MCP Goat

A deliberately vulnerable MCP (Model Context Protocol) application for learning MCP security through hands-on exercises. Inspired by AndroGoat, OWASP WebGoat, and other vulnerable applications. MCP Goat covers all 10 categories of the OWASP MCP Top 10.

WARNING: This application contains intentionally vulnerable servers. Do NOT expose to untrusted networks. For educational use only.

Quick Start

# Clone the repo
git clone https://github.com/satishpatnayak/MCP-Goat.git
cd MCP-Goat

# Create virtual environment and install
uv venv && source .venv/bin/activate && uv pip install -e .
# OR without uv:
python3 -m venv .venv && source .venv/bin/activate && pip install -e .

# List all challenges
mcp-goat list

# Start a vulnerable server
mcp-goat run mcp01-c01

# View guided exercise instructions
mcp-goat exercise mcp01-c01

# Get LLM client config snippet
mcp-goat config mcp01-c01

How It Works

1. Choose a challenge from the list (mcp-goat list)
2. Read the exercise (mcp-goat exercise <id>) to understand the vulnerability
3. Start the vulnerable server (mcp-goat run <id>)
4. Connect your LLM client (Claude Desktop, Cursor, LM Studio, MCP Inspector)
5. Explore and exploit the vulnerability following the guided steps
6. Learn the mitigations from the solution section

Connecting to Your LLM Client

Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-goat": {
      "command": "/full/path/to/mcp-goat/.venv/bin/mcp-goat",
      "args": ["run", "mcp01-c01"]
    }
  }
}

Cursor

Go to Settings → Cursor Settings → MCP → Add new MCP Server, or edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "mcp-goat": {
      "command": "/full/path/to/mcp-goat/.venv/bin/mcp-goat",
      "args": ["run", "mcp01-c01"]
    }
  }
}

Important: Use the full path to mcp-goat inside the .venv/bin/ directory. LLM clients don't activate virtual environments, so the bare mcp-goat command won't work.

To get your full path, run: echo "$(pwd)/.venv/bin/mcp-goat"

MCP Inspector

npx @modelcontextprotocol/inspector mcp-goat run mcp01-c01

Challenges

Category	ID	Title	Difficulty
MCP01 — Token Mismanagement & Secret Exposure	mcp01-c01	Leaked API Key	Beginner
MCP01 — Token Mismanagement & Secret Exposure	mcp01-c02	Plaintext OAuth Token	Intermediate
MCP02 — Privilege Escalation	mcp02-c01	Path Traversal	Beginner
MCP02 — Privilege Escalation	mcp02-c02	Write Escalation	Intermediate
MCP03 — Tool Poisoning	mcp03-c01	Tool Shadowing	Advanced
MCP03 — Tool Poisoning	mcp03-c02	Hidden Prompt Injection in Description	Intermediate
MCP04 — Supply Chain Attacks	mcp04-c01	Malicious Dependency	Advanced
MCP04 — Supply Chain Attacks	mcp04-c02	Backdoored Plugin	Advanced
MCP05 — Command Injection	mcp05-c01	DNS Lookup Injection	Intermediate
MCP05 — Command Injection	mcp05-c02	SQL Injection	Intermediate
MCP06 — Intent Flow Subversion	mcp06-c01	System Prompt Override	Advanced
MCP06 — Intent Flow Subversion	mcp06-c02	Fake Tool Result Injection	Advanced
MCP07 — Insufficient Auth & Authorization	mcp07-c01	No Authentication	Beginner
MCP07 — Insufficient Auth & Authorization	mcp07-c02	Broken Access Control / IDOR	Intermediate
MCP08 — Lack of Audit & Telemetry	mcp08-c01	Silent Data Exfiltration	Intermediate
MCP09 — Shadow Servers	mcp09-c01	Rogue MCP Server	Advanced
MCP10 — Context Injection & Over-Sharing	mcp10-c01	Cross-Agent Context Leak	Intermediate
MCP10 — Context Injection & Over-Sharing	mcp10-c02	PII Over-Sharing	Beginner

Adding New Challenges

1. Create a directory under src/mcp_goat/challenges/<category>/<challenge>/
2. Add:
   • __init__.py
   • challenge.py — subclass Challenge with metadata
   • server.py — the vulnerable FastMCP server
   • exercise.md — guided exercise instructions
3. Run mcp-goat list — auto-discovery picks it up immediately

Requirements

• Python 3.11+
• uv (recommended) or pip
• Dependencies (installed automatically): mcp, click, rich, pyyaml

References

• OWASP MCP Top 10
• Model Context Protocol
• MCP Security Cheat Sheet

License

MIT