Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Vulnerability Reporting

БесплатноНе проверен

Professional vulnerability report generator that creates standardized, well-formatted security reports with AI-generated content, supporting CVSS scoring, evide

GitHubEmbed

Описание

Professional vulnerability report generator that creates standardized, well-formatted security reports with AI-generated content, supporting CVSS scoring, evidence management, and markdown export.

README

Professional vulnerability report generator for security assessments. This MCP server creates standardized, well-formatted security reports following industry best practices.

⚠️ IMPORTANT: AI-Generated Content

This MCP does not use pre-written templates. Instead, the AI (Claude) generates all report content based on the specific vulnerability instance. The report structure follows the template format from /Users/orhanyildirim/Desktop/mcp-browser-injection-extented/report.md, but the content is dynamically created for each unique finding.

What the AI Generates:

  • ✅ Vulnerability Overview (educational description of the vulnerability type)
  • ✅ Specific Findings (detailed analysis of this instance)
  • ✅ Steps to Reproduce (customized for the target application)
  • ✅ Recommendations (actionable remediation guidance)
  • ✅ Impacts (business and technical impact analysis)
  • ✅ References (OWASP, CWE, security resources)

Features

  • AI-Powered Content Generation: Claude generates comprehensive, contextual report content for each vulnerability
  • Template Structure Compliance: Maintains the exact format from your report template
  • Flexible Content: Adapts to different vulnerability types, severities, and application contexts
  • CVSS Scoring: Automated CVSS v3.1 score and vector calculation
  • Evidence Management: Support for screenshots, HTTP requests/responses, PoC code
  • Markdown Export: Professional markdown reports ready for bug bounty submissions or pentest deliverables
  • Reference Database: Fallback to default OWASP/CWE references if AI doesn't provide custom ones

Installation

npm install
npm run build

Usage with Claude Desktop

Add to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "browser-automation": {
      "command": "node",
      "args": ["/Users/your-username/Desktop/mcp-browser-injection-extented/dist/index.js"]
    },
    "vulnerability-reporting": {
      "command": "node",
      "args": ["/Users/your-username/Desktop/mcp-vulnerability-reporting/dist/index.js"]
    }
  }
}

Tools Available

1. create_vulnerability_report

Creates a new vulnerability report with AI-generated content following the template structure.

IMPORTANT: The AI must generate all content sections. This tool does NOT use pre-written templates.

Parameters:

  • vulnerability: Object containing vulnerability details

    • type: Vulnerability type (e.g., SQL_INJECTION, XSS, SSTI)
    • severity: Severity level (Critical, High, Medium, Low, Informational)
    • url: Target URL
    • parameter: Vulnerable parameter name
    • payload: Successful payload
    • affectedEndpoint (optional): Specific endpoint
    • method (optional): HTTP method
  • overview: AI-GENERATED - General description of the vulnerability type (what is it, how does it work, why is it dangerous)

  • findings: Object with specific findings

    • specificDescription: AI-GENERATED - Detailed description of this specific instance
    • detectedBehaviors: Array of observed behaviors (from testing)
    • confidence: Detection confidence level
  • stepsToReproduce: AI-GENERATED - Array of step-by-step reproduction instructions

  • recommendations: AI-GENERATED - Array of remediation recommendations with format:

    • "- **Bold Header**: Detailed explanation"
  • impacts: AI-GENERATED - Array of potential impacts with format:

    • "- **Bold Header**: What could happen"
  • references (optional): Array of security references

    • If not provided, template defaults are used

Returns: Report ID for future operations

2. add_evidence_to_report

Adds evidence to an existing report.

Parameters:

  • reportId: Target report ID
  • evidenceType: Type of evidence (screenshot, request, response, poc, code)
  • content: Evidence content or file path
  • description: Evidence description

3. calculate_cvss_score

Calculates CVSS score and vector for a report.

Parameters:

  • reportId: Target report ID

4. export_report

Exports report as markdown file.

Parameters:

  • reportId: Report ID to export
  • outputPath: Output file path

5. list_reports

Lists all generated reports.

6. get_report_preview

Previews report in markdown format.

Parameters:

  • reportId: Report ID to preview

7. get_report_template

Gets the exact report template format that AI should follow. Use this before creating reports to understand the required structure.

