MCP Server Security & Performance Analysis — v0.3.0
| Test ID | Severity | Test Name | Description / Details | Duration |
|---|---|---|---|---|
| SECURITY · 149 tests | ||||
| T07-002-02 | MEDIUM | Malformed Token: Empty bearer token | Unexpected exception: LocalProtocolError: Illegal header value b'Bearer ' | 585ms |
| T07-005 | MEDIUM | CORS Misconfiguration | Server returns 'Access-Control-Allow-Origin: *' — any browser origin can connect to this MCP server. Wildcard CORS — any browser origin can connect to this MCP server. Remediation: Restrict the CORS origin allowlist to known, trusted domains. A wildcard allows a malicious web page to make authenticated cross-origin calls to this MCP server. | 615ms |
| T07-010 | LOW | Duplicate Initialize (Replay Attack) | Server accepted a second initialize() call on an already active session. The session remained usable, but the server sta… Double initialize() succeeded. Post-replay list_tools() succeeded — session is still functional but capabilities or internal state may have been altered. Remediation: The server should reject or ignore repeated initialize() calls. Accepting them enables mid-session protocol version downgrade and capability reset attacks. | 672ms |
| T07-013 | LOW | Protocol Version Abuse | Server did not negotiate a recognised MCP protocol version (version is empty or unknown). Remediation: Ensure the server returns a valid protocolVersion in its initialize response (e.g. '2024-11-05'). Clients rely on this to select compatible behaviour. | 0ms |
| T24-001 | LOW | Deserialisation — Summary | 1 tool(s) leaked deserialiser markers in error messages. | 19059ms |
| T24-TOOL-search_cloudflare_do-DS-005 | LOW | Deserialisation DS-005 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' error suggests XML parser is being invoked on user input. No confirmed RCE — revi… Match: 'DTD' | 2187ms |
| T07-001 | INFO | Unauthenticated MCP Access | Unexpected HTTP status 404 on unauthenticated probe. Unexpected status: 404 | 710ms |
| T07-002-01 | INFO | Malformed Token: Invalid bearer token | HTTP 404 for Invalid bearer token — unable to confirm rejection. | 773ms |
| T07-002-03 | INFO | Malformed Token: Basic auth instead of Bearer | HTTP 404 for Basic auth instead of Bearer — unable to confirm rejection. | 787ms |
| T07-002-04 | INFO | Malformed Token: Wrong API key format | HTTP 404 for Wrong API key format — unable to confirm rejection. | 598ms |
| T07-003 | INFO | Resource URI Path Traversal | Server advertises no resources — path traversal test skipped. | 0ms |
| T07-006 | INFO | Process Privilege Check | Process privilege check requires STDIO transport — skipped (transport='http'). | 0ms |
| T07-007 | INFO | Environment Variable Probe | Environment variable probe requires STDIO transport — skipped (transport='http'). | 0ms |
| T13-002 | INFO | Unsolicited Sampling Requests | MCP client SDK does not expose an incoming-request hook; unsolicited sampling detection relies on capability audit (T13-001). | 1361ms |
| T17-002 | INFO | Description Fingerprint Inventory | Catalogued 3 SHA-256 description fingerprints. Use `mcpsafe compare` to detect drift across scans. tool:search_cloudflare_documentation = fb5bf70a271f9ccaf9062c13f058b203e21fe88ee413284e495d9035eb2c7513; tool:migrate_pages_to_workers_guide = fc1b50a88c58bc18d7add334587e6d1624d0b88357cd88486ea9bd6f1be37808; prompt:workers-prompt-full = 07abf707ebcefee88382f79d897d6044c2bbd61df9689f3592e599d9154c42b3 | 0ms |
| T18-001 | INFO | SSRF — Summary | Server does not expose resources/read; SSRF probes skipped. | 0ms |
| T25-001 | INFO | IDOR — Summary | Server does not expose resources — IDOR probe skipped. | 0ms |
| T27-001 | INFO | Session Token Reuse After Close | Could not extract the session identifier from SDK internals — reuse-after-close check could not be performed. | 2097ms |
| T27-002 | INFO | Session Token Entropy | No session token exposed by SDK — entropy check skipped. | 0ms |
| T27-003 | INFO | Session Token Leak in Response | No session token exposed by SDK — leak check skipped. | 0ms |
| T30-001 | INFO | OAuth AS Discovery | Server does not expose .well-known/oauth-authorization-server (status 404). OAuth flow tests will be skipped. | 778ms |
| T02-search_cloudflare_documentation-PI-001 | PASS | Injection PI-001 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-001 (Classic override) gracefully. Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/waf/detections/ai-security-for-apps/prompt-injection/</url>\n<title></title>\n<text>\n### Why a score instead of a boolea' | 3368ms |
| T02-search_cloudflare_documentation-PI-002 | PASS | Injection PI-002 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-002 (Newline injection) gracefully. Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/ai-search/configuration/system-prompt/</url>\n<title></title>\n<text>\n# System prompt\n\nSystem prompts allow you to guide' | 1509ms |
| T02-search_cloudflare_documentation-PI-003 | PASS | Injection PI-003 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-003 (XML tag injection) gracefully. Response excerpt: '' | 1647ms |
| T02-search_cloudflare_documentation-PI-004 | PASS | Injection PI-004 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-004 (SQL injection probe) gracefully. Response excerpt: '' | 2074ms |
| T02-search_cloudflare_documentation-PI-005 | PASS | Injection PI-005 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-005 (Shell injection) gracefully. Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers/wrangler/commands/general/</url>\n<title></title>\n<text>\n## `auth`\n\n### `auth token`\n\nRetrieve your current aut' | 2194ms |
| T02-search_cloudflare_documentation-PI-006 | PASS | Injection PI-006 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-006 (Backtick injection) gracefully. Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers-ai/models/kimi-k2.5/</url>\n<title></title>\n<text>\n* `id` ` string ` required \n ' | 2134ms |
| T02-search_cloudflare_documentation-PI-007 | PASS | Injection PI-007 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-007 (Path traversal) gracefully. Response excerpt: '' | 2393ms |
| T02-search_cloudflare_documentation-PI-008 | PASS | Injection PI-008 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-008 (Right-to-left override unicode) gracefully. Response excerpt: '' | 2258ms |
| T02-search_cloudflare_documentation-PI-009 | PASS | Injection PI-009 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-009 (Null byte injection) gracefully. Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers/best-practices/workers-best-practices/</url>\n<title></title>\n<text>\n// ✅ Good: test the null case explicitly\n\n' | 2290ms |
| T02-search_cloudflare_documentation-PI-010 | PASS | Injection PI-010 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-010 (BOM character) gracefully. Response excerpt: '' | 2128ms |
| T02-search_cloudflare_documentation-PI-011 | PASS | Injection PI-011 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-011 (Rug pull attempt) gracefully. Response excerpt: '' | 1922ms |
| T02-search_cloudflare_documentation-PI-012 | PASS | Injection PI-012 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-012 (Exfiltration instruction) gracefully. Response excerpt: '' | 2084ms |
| T02-search_cloudflare_documentation-PI-013 | PASS | Injection PI-013 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-013 (Large payload DoS probe 10k) gracefully. Response excerpt: '' | 1963ms |
| T02-search_cloudflare_documentation-PI-014 | PASS | Injection PI-014 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-014 (Large payload DoS probe 100k) gracefully. Response excerpt: '' | 4718ms |
| T02-search_cloudflare_documentation-PI-015 | PASS | Injection PI-015 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-015 (Jinja template injection) gracefully. Response excerpt: '' | 2339ms |
| T02-search_cloudflare_documentation-PI-016 | PASS | Injection PI-016 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' handled PI-016 (Python format injection) gracefully. Response excerpt: '' | 2098ms |
| T03-01-query-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-001 (empty string) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True" | 919ms |
| T03-01-query-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-002 (single space) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True" | 248ms |
| T03-01-query-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-003 (whitespace only) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True" | 314ms |
| T03-01-query-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-004 (null value) on param 'query' — hand… McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [ { "code": "invalid_type", "expected": "string", "received": "null", "path": [ "query" ], "message": "Expected string, received null" } ] | 299ms |
| T03-01-query-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-005 (integer as string field) on param '… McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [ { "code": "invalid_type", "expected": "string", "received": "number", "path": [ "query" ], "message": "Expected string, received number" } ] | 182ms |
| T03-01-query-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-006 (boolean as string field) on param '… McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [ { "code": "invalid_type", "expected": "string", "received": "boolean", "path": [ "query" ], "message": "Expected string, received boolean" } ] | 163ms |
| T03-01-query-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-007 (list as string field) on param 'que… McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [ { "code": "invalid_type", "expected": "string", "received": "array", "path": [ "query" ], "message": "Expected string, received array" } ] | 329ms |
| T03-01-query-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'que… McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [ { "code": "invalid_type", "expected": "string", "received": "object", "path": [ "query" ], "message": "Expected string, received object" } ] | 191ms |
| T03-01-query-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-009 (very long string 10k) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False" | 2372ms |
| T03-01-query-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-010 (newlines and tabs) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True" | 304ms |
| T03-01-query-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-011 (null byte in string) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False" | 2221ms |
| T03-01-query-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → search_cloudflare_documentation.query | Tool 'search_cloudflare_documentation' handled FUZZ-STR-012 (all unicode planes) on param 'query' correctly. Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False" | 1793ms |
| T04-001 | PASS | Rug Pull Detection (Mutation Check) | All 2 tool description(s) were stable across two list_tools() calls (3 s apart). | 3282ms |
| T04-002 | PASS | Hidden Instruction Scan | No suspicious patterns found in 2 tool description(s). | 0ms |
| T04-003 | PASS | Cross-Tool Reference Detection | No cross-tool name references found across 2 tool descriptions. | 0ms |
| T04-004 | PASS | Schema Field Injection Check | All 2 tool inputSchema(s) contain only sanctioned JSON Schema fields. | 0ms |
| T04-005 | PASS | Tool Count Stability Check | Tool count stable at 2 across 5 polls (2.5s window). Counts per poll: [2, 2, 2, 2, 2] | 3935ms |
| T07-004 | PASS | Credentials in Error Messages | No credential patterns found in error response for non-existent tool call. Error excerpt: 'MCP error -32602: Tool mcpsafe_nonexistent_tool_probe not found' | 294ms |
| T07-008 | PASS | Invalid Tool Name Rejection | Server correctly rejected all invalid tool names. | 1319ms |
| T07-009 | PASS | Oversized Argument Rejection | Server correctly rejected oversized tool arguments. | 836ms |
| T07-011 | PASS | Deeply Nested Argument (JSON Bomb) | Server rejected deeply nested JSON argument. | 1ms |
| T07-012 | PASS | Unicode Homoglyph Tool Name Spoofing | Server rejected homoglyph tool name 'seаrch_cloudflare_documentation' correctly. | 235ms |
| T09-001 | PASS | Output Sanitization — Summary | All 2 tool outputs and 0 resource reads passed PI-marker scanning. | 1412ms |
| T09-TOOL-migrate_pages_to_workers_gui | PASS | Output Sanitization → migrate_pages_to_workers_guide | Tool 'migrate_pages_to_workers_guide' output clean — no prompt-injection markers detected. | 558ms |
| T09-TOOL-search_cloudflare_documentat | PASS | Output Sanitization → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' output clean — no prompt-injection markers detected. | 853ms |
| T10-001 | PASS | Cross-Session Data Leakage | Marker planted in 1 tool(s) via session A did not leak into an independent session B — state appears correctly partitioned. | 6083ms |
| T11-001 | PASS | Timing Side-Channel — Summary | Probed 1 tool(s); no timing oracles detected. | 17168ms |
| T11-TOOL-search_cloudflare_documentat | PASS | Timing Side-Channel → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' does not appear to leak timing information (mean 1955.3 ms vs 1953.4 ms, ratio 1.00×). | 17168ms |
| T12-001 | PASS | Error Secret Leakage — Summary | Probed 2 tool(s) and 0 resources; no secret patterns detected in error messages. | 4753ms |
| T12-TOOL-migrate_pages_to_workers_gui | PASS | Error Secret Leakage → migrate_pages_to_workers_guide | Tool 'migrate_pages_to_workers_guide' never errored on malformed inputs — nothing to scan. | 233ms |
| T12-TOOL-search_cloudflare_documentat | PASS | Error Secret Leakage → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' errored on 2 malformed input(s); no secret patterns found in error text. | 4517ms |
| T13-001 | PASS | Sampling Capability Advertisement | Server does not advertise the 'sampling' capability. | 0ms |
| T13-003 | PASS | Sampling Abuse — Summary | No sampling-abuse surface detected. | 1361ms |
| T14-001 | PASS | Notification Flood Rate | Server sent 0 notifications during a 5s quiet window (0.0/sec) — well within expected bounds. | 6337ms |
| T14-002 | PASS | Notification Flood — Summary | No notification-flood risk detected. | 6337ms |
| T15-001 | PASS | Reentrancy — Summary | Probed 1 tool(s) with 6 concurrent invocations each; no state-bleed detected. | 2043ms |
| T15-TOOL-search_cloudflare_documentat | PASS | Reentrancy → search_cloudflare_documentation | 6 concurrent calls to 'search_cloudflare_documentation' returned independent results — no state bleed detected. | 2043ms |
| T16-001 | PASS | Tool Set Drift | Tool inventory stable across snapshots. | 4938ms |
| T16-002 | PASS | Resource Set Drift | Resource inventory stable. | 0ms |
| T16-004 | PASS | Server Capability Drift | Server capabilities stable. | 0ms |
| T16-005 | PASS | Capability Creep — Summary | All capability surfaces stable over 3s window. | 4938ms |
| T17-001 | PASS | Cross-Session Hash Drift | All 3 descriptions match byte-for-byte across two independent sessions. | 4980ms |
| T19-001 | PASS | Non-ASCII Identifiers | All identifiers are pure ASCII. | 0ms |
| T19-002 | PASS | Confusable / Homoglyph Characters | No Unicode confusables detected in identifiers. | 0ms |
| T19-003 | PASS | Mixed-Script Identifiers | No mixed-script identifiers found. | 0ms |
| T19-004 | PASS | Invisible / Directional Characters | No invisible characters in identifiers. | 0ms |
| T19-005 | PASS | Homoglyph Scan — Summary | Scanned 3 identifier(s); no impersonation signals detected. | 0ms |
| T21-001 | PASS | Path Traversal — Summary | 12 probe(s) sent, no traversal to sensitive files confirmed. | 27278ms |
| T21-TOOL-search_cloudflare_do-PT-001 | PASS | Path Traversal PT-001 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Plain Unix. | 3028ms |
| T21-TOOL-search_cloudflare_do-PT-002 | PASS | Path Traversal PT-002 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Plain Windows. | 3483ms |
| T21-TOOL-search_cloudflare_do-PT-003 | PASS | Path Traversal PT-003 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected URL-encoded. | 2029ms |
| T21-TOOL-search_cloudflare_do-PT-004 | PASS | Path Traversal PT-004 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Double URL-encoded. | 1831ms |
| T21-TOOL-search_cloudflare_do-PT-005 | PASS | Path Traversal PT-005 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected UTF-8 overlong. | 1633ms |
| T21-TOOL-search_cloudflare_do-PT-006 | PASS | Path Traversal PT-006 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Backslash + forward. | 2254ms |
| T21-TOOL-search_cloudflare_do-PT-007 | PASS | Path Traversal PT-007 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Unicode normalisation. | 1917ms |
| T21-TOOL-search_cloudflare_do-PT-008 | PASS | Path Traversal PT-008 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected NUL byte truncation. | 2008ms |
| T21-TOOL-search_cloudflare_do-PT-009 | PASS | Path Traversal PT-009 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Absolute Unix path. | 1828ms |
| T21-TOOL-search_cloudflare_do-PT-010 | PASS | Path Traversal PT-010 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Absolute Windows path. | 2288ms |
| T21-TOOL-search_cloudflare_do-PT-011 | PASS | Path Traversal PT-011 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Resource file:// scheme. | 3086ms |
| T21-TOOL-search_cloudflare_do-PT-012 | PASS | Path Traversal PT-012 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Proto-smuggling. | 1893ms |
| T22-001 | PASS | Command Injection — Summary | 8 probe(s) sent, no shell execution confirmed. | 16523ms |
| T22-TOOL-search_cloudflare_do-CI-001 | PASS | Command Injection CI-001 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Semicolon chain. | 2499ms |
| T22-TOOL-search_cloudflare_do-CI-002 | PASS | Command Injection CI-002 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Pipe. | 2699ms |
| T22-TOOL-search_cloudflare_do-CI-003 | PASS | Command Injection CI-003 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Background ampersand. | 1768ms |
| T22-TOOL-search_cloudflare_do-CI-004 | PASS | Command Injection CI-004 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Logical AND. | 1918ms |
| T22-TOOL-search_cloudflare_do-CI-005 | PASS | Command Injection CI-005 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Logical OR. | 1881ms |
| T22-TOOL-search_cloudflare_do-CI-006 | PASS | Command Injection CI-006 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Command substitution $(). | 1557ms |
| T22-TOOL-search_cloudflare_do-CI-007 | PASS | Command Injection CI-007 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Backtick cmdsub. | 2426ms |
| T22-TOOL-search_cloudflare_do-CI-010 | PASS | Command Injection CI-010 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Windows cmd chain. | 1774ms |
| T23-001 | PASS | SQL Injection Deep — Summary | No deep SQLi findings across 1 probed tool(s). | 24904ms |
| T23-TOOL-search_cloudflare_do-SQL-001 | PASS | SQL SQL-001 → search_cloudflare_documentation | No SQLi detected via UNION version on 'search_cloudflare_documentation'. baseline=3366ms payload=2395ms | 2395ms |
| T23-TOOL-search_cloudflare_do-SQL-002 | PASS | SQL SQL-002 → search_cloudflare_documentation | No SQLi detected via UNION sqlite_ver on 'search_cloudflare_documentation'. baseline=3366ms payload=2341ms | 2341ms |
| T23-TOOL-search_cloudflare_do-SQL-003 | PASS | SQL SQL-003 → search_cloudflare_documentation | No SQLi detected via Boolean true on 'search_cloudflare_documentation'. baseline=3366ms payload=2090ms | 2090ms |
| T23-TOOL-search_cloudflare_do-SQL-004 | PASS | SQL SQL-004 → search_cloudflare_documentation | No SQLi detected via Boolean false on 'search_cloudflare_documentation'. baseline=3366ms payload=2170ms | 2170ms |
| T23-TOOL-search_cloudflare_do-SQL-005 | PASS | SQL SQL-005 → search_cloudflare_documentation | No SQLi detected via Time blind PG on 'search_cloudflare_documentation'. baseline=3366ms payload=1613ms | 1613ms |
| T23-TOOL-search_cloudflare_do-SQL-006 | PASS | SQL SQL-006 → search_cloudflare_documentation | No SQLi detected via Time blind MS on 'search_cloudflare_documentation'. baseline=3366ms payload=2443ms | 2443ms |
| T23-TOOL-search_cloudflare_do-SQL-007 | PASS | SQL SQL-007 → search_cloudflare_documentation | No SQLi detected via Time blind MySQL on 'search_cloudflare_documentation'. baseline=3366ms payload=2581ms | 2581ms |
| T23-TOOL-search_cloudflare_do-SQL-008 | PASS | SQL SQL-008 → search_cloudflare_documentation | No SQLi detected via Stacked drop on 'search_cloudflare_documentation'. baseline=3366ms payload=2142ms | 2142ms |
| T23-TOOL-search_cloudflare_do-SQL-009 | PASS | SQL SQL-009 → search_cloudflare_documentation | No SQLi detected via NoSQL $ne on 'search_cloudflare_documentation'. baseline=3366ms payload=1973ms | 1973ms |
| T23-TOOL-search_cloudflare_do-SQL-010 | PASS | SQL SQL-010 → search_cloudflare_documentation | No SQLi detected via NoSQL $gt on 'search_cloudflare_documentation'. baseline=3366ms payload=1789ms | 1789ms |
| T24-TOOL-search_cloudflare_do-DS-001 | PASS | Deserialisation DS-001 → search_cloudflare_documentation | Python pickle (b64) — no deserialisation markers detected. | 3026ms |
| T24-TOOL-search_cloudflare_do-DS-002 | PASS | Deserialisation DS-002 → search_cloudflare_documentation | YAML !!python apply print — no deserialisation markers detected. | 2633ms |
| T24-TOOL-search_cloudflare_do-DS-003 | PASS | Deserialisation DS-003 → search_cloudflare_documentation | YAML !!python os.popen — no deserialisation markers detected. | 1882ms |
| T24-TOOL-search_cloudflare_do-DS-004 | PASS | Deserialisation DS-004 → search_cloudflare_documentation | XML XXE file:// — no deserialisation markers detected. | 2170ms |
| T24-TOOL-search_cloudflare_do-DS-006 | PASS | Deserialisation DS-006 → search_cloudflare_documentation | Java serialised magic (b64) — no deserialisation markers detected. | 2851ms |
| T24-TOOL-search_cloudflare_do-DS-007 | PASS | Deserialisation DS-007 → search_cloudflare_documentation | Ruby Marshal magic (b64) — no deserialisation markers detected. | 2569ms |
| T24-TOOL-search_cloudflare_do-DS-008 | PASS | Deserialisation DS-008 → search_cloudflare_documentation | JSON __proto__ pollution — no deserialisation markers detected. | 1740ms |
| T26-001 | PASS | SSTI — Summary | No SSTI detected across 1 probed tool(s). | 19868ms |
| T26-TOOL-search_cloudflare_do-SSTI-001 | PASS | SSTI SSTI-001 → search_cloudflare_documentation | No template evaluation detected for Jinja/Twig {{7*7}} on 'search_cloudflare_documentation'. | 2391ms |
| T26-TOOL-search_cloudflare_do-SSTI-002 | PASS | SSTI SSTI-002 → search_cloudflare_documentation | No template evaluation detected for Jinja concat on 'search_cloudflare_documentation'. | 1373ms |
| T26-TOOL-search_cloudflare_do-SSTI-003 | PASS | SSTI SSTI-003 → search_cloudflare_documentation | No template evaluation detected for Handlebars #with on 'search_cloudflare_documentation'. | 2740ms |
| T26-TOOL-search_cloudflare_do-SSTI-004 | PASS | SSTI SSTI-004 → search_cloudflare_documentation | No template evaluation detected for ERB <%= 7*7 %> on 'search_cloudflare_documentation'. | 2613ms |
| T26-TOOL-search_cloudflare_do-SSTI-005 | PASS | SSTI SSTI-005 → search_cloudflare_documentation | No template evaluation detected for Freemarker ${7*7} on 'search_cloudflare_documentation'. | 2133ms |
| T26-TOOL-search_cloudflare_do-SSTI-006 | PASS | SSTI SSTI-006 → search_cloudflare_documentation | No template evaluation detected for Velocity #set on 'search_cloudflare_documentation'. | 1639ms |
| T26-TOOL-search_cloudflare_do-SSTI-007 | PASS | SSTI SSTI-007 → search_cloudflare_documentation | No template evaluation detected for JSP ${7*7} on 'search_cloudflare_documentation'. | 1856ms |
| T26-TOOL-search_cloudflare_do-SSTI-008 | PASS | SSTI SSTI-008 → search_cloudflare_documentation | No template evaluation detected for Smarty {$x=7*7} on 'search_cloudflare_documentation'. | 1687ms |
| T26-TOOL-search_cloudflare_do-SSTI-009 | PASS | SSTI SSTI-009 → search_cloudflare_documentation | No template evaluation detected for Razor @(7*7) on 'search_cloudflare_documentation'. | 1746ms |
| T26-TOOL-search_cloudflare_do-SSTI-010 | PASS | SSTI SSTI-010 → search_cloudflare_documentation | No template evaluation detected for Mako <%= 7*7 %> on 'search_cloudflare_documentation'. | 1688ms |
| T27-004 | PASS | Session Tokens — Summary | No session-handling weaknesses detected. | 2097ms |
| T28-001 | PASS | Header Injection — Summary | No CRLF/header-injection findings across 1 probed tool(s). | 10822ms |
| T28-TOOL-search_cloudflare_do-HDR-001 | PASS | Header Injection HDR-001 → search_cloudflare_documentation | No CRLF reflection detected for Classic CRLF + header on 'search_cloudflare_documentation'. | 3213ms |
| T28-TOOL-search_cloudflare_do-HDR-002 | PASS | Header Injection HDR-002 → search_cloudflare_documentation | No CRLF reflection detected for URL-encoded CRLF on 'search_cloudflare_documentation'. | 2169ms |
| T28-TOOL-search_cloudflare_do-HDR-003 | PASS | Header Injection HDR-003 → search_cloudflare_documentation | No CRLF reflection detected for Double-encoded CRLF on 'search_cloudflare_documentation'. | 1931ms |
| T28-TOOL-search_cloudflare_do-HDR-004 | PASS | Header Injection HDR-004 → search_cloudflare_documentation | No CRLF reflection detected for Content-Length smuggling on 'search_cloudflare_documentation'. | 1685ms |
| T28-TOOL-search_cloudflare_do-HDR-005 | PASS | Header Injection HDR-005 → search_cloudflare_documentation | No CRLF reflection detected for Unicode newline on 'search_cloudflare_documentation'. | 1824ms |
| T29-001 | PASS | ReDoS — Summary | No ReDoS signatures across 1 probed tool(s). | 13082ms |
| T29-TOOL-search_cloudflare_do-RD-001 | PASS | ReDoS RD-001 → search_cloudflare_documentation | No ReDoS signature: baseline 2253ms, attack 1887ms, ratio 0.8×. | 1887ms |
| T29-TOOL-search_cloudflare_do-RD-002 | PASS | ReDoS RD-002 → search_cloudflare_documentation | No ReDoS signature: baseline 2253ms, attack 2302ms, ratio 1.0×. | 2302ms |
| T29-TOOL-search_cloudflare_do-RD-003 | PASS | ReDoS RD-003 → search_cloudflare_documentation | No ReDoS signature: baseline 2253ms, attack 2173ms, ratio 1.0×. | 2173ms |
| T29-TOOL-search_cloudflare_do-RD-004 | PASS | ReDoS RD-004 → search_cloudflare_documentation | No ReDoS signature: baseline 2253ms, attack 1956ms, ratio 0.9×. | 1956ms |
| T29-TOOL-search_cloudflare_do-RD-005 | PASS | ReDoS RD-005 → search_cloudflare_documentation | No ReDoS signature: baseline 2253ms, attack 2511ms, ratio 1.1×. | 2511ms |
| T30-099 | PASS | OAuth Flow Abuse — Summary | Server does not advertise OAuth flow; all probes skipped. | 778ms |
| DISCOVERY · 8 tests | ||||
| T01-001 | INFO | Server Identity | Server did not advertise: name, version. Got name='unknown' version='unknown' protocol='unknown'. Remediation: Ensure the MCP server returns a populated 'serverInfo' object in its initialize response (name and version fields). | 0ms |
| T01-002 | PASS | Tool Enumeration | Discovered 2 tool(s): search_cloudflare_documentation, migrate_pages_to_workers_guide. search_cloudflare_documentation: 'Search the Cloudflare documentation.\n\n\t\tThis tool should be used to answer any q'; migrate_pages_to_workers_guide: 'ALWAYS read this guide before migrating Pages projects to Workers.' | 0ms |
| T01-003 | PASS | Resource Enumeration | Discovered 0 resource(s). | 0ms |
| T01-004 | PASS | Prompt Enumeration | Discovered 1 prompt(s): workers-prompt-full. workers-prompt-full: 'Detailed prompt for generating Cloudflare Workers code (and other developer plat' (0 arg(s)) | 0ms |
| T01-005 | PASS | Tool Description Completeness | All 2 tool(s) have non-empty descriptions. | 0ms |
| T01-006 | PASS | Tool Schema Validity | All 2 tool(s) have valid JSON Schema inputSchema. | 0ms |
| T01-007 | PASS | Duplicate Tool Names | All 2 tool name(s) are unique. | 0ms |
| T01-008 | PASS | Tool Description Length | All 2 tool description(s) are within the 2,000-character limit. | 0ms |
| SCHEMA · 8 tests | ||||
| T06-004 | INFO | Return Type Consistency | No tools returned comparable JSON responses — consistency check not applicable. | 0ms |
| T06-001 | PASS | Schema Structural Validity | All 2 tool inputSchema(s) are structurally valid. | 0ms |
| T06-002-search_cloudflare_documentation | PASS | Required Enforcement: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' correctly raised an error when called with missing required fields.
McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query"
]
|
444ms |
| T06-003 | PASS | additionalProperties Strictness | All 2 tool(s) have 'additionalProperties': false. | 0ms |
| T06-005 | PASS | Overly Permissive Schema Detection | All 2 tool schema(s) are acceptably strict. | 0ms |
| T06-006-migrate_pages_to_workers_guide | PASS | Description Quality: migrate_pages_to_workers_guide |
Tool 'migrate_pages_to_workers_guide' has an adequate description (66 chars).
Description: 'ALWAYS read this guide before migrating Pages projects to Workers.'
|
0ms |
| T06-006-search_cloudflare_documentation | PASS | Description Quality: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' has an adequate description (541 chars).
Description: 'Search the Cloudflare documentation.\n\n\t\tThis tool should be used to answer any question about Cloudflare products or features, including:\n\t\t- Workers, Pages, R2, Images, Stream, D1, Durable Objects, K'
|
0ms |
| T16-003 | PASS | Tool Schema Required-Field Drift | No required-field drift detected. | 0ms |
| PERFORMANCE · 13 tests | ||||
| T08-003-00 | INFO | Resource Read Latency | No resources to benchmark. | 0ms |
| T05-001 | PASS | 10 Simultaneous Calls |
All 10 concurrent calls to 'search_cloudflare_documentation' succeeded with no data leakage.
min=1614ms mean=1830ms max=2082ms
|
2394ms |
| T05-002 | PASS | 50 Sequential Rapid Calls |
p50=1877ms p95=2431ms p99=2765ms
{
"tool": "search_cloudflare_documentation",
"calls": 50,
"errors": 0,
"min_ms": 1563.87,
"mean_ms": 1942.21,
"max_ms": 2764.63,
"p50_ms": 1876.73,
"p95_ms": 2430.54,
"p99_ms": 2764.63
}
|
97111ms |
| T05-003 | PASS | 100 Concurrent Calls (Stress Test) |
All 100 calls succeeded. Throughput: 5.5 calls/sec
|
18051ms |
| T05-004 | PASS | Connection Stability Under Rapid Reconnect |
Tool list consistent across all 5 reconnects: ['migrate_pages_to_workers_guide', 'search_cloudflare_documentation'].
Reconnects: 5. Tools per connect: 2.
|
25878ms |
| T08-001-01 | PASS | Baseline Latency: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation': mean=2362ms min=1680ms max=3727ms (5 samples).
{
"search_cloudflare_documentation": {
"mean_ms": 2362.31,
"min_ms": 1680.36,
"max_ms": 3727.42,
"samples": [
3727.42,
1827.44,
2340.11,
2236.23,
1680.36
]
}
}
|
11812ms |
| T08-001-02 | PASS | Baseline Latency: migrate_pages_to_workers_guide |
Tool 'migrate_pages_to_workers_guide': mean=357ms min=266ms max=570ms (5 samples).
{
"migrate_pages_to_workers_guide": {
"mean_ms": 357.38,
"min_ms": 265.85,
"max_ms": 569.6,
"samples": [
265.85,
300.88,
310.3,
569.6,
340.26
]
}
}
|
1787ms |
| T08-002 | PASS | Tool Discovery Latency |
list_tools() mean=432ms min=218ms max=647ms.
{
"list_tools": {
"mean_ms": 431.5,
"min_ms": 218.19,
"max_ms": 646.74,
"samples": [
218.19,
646.74,
473.77,
271.88,
546.94
]
}
}
|
2158ms |
| T08-004 | PASS | Cold Start Detection |
No significant cold-start penalty detected (ratio 1.0×, threshold 10×).
Call 1 (cold): 1786ms
Calls 2-5 (warm): 1742ms, 2262ms, 1525ms, 1775ms
Warm mean: 1826ms Ratio: 1.0×
|
9090ms |
| T08-005 | PASS | Latency Degradation Under Load |
Latency stable under load: baseline 1360ms, load p95 2431ms (ratio 1.8×).
Baseline mean: 1360ms Load p95: 2431ms Degradation ratio: 1.8×
|
0ms |
| T20-001 | PASS | Response-Size Drift | Response sizes stable (11061→11061 bytes, ratio 1.00×). | 73940ms |
| T20-002 | PASS | Latency Drift | Latency stable (1983.2→1853.7ms, ratio 0.93×). | 73940ms |
| T20-004 | PASS | Memory Leak — Summary | No memory growth signals over 40 probe calls. | 73940ms |
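Several verdicts in this report are ratio tests: the cold-start check (T08-004) compares the first call against the mean of the warm calls with a stated 10× threshold, the degradation check (T08-005) compares the p95 under load against the unloaded baseline mean, and the T29 ReDoS rows compare attack-payload latency against a benign baseline. The following is an added example, not the scanner's or the server's code, that implements this arithmetic so the report's own figures can be re-derived. The 10× cold-start threshold is from the report; the 3× degradation threshold, the 5× ReDoS threshold and the nearest-rank percentile definition are assumptions. One caveat worth drawing from the T29 numbers: the attack latencies (1956 to 2511 ms) scattered about ±12% around a 2253 ms baseline, so a ratio test on a tool that already costs over two seconds per call can only rule out gross amplification, not backtracking that burns a few hundred milliseconds of CPU.

```typescript
// Added example, not the scanner's or the audited server's code: the timing
// arithmetic behind the PERFORMANCE and T29 ReDoS rows. Thresholds other than
// the 10x cold-start threshold stated in the report are assumptions.

function mean(xs: number[]): number {
  if (xs.length === 0) throw new Error("mean of empty sample");
  return xs.reduce((a, b) => a + b, 0) / xs.length;
}

// Nearest-rank percentile (assumed definition): the smallest sample at or above
// the p-th percentile position. On 50 samples p50 is the 25th sorted value and
// p99 the 50th, which matches T05-002 reporting p99 equal to max.
function percentile(xs: number[], p: number): number {
  if (xs.length === 0) throw new Error("percentile of empty sample");
  const sorted = [...xs].sort((a, b) => a - b);
  const rank = Math.max(1, Math.ceil((p / 100) * sorted.length));
  return sorted[rank - 1];
}

// Ratios are rounded to one decimal, as the report prints them ("1.0x", "0.9x").
function ratio(numerator: number, denominator: number): number {
  if (denominator <= 0) throw new Error("baseline must be positive");
  return Math.round((numerator / denominator) * 10) / 10;
}

// T08-004: first (cold) call against the mean of the following warm calls.
function coldStart(samples: number[], threshold = 10): { ratio: number; penalty: boolean } {
  if (samples.length < 2) throw new Error("need a cold call plus at least one warm call");
  const cold = samples[0];
  const warm = samples.slice(1);
  const r = ratio(cold, mean(warm));
  return { ratio: r, penalty: r >= threshold };
}

// T08-005: p95 under load against the unloaded baseline mean.
function degradation(baseline: number[], underLoad: number[], threshold = 3): { ratio: number; degraded: boolean } {
  const r = ratio(percentile(underLoad, 95), mean(baseline));
  return { ratio: r, degraded: r >= threshold };
}

// T29: attack-payload latency against the benign baseline. Any amplification
// smaller than the baseline's own jitter (about +/-12% in the T29 rows) is
// invisible to this test; only gross blow-ups cross an assumed 5x threshold.
function redos(baselineMs: number, attackMs: number, threshold = 5): { ratio: number; suspicious: boolean } {
  const r = ratio(attackMs, baselineMs);
  return { ratio: r, suspicious: r >= threshold };
}
```

Feeding the T08-004 samples from the report into `coldStart` reproduces the 1.0× verdict (warm mean 1826 ms), and the T29 pairs give 1.0×, 0.9× and 1.1× as printed. For a tool whose honest latency is dominated by a remote search backend, a tighter ReDoS check would measure server-side CPU time or run the regex corpus against the pattern in isolation rather than end-to-end latency.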