Red Specter VECTOR
MCP Protocol Exploitation Framework — 7 subsystems. 172 tests.
Overview
VECTOR targets the Model Context Protocol (MCP) — the emerging standard for connecting AI agents to external tools and data sources. Every MCP server exposes tool descriptions, parameter schemas, and authentication flows that can be exploited. VECTOR finds the gaps.
Every tool call is an attack surface. VECTOR finds the gaps.
Installation
$ vector init
$ vector status
POISONER — Tool Description Poisoning
| ID | Technique | Description |
|---|---|---|
| PS-001 | Description Injection | Inject malicious instructions into MCP tool description fields |
| PS-002 | Metadata Manipulation | Alter tool metadata to influence AI agent decision-making |
| PS-003 | Schema Poisoning | Modify parameter schemas to accept malicious input types |
| PS-004 | Trust Exploitation | Exploit implicit trust in tool registry descriptions |
INJECTOR — Parameter Injection
| ID | Technique | Description |
|---|---|---|
| IJ-001 | Type Confusion | Exploit parameter type validation weaknesses in MCP servers |
| IJ-002 | Nested Injection | Inject payloads via nested object parameters |
| IJ-003 | Schema Bypass | Bypass JSON schema validation through edge cases |
| IJ-004 | Command Injection | Inject OS commands through tool parameter values |
SSRF — Server-Side Request Forgery
Force MCP servers to make unintended network requests. Internal network scanning via tool call parameters. Cloud metadata endpoint access through SSRF chains. Service-to-service exploitation via MCP server trust relationships.
EXFIL — Data Exfiltration
Extract sensitive data through MCP tool responses. Conversation history leakage via crafted tool calls. Context window exfiltration through response manipulation. Cross-session data theft through persistent tool abuse.
IMPERSONATOR — Server Impersonation
Impersonate legitimate MCP servers to intercept tool calls. Man-in-the-middle attacks on MCP connections. Rogue server injection into tool registries. Trust chain exploitation through server certificate manipulation.
AUTH — Authentication Bypass
Bypass MCP authentication mechanisms. OAuth token theft from tool configurations. Session hijacking via MCP transport layer weaknesses. API key extraction from exposed tool server configurations.
REGISTRY — Registry Poisoning
Poison MCP tool registries with malicious tool packages. Supply chain attacks on MCP tool distribution. Typosquatting legitimate tool names. Malicious tool update injection. Registry trust chain exploitation.
VECTOR UNLEASHED
Standard mode detects. UNLEASHED exploits. Ed25519 crypto. Dual-gate safety. One operator.
$ vector scan --target mcp-server.example.com
# UNLEASHED (dry run)
$ vector exploit --target mcp-server.example.com --override
# UNLEASHED (live)
$ vector campaign --target mcp-server.example.com --override --confirm-destroy
UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Targets must be in allowed_targets.txt. 30-minute auto-lock. Unauthorised use violates applicable law.
CLI Reference
| Command | Description |
|---|---|
| vector init | Initialise configuration and Ed25519 keys |
| vector status | System status and subsystem count |
| vector scan | Scan MCP servers for vulnerabilities |
| vector poison | POISONER — tool description poisoning tests |
| vector inject | INJECTOR — parameter injection tests |
| vector ssrf | SSRF — server-side request forgery tests |
| vector exfil | EXFIL — data exfiltration tests |
| vector impersonate | IMPERSONATOR — server impersonation tests |
| vector auth | AUTH — authentication bypass tests |
| vector registry | REGISTRY — registry poisoning tests |
| vector campaign | Full MCP exploitation campaign |
MITRE ATLAS Mapping
VECTOR techniques map to MITRE ATLAS tactics including AML.T0040 (ML Supply Chain Compromise), AML.T0043 (Craft Adversarial Data), and emerging MCP-specific threat vectors for tool-based AI agent exploitation.
Disclaimer
Red Specter VECTOR is for authorised security testing only. MCP protocol exploitation can disrupt AI agent operations and expose sensitive data. You must have explicit written permission before testing any system. Unauthorised use may violate the Computer Misuse Act 1990 (UK), CFAA (US), or equivalent legislation.