Parameters: None

Returns: The template with detailed formatting instructions for AI content generation

Example Workflow with Browser MCP

Here's how to use both MCPs together. Claude generates all report content:

User: "Test https://vulnerable-site.com/login for SQL injection and create a professional report"

Claude uses Browser MCP:
1. browser_navigate({ url: "https://vulnerable-site.com/login" })
2. browser_test_payload({
     targetSelector: "#username",
     payload: "' OR 1=1--",
     submitSelector: "#login"
   })
   // Returns: { isVulnerable: true, confidence: "high", detectedBehaviors: [...] }

3. browser_screenshot({ path: "./evidence/sqli-bypass.png" })

Claude uses Reporting MCP (AI GENERATES ALL CONTENT):
4. get_report_template()
   // Returns: Template with exact structure and formatting requirements

5. create_vulnerability_report({
     vulnerability: {
       type: "SQL_INJECTION",
       severity: "Critical",
       url: "https://vulnerable-site.com/login",
       parameter: "username",
       payload: "' OR 1=1--",
       method: "POST"
     },

     // AI WRITES THIS OVERVIEW:
     overview: "SQL Injection is a code injection technique that exploits security vulnerabilities in an application's database layer. This vulnerability occurs when user-supplied input is incorporated into SQL queries without proper sanitization...",

     findings: {
       // AI WRITES THIS SPECIFIC DESCRIPTION:
       specificDescription: "The login form at /login endpoint is vulnerable to SQL injection via the username parameter. The application directly concatenates user input into SQL queries without using parameterized statements...",
       detectedBehaviors: ["SQL_ERROR_MESSAGE", "AUTHENTICATION_BYPASS"],
       confidence: "high"
     },

     // AI GENERATES THESE STEPS:
     stepsToReproduce: [
       "Navigate to https://vulnerable-site.com/login",
       "In the username field, enter: ' OR 1=1--",
       "In the password field, enter any value",
       "Click the login button",
       "Observe successful authentication bypass",
       "Verify by checking session cookie"
     ],

     // AI WRITES THESE RECOMMENDATIONS:
     recommendations: [
       "- **Use Parameterized Queries**: Implement prepared statements with parameterized queries for all database interactions...",
       "- **Input Validation**: Implement strict server-side input validation...",
       "- **Principle of Least Privilege**: Configure database accounts with minimal permissions..."
     ],

     // AI WRITES THESE IMPACTS:
     impacts: [
       "- **Complete Authentication Bypass**: An attacker can bypass the login mechanism entirely...",
       "- **Sensitive Data Exfiltration**: Using UNION-based attacks, attackers can extract database contents...",
       "- **Database Manipulation**: Attackers could modify or delete records..."
     ]
   })

6. add_evidence_to_report({
     reportId: "vuln_report_xxx",
     evidenceType: "screenshot",
     content: "./evidence/sqli-bypass.png",
     description: "Authentication Bypass - Successfully logged in as admin"
   })

7. calculate_cvss_score({ reportId: "vuln_report_xxx" })

8. export_report({
     reportId: "vuln_report_xxx",
     outputPath: "./reports/sql-injection-login-bypass.md"
   })

See USAGE_EXAMPLE.md for a complete detailed example.

Report Format

Reports follow the exact template structure from /Users/orhanyildirim/Desktop/mcp-browser-injection-extented/report.md:

## Vulnerability Overview
[AI-generated general description of vulnerability type]

### Finding Details
[AI-generated specific findings for this instance]

### Steps To Reproduce
1. [AI-generated step]
2. [AI-generated step]
...

## Recommendations
To address this finding, implement the following:
[AI-generated recommendations with bold headers]

## References
See the following for more information:
[AI-generated or template default references]

## Impacts
If not addressed, this finding could lead to the following:
[AI-generated impacts with bold headers]

How It Works

  1. Template Loading: MCP reads report.md template from its directory
  2. AI Reads Template: Use get_report_template() to see the exact structure required
  3. Template Structure: The markdown format is fixed and matches your report template exactly
  4. AI Content: Claude generates all descriptive content based on:
    • The specific vulnerability found during testing
    • Security best practices and industry standards
    • Context from the target application
    • Severity and confidence levels
    • Template format guidelines
  5. Flexibility: Content adapts to different vulnerability types, applications, and contexts
  6. Fallback References: If AI doesn't provide custom references, the vulnerability database provides defaults for common types (SQL Injection, XSS, SSTI, Command Injection, NoSQL, LDAP, XXE)

Development

# Run in development mode
npm run dev

# Build for production
npm run build

# Run production build
npm start

Architecture

  • index.ts: Main MCP server implementation
  • vulnerability-db.ts: Vulnerability knowledge base with templates
  • dist/: Compiled JavaScript output

Integration with Browser Automation MCP

This MCP is designed to work seamlessly with the mcp-browser-injection-extended MCP server. The browser MCP handles:

  • Automated vulnerability testing
  • Payload generation and testing
  • Evidence collection (screenshots, HTTP responses)

The reporting MCP then transforms those findings into professional security reports.

License

MIT

Contributing

Contributions welcome! Please submit issues and pull requests.

from github.com/badchars/mcp-vulnerability-reporting

Установка Vulnerability Reporting

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/badchars/mcp-vulnerability-reporting

FAQ

Vulnerability Reporting MCP бесплатный?

Да, Vulnerability Reporting MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Vulnerability Reporting?

Нет, Vulnerability Reporting работает без API-ключей и переменных окружения.

Vulnerability Reporting — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Vulnerability Reporting в Claude Desktop, Claude Code или Cursor?

Открой Vulnerability Reporting на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Vulnerability Reporting with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai