Spaces:

MCP-1st-Birthday
/

vapt-agent

Sleeping

App Files Files Community

chsubhasis commited on Nov 28, 2025

Commit

772a578

verified ·

1 Parent(s): 7f06d4e

Update README.md

Browse files

Files changed (1) hide show

README.md +139 -36

README.md CHANGED Viewed

@@ -420,47 +420,115 @@ Built for **MCP's 1st Birthday Hackathon** hosted by **Anthropic** and **Gradio*
 # VAPT Agent MCP Server
-This Gradio application has been integrated with **Model Context Protocol (MCP)** to enable AI assistants and other MCP clients to interact with the VAPT (Vulnerability Assessment and Penetration Testing) agent programmatically.
-## MCP Server Overview
-The MCP server exposes the VAPT agent's functionality through a standardized interface, allowing AI assistants like Claude to perform security testing and receive guidance directly.
-**MCP Server URL**: `http://<ip>:<port>/gradio_api/mcp/`
-### Available MCP Tools
-The server provides **4 MCP tools**:
-1. **`run_security_test`** - Execute a security test on an API endpoint
-   - Parameters:
-     - `api_endpoint` (string): The target API endpoint URL
-     - `http_method` (string): HTTP method (GET, POST, PUT, DELETE, etc.)
-     - `api_key` (string): API authentication key
-   - Returns: Progress updates, vulnerability report markdown, report file path, and button state
-2. **`update_dashboard`** - Update the security dashboard
-   - Parameters:
-     - `report_md` (string): Report markdown content
-3. **`tutor_respond`** - Get security guidance from the AI tutor
-   - Parameters:
-     - `question` (string): Security-related question
-     - `history` (array): Conversation history
-     - `report_md` (string): Current report markdown for context
-   - Note: If passing a file as input, use the `upload_file_to_gradio` tool first
-## Configuration
 ### Streamable HTTP Transport
-For MCP clients that support Streamable HTTP, add this configuration:
 ```json
 {
   "mcpServers": {
-    "gradio": {
-      "url": "http://<ip>:<port>/gradio_api/mcp/"
     },
     "upload_files_to_gradio": {
       "command": "uvx",
@@ -469,7 +537,7 @@ For MCP clients that support Streamable HTTP, add this configuration:
         "gradio[mcp]",
         "gradio",
         "upload-mcp",
-        "http://<ip>:<port>/",
         "<UPLOAD_DIRECTORY>"
       ]
     }
@@ -479,16 +547,16 @@ For MCP clients that support Streamable HTTP, add this configuration:
 ### STDIO Transport
-For clients like Claude Desktop that only support STDIO, first [install Node.js](https://nodejs.org/en/download/), then use:
 ```json
 {
   "mcpServers": {
-    "gradio": {
       "command": "npx",
       "args": [
         "mcp-remote",
-        "http://<ip>:<port>/gradio_api/mcp/",
         "--transport",
         "streamable-http"
       ]
@@ -500,7 +568,7 @@ For clients like Claude Desktop that only support STDIO, first [install Node.js]
         "gradio[mcp]",
         "gradio",
         "upload-mcp",
-        "http://<ip>:<port>/",
         "<UPLOAD_DIRECTORY>"
       ]
     }
@@ -508,15 +576,50 @@ For clients like Claude Desktop that only support STDIO, first [install Node.js]
 }
 ```
-### File Upload Support
-The `upload_files_to_gradio` tool uploads files from your local `<UPLOAD_DIRECTORY>` (or any subdirectories) to the Gradio app. This is required because MCP servers need files as URLs. You can omit this tool if you prefer manual file uploads.
 **Requirements**: [uv](https://docs.astral.sh/uv/getting-started/installation/) must be installed.
-## Resources
-- [Gradio MCP Documentation](https://www.gradio.app/guides/building-mcp-server-with-gradio)
-- [Hugging Face Spaces Configuration](https://huggingface.co/docs/hub/spaces-config-reference)
 ---

 # VAPT Agent MCP Server
+## 🔌 From Gradio App to MCP Server
+This VAPT Agent started as an **interactive Gradio web application** designed to provide an intuitive UI for vulnerability assessment and penetration testing. To extend its capabilities and make it accessible to AI assistants and automation tools, **we additionally converted it into a Model Context Protocol (MCP) server** using Gradio's built-in MCP support.
+Following the guidelines from the **[Hugging Face blog on building MCP servers with Gradio](https://huggingface.co/blog/gradio-mcp)**, we transformed our application to support both web-based and programmatic access. This conversion allows the same powerful security testing features to be available through:
