Expected Findings
- MCP server accepts anonymous JSON-RPC requests over HTTP.
- `tools/list` discloses dangerous tools including shell exec and DB query.
- `resources/read` returns internal documents with no scope check.
An internal MCP server is reachable from the public internet with no authentication, exposing tool listing (`tools/list`), internal resources (`resources/read`), and a shell exec tool.
Tool names returned by `tools/list`: `["shell.exec", "db.query", "secrets.read", "fs.write"]`
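The mitigation for all three findings is the same: authenticate every JSON-RPC request, advertise only the tools the caller may invoke, and scope-check `resources/read`. The following is an added example of such a request handler, not code from the page or from any MCP implementation; the token store, scope names and resource URIs are constructed assumptions.

```python
import json

# Constructed policy: the scope a caller needs for each dangerous tool
# (tool names are the ones the finding lists) and for each resource prefix.
TOOL_SCOPES = {"shell.exec": "ops:exec", "db.query": "db:read",
               "secrets.read": "secrets:read", "fs.write": "fs:write"}
RESOURCE_SCOPES = {"internal://hr/": "hr:read", "internal://eng/": "eng:read"}
RESOURCES = {"internal://hr/salaries.md": "constructed HR document",
             "internal://eng/runbook.md": "constructed runbook"}

# Constructed token store standing in for a real identity provider.
TOKENS = {"tok-admin": {"sub": "alice", "scopes": {"ops:exec", "db:read", "eng:read"}},
          "tok-reader": {"sub": "bob", "scopes": {"eng:read"}}}

def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle(request_json, auth_header=None):
    """Process one JSON-RPC request; anonymous callers are rejected before dispatch."""
    req = json.loads(request_json)
    req_id = req.get("id")
    if not auth_header or not auth_header.startswith("Bearer "):
        return _error(req_id, -32001, "authentication required")
    principal = TOKENS.get(auth_header[len("Bearer "):])
    if principal is None:
        return _error(req_id, -32001, "invalid token")
    method, params = req.get("method"), req.get("params") or {}
    if method == "tools/list":
        # Only advertise tools the caller is actually allowed to invoke.
        visible = [t for t, s in TOOL_SCOPES.items() if s in principal["scopes"]]
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"tools": [{"name": t} for t in visible]}}
    if method == "resources/read":
        uri = params.get("uri", "")
        # Resolve the scope required for this URI prefix; unknown prefixes are denied.
        needed = next((s for p, s in RESOURCE_SCOPES.items() if uri.startswith(p)), None)
        if needed is None or needed not in principal["scopes"]:
            return _error(req_id, -32003, "forbidden")
        if uri not in RESOURCES:
            return _error(req_id, -32002, "resource not found")
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"contents": [{"uri": uri, "text": RESOURCES[uri]}]}}
    return _error(req_id, -32601, "method not found")
```

Denying before dispatch means an anonymous `tools/list` never reveals which tools exist, which is the disclosure the second finding describes.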