
pentest-ai

v0.13.0 Security

This release includes 1 security fix (no CVE assigned) of interest to security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

ai-security bug-bounty claude ctf security exploit exploit-chaining hacking-tools mcp model-context-protocol nmap offensive-security osint penetration-testing pentest-ai pentesting python vulnerability-scanning

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Fixes the MCP code path silently dropping auth credentials, adds an iterative MCP action surface (list_probes, run_probe, http_request), and lowers the default PTAI_PRICE_LIMIT from unlimited to $2.

Full changelog

MCP launch-blocker release. Two-part fix that turns ptai into a true MCP action surface for outer LLMs (Claude Code, Cursor, etc), and closes a structural defect that was silently dropping auth credentials on the MCP code path.

Current published benchmark via the MCP path (OWASP Juice Shop v19.2.1): 43/68 authenticated challenges (63.24%), 58 unauthenticated findings, 4 auto-composed exploit chains. The auth-wiring fix in this release is the prerequisite that makes the MCP path reach parity with the CLI path.

TL;DR

  • Fixed: mcp_server.test_web_app now calls WebAgent.set_auth(creds) before the registry sweep. Every requires_auth=True probe (race conditions, mass assignment, type confusion, authenticated SQLi/XXE/IDOR) was silently skipping at agents/web/web_agent.py:354 because the deterministic path reads self._captured_auth, not the dict argument passed to run_assessment. Coverage advertised in 0.12.0 release notes was unreachable via MCP. Now reachable.
  • New: start_engagement accepts an auth_profile parameter. Resolves and logs in server-side; credentials never enter MCP/LLM payload.
  • New: iterative MCP action surface. Three new tools that let an outer LLM drive engagements probe-by-probe rather than fire-and-forget:
    • list_probes(bug_class?, requires_auth_only?) — enumerate all 60 registered web probes.
    • run_probe(probe_name, target, engagement_id?, auth_profile?, candidate_endpoints?) — dispatch one probe synchronously; refuses to silently skip requires_auth=True without credentials.
    • http_request(method, url, engagement_id, ...) — raw HTTP escape hatch for novel attack chains (stored SSTI, PATCH mass-assign) under a hard scope guard (URL host:port must equal engagement target), destructive-method guard (DELETE/PURGE/TRACE require allow_destructive=True), and body-size caps.
  • Safety: PTAI_PRICE_LIMIT default changed from 0 (unlimited) to $2. Explicit 0 still means unlimited but logs a loud warning. Pre-launch hardening for new users.
  • Probe coverage: web.idor_sequential now retries authenticated when unauth gets uniform 401/403s, flags cross-user divergence as "Authenticated IDOR" (high).
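The three guards listed for http_request (scope, destructive method, body size) are the part of this release a reviewer will want to see enforced in code. The block below is an added example, not ptai's own implementation: it reimplements those guards stand-alone. The function names, the ScopeViolation exception, the 64 KiB cap and the filling-in of default ports (so http://t and http://t:80 compare equal) are assumptions made here; the release notes only state the rules.

```python
"""Guards for a raw http_request escape hatch.

Added example, not ptai's own code: a stand-alone reimplementation of the
three guards the notes describe for http_request (scope, destructive method,
body size). The function names, the ScopeViolation exception, the 64 KiB cap
and the default-port normalisation are assumptions made here.
"""
from urllib.parse import urlsplit

DESTRUCTIVE_METHODS = frozenset({"DELETE", "PURGE", "TRACE"})
MAX_BODY_BYTES = 64 * 1024            # assumed; the notes only say "body-size caps"
DEFAULT_PORTS = {"http": 80, "https": 443}


class ScopeViolation(Exception):
    """Request would leave the engagement target or break a safety guard."""


def host_port(url):
    """(host, port) of a URL, with the host lower-cased and the scheme's
    default port filled in so http://t and http://t:80 are the same target.
    urlsplit() discards any userinfo, so http://t@evil.example/ resolves to
    evil.example and fails the scope check instead of passing it."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ScopeViolation(f"unsupported or unparseable URL: {url!r}")
    try:
        port = parts.port
    except ValueError as exc:            # non-numeric or out-of-range port
        raise ScopeViolation(f"bad port in {url!r}") from exc
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.hostname.lower(), port


def guard_http_request(method, url, engagement_target, body=b"", allow_destructive=False):
    """Validate one raw request against the engagement. Returns the normalised
    (method, url, body) on success and raises ScopeViolation otherwise."""
    method = method.upper()
    # Scope guard: host:port of the request must equal the engagement target's.
    if host_port(url) != host_port(engagement_target):
        raise ScopeViolation(f"{url} is outside the engagement target {engagement_target}")
    # Destructive-method guard: DELETE/PURGE/TRACE need an explicit opt-in.
    if method in DESTRUCTIVE_METHODS and not allow_destructive:
        raise ScopeViolation(f"{method} requires allow_destructive=True")
    # Body-size cap: keep the LLM from pushing arbitrarily large payloads.
    if isinstance(body, str):
        body = body.encode("utf-8")
    if len(body) > MAX_BODY_BYTES:
        raise ScopeViolation(f"body of {len(body)} bytes exceeds {MAX_BODY_BYTES}")
    return method, url, body


def verdict(method, url, engagement_target, body=b"", allow_destructive=False):
    """Same checks as a (decision, reason) pair, so a refusal is returned to
    the MCP client and visible to the outer LLM rather than silently dropped."""
    try:
        guard_http_request(method, url, engagement_target, body, allow_destructive)
    except ScopeViolation as exc:
        return "blocked", str(exc)
    return "allowed", ""
```

Two details matter in practice: the comparison is done on the parsed hostname, so an attacker-shaped URL that merely mentions the target in its userinfo or query string does not pass, and the refusal is surfaced as a result rather than a silent no-op, which is the same failure mode the auth fix in this release addresses.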

What this fixes

Prior to this release, calling mcp__pentest-ai__test_web_app against an authenticated target dropped credentials at the WebAgent boundary. The orchestrator path (ptai start CLI) had always done this correctly via engine/orchestrator.py:_configure_agent; only the MCP path was broken. After this fix, the MCP path produces the same results as the CLI path, which is what makes the current Juice Shop benchmark (43/68 authenticated, 58 unauth findings, 4 chained) reachable via Claude Code / Cursor / Codex.
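The defect is easy to miss in review because the credentials are visibly passed and nothing fails. The block below is an added miniature of the mechanism, not ptai's own code: the names WebAgent, set_auth, run_assessment, requires_auth and run_probe mirror the release notes, but the probe registry, the method bodies and the sample credentials are constructed here. It contrasts a handler that only passes creds as an argument with one that wires them in first, and shows the run_probe behaviour of returning an explicit refusal instead of skipping.

```python
"""Miniature of the MCP auth-wiring defect and its fix.

Added example, not ptai's own code: the names mirror the release notes, but
the registry, the method bodies and the credentials are constructed here to
show the mechanism, not the real implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    name: str
    requires_auth: bool


# Constructed registry: a few probe names taken from the release notes.
REGISTRY = (
    Probe("web.api_path_discovery", requires_auth=False),
    Probe("web.sqli_fuzz", requires_auth=False),
    Probe("web.race_condition", requires_auth=True),
    Probe("web.mass_assignment", requires_auth=True),
)


class WebAgent:
    """Deterministic registry sweep whose auth gate reads captured state."""

    def __init__(self):
        self._captured_auth = None   # the only thing the gate below consults
        self.ran = []
        self.skipped = []

    def set_auth(self, creds):
        self._captured_auth = dict(creds) if creds else None

    def run_assessment(self, target, creds=None, probes=REGISTRY):
        # `creds` is accepted but never read: that is the structural defect.
        # A caller that passes creds here without calling set_auth() first
        # sees every requires_auth=True probe skipped, with no error raised.
        for probe in probes:
            if probe.requires_auth and not self._captured_auth:
                self.skipped.append(probe.name)
                continue
            self.ran.append(probe.name)
        return {"target": target, "ran": list(self.ran), "skipped": list(self.skipped)}


def mcp_test_web_app_before(target, creds):
    """Pre-0.13.0 shape of the MCP handler: credentials only go in as an argument."""
    return WebAgent().run_assessment(target, creds)


def mcp_test_web_app_after(target, creds):
    """0.13.0 shape: wire the credentials into the agent before the sweep."""
    agent = WebAgent()
    if creds:
        agent.set_auth(creds)
    return agent.run_assessment(target, creds)


def run_probe(probe_name, target, creds=None):
    """Single-probe dispatch. An auth probe without credentials is an explicit
    refusal returned to the caller, never a silent skip."""
    probe = next((p for p in REGISTRY if p.name == probe_name), None)
    if probe is None:
        return {"status": "refused", "reason": f"unknown probe {probe_name!r}"}
    if probe.requires_auth and not creds:
        return {"status": "refused",
                "reason": f"{probe_name} has requires_auth=True; pass auth_profile"}
    agent = WebAgent()
    agent.set_auth(creds)
    agent.run_assessment(target, creds, probes=(probe,))
    return {"status": "ran", "ran": agent.ran}
```

A regression test for this bug asserts on the skipped list, not on the absence of exceptions: the broken handler returns a clean result with every authenticated probe missing, which is exactly why the honeypot coverage threshold in this release is the right kind of check.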

What's new for LLM-driven workflow

Claude Code (or any MCP client) can now drive an engagement step-by-step:

list_probes()                       → enumerate the 60-probe surface
start_engagement(target, auth_profile=...)
run_probe("web.api_path_discovery", target, engagement_id)
run_probe("web.sqli_fuzz", target, engagement_id, candidate_endpoints=[discovered])
http_request("POST", target+"/profile/update", engagement_id, body="bio={{7*7}}")
http_request("GET",  target+"/profile/me",     engagement_id)
get_findings(engagement_id)
close_engagement(engagement_id)

The LLM picks the next probe based on what fired; http_request synthesizes attacks no canned probe covers (stored SSTI, novel PATCH chains).

Tests

  • New end-to-end test tests/honeypot/test_mcp_honeypot_e2e.py boots the in-process honeypot, drives it through the MCP boundary, scores findings against the planted-vuln matrix. Hardcoded coverage threshold so any regression in the auth wiring or registry sweep fails CI loudly.
  • 11 new unit tests in tests/test_mcp_action_surface.py covering list_probes, run_probe, http_request (enumeration, filtering, requires_auth gating, scope guard, destructive guard, happy-path round-trip).
  • 1,706 tests pass; 0 failures.

Install

pip install ptai==0.13.0

PyPI: https://pypi.org/project/ptai/0.13.0/

Full notes in CHANGELOG.md.

Security Fixes

  • Fixed silent dropping of auth credentials on the MCP code path (the MCP `test_web_app` handler now calls `WebAgent.set_auth(creds)` before the registry sweep, so `requires_auth=True` probes run instead of being skipped).


About pentest-ai

Offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for OWASP Top 10. CLI + MCP, BYO LLM. No API key needed on MCP path.