+- ✅ AI assistants like Claude Desktop
+- ✅ Automation scripts and CI/CD pipelines
+- ✅ Other MCP-compatible tools and workflows
+- ✅ Remote clients via both Streamable HTTP and STDIO transports
+**MCP Server URL**: `https://mcp-1st-birthday-vapt-agent.hf.space/gradio_api/mcp/`
+---
+## 🎯 Primary Tool: `vapt_agent_run_security_test`
+The core functionality of the VAPT Agent is exposed through the **`vapt_agent_run_security_test`** MCP tool, which allows external clients to programmatically trigger comprehensive security assessments.
+### 📋 Tool Details
+**Name**: `vapt_agent_run_security_test`
+**Type**: Tool
+**Description**: Execute a complete VAPT security test on an API endpoint. The function validates inputs, starts the VAPT agent in a background thread, and streams real-time progress updates. The test button is disabled during execution and re-enabled when complete.
+### 📥 Parameters
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `api_endpoint` | string | ✅ Yes | The target API endpoint URL to test (e.g., `https://api.example.com/users`) |
+| `http_method` | string | ✅ Yes | HTTP method for the endpoint (e.g., `GET`, `POST`, `PUT`, `DELETE`) |
+| `api_key` | string | ✅ Yes | API authentication key/token for authorized testing |
+### 📤 Returns
+The tool yields progressive updates and final results:
+1. **Progress Updates**: Real-time streaming of agent activities (endpoint discovery, vulnerability testing, report generation)
+2. **Report Markdown**: Complete vulnerability assessment report in markdown format
+3. **Report File Path**: Path to the downloadable report file
+4. **Button State**: UI state management (disabled during test, enabled on completion)
+### 🔍 What the Tool Does
+When invoked, `vapt_agent_run_security_test`:
+1. **Validates Inputs**: Ensures all required parameters are provided
+2. **Initiates VAPT Agent**: Starts the Claude-powered security testing agent in a background thread
+3. **Performs Discovery**: Uses Postman MCP to discover API endpoints and generate OpenAPI specs
+4. **Executes Security Tests**: Runs custom VAPT MCP tools for:
+   - Injection attacks (SQL, XSS, path traversal)
+   - Authentication/authorization bypass
+   - Rate limiting and DoS vulnerabilities
+   - CORS policy validation
+   - Security headers analysis
+5. **Streams Progress**: Yields real-time progress messages for client visibility
+6. **Generates Report**: Creates comprehensive markdown report with:
+   - Executive summary with risk score
+   - Detailed vulnerability findings with severity levels
+   - Evidence and remediation recommendations
+   - Security headers and CORS analysis
+7. **Updates Dashboard**: Automatically refreshes the visual risk dashboard with charts
+### 💡 Example Usage
+```python
+# Example MCP client call
+result = client.call_tool(
+    "vapt_agent_run_security_test",
+    {
+        "api_endpoint": "https://api.example.com/v1/users",
+        "http_method": "GET",
+        "api_key": "Bearer your-api-key-here"
+    }
+)
+# The tool will stream progress like:
+# "🔍 Starting API security assessment..."
+# "📮 Discovering endpoints using Postman MCP..."
+# "🛡️ Testing for SQL injection vulnerabilities..."
+# "📊 Generating vulnerability report..."
+# "✅ Security test completed!"
+```
+---
+## 🛠️ Additional Tools
+While the primary focus is on `vapt_agent_run_security_test`, the MCP server also exposes supporting tools for enhanced functionality:
+- **`vapt_agent_update_dashboard`**: Updates the visual security dashboard with new report data
+- **`vapt_agent_tutor_respond`**: Provides AI-powered security guidance and answers questions about the generated report using RAG (Retrieval-Augmented Generation)
+- **`vapt_agent__lambda_`**: Internal utility function
+> **Note**: For most use cases, you'll primarily interact with `vapt_agent_run_security_test` to perform security assessments.
+---
+## ⚙️ MCP Configuration
 ### Streamable HTTP Transport
+For MCP clients that support Streamable HTTP (recommended), add this configuration:
 ```json
 {
   "mcpServers": {
+    "vapt_agent": {
+      "url": "https://mcp-1st-birthday-vapt-agent.hf.space/gradio_api/mcp/"
     },
     "upload_files_to_gradio": {
       "command": "uvx",
         "gradio[