": "Authorization"
    }
  },
  "tool_mappings": {
    "openai_chat": "openai_api",
    "github_search": "github_api"
  }
}

New CLI Arguments

--phase {realistic,aggressive,both}: Choose fuzzing strategy approach
--auth-config PATH: Authentication configuration file
--auth-env: Use environment variables for authentication

Bug Fixes

Fixed E501 line length linting errors across codebase
Resolved async test execution issues in unittest suite
Fixed transport mock configuration for proper async context management
Corrected import order and formatting consistency
Cleaned up redundant example files

Statistics

+2,024 lines added, -2,522 lines removed (net code reduction through modularization)
27 files changed across authentication and fuzzing improvements
171 unit tests added with 74% coverage
6 new CLI features: auth-config, auth-env, phase selection, realistic/aggressive modes

This release makes MCP Fuzzer significantly more powerful by adding authentication support for protected tools and implementing a sophisticated two-phase fuzzing approach. You can now fuzz both public and private/authenticated MCP tools with comprehensive realistic and aggressive testing strategies.

What's Changed

Add auth flags to fuzz tools with auth by @Agent-Hellboy in #23
clean strategy and add unittest by @Agent-Hellboy in #25
feat(strategy): Add new flag to fuzz the server with realistic and ag… by @Agent-Hellboy in #27

Full Changelog: v0.1.4...v0.1.6

Contributors

Agent-Hellboy

Assets 2

06 Aug 11:37

Agent-Hellboy

v0.1.4

98c053a

Add ability to fuzz the schema from https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/schema/2024-11-05/schema.ts

What's Changed

Improve fuzzer by @Agent-Hellboy in #17

Full Changelog: v0.1.3...v0.1.4

Contributors

Agent-Hellboy

Assets 2

06 Aug 06:24

Agent-Hellboy

v0.1.3

78fc671

Update contact info

Full Changelog: v0.1.2...v0.1.3

Assets 2

05 Aug 20:39

Agent-Hellboy

v0.1.2

e2e90ca

Arch changes

What's Changed

Refactor by @Agent-Hellboy in #8

Full Changelog: v0.1.1...v0.1.2

Contributors

Agent-Hellboy

Assets 2

Uh oh!

Releases: Agent-Hellboy/mcp-server-fuzzer

v0.2.1

What's Changed

Contributors

Uh oh!

v0.2.0

What's Changed

Contributors

Uh oh!

v0.1.9

What's Changed

Contributors

Uh oh!

Major design change

Uh oh!

Release v0.1.7

Uh oh!

Release v0.1.5 - AuthNZ tool fuzzing Support + Two-Phase Fuzzing

Major Features

Authentication-Based Tool Fuzzing

Two-Phase Fuzzing Architecture

Technical Improvements

Modular Strategy Architecture

Enhanced Fuzzing Capabilities

Usage Examples

Authentication-Based Fuzzing

Two-Phase Fuzzing

Authentication Configuration

New CLI Arguments

Bug Fixes

Statistics

What's Changed

Contributors

Uh oh!

Add ability to fuzz the schema from https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/schema/2024-11-05/schema.ts

What's Changed

Contributors

Uh oh!

Update contact info

Uh oh!

Arch changes

What's Changed

Contributors

Uh oh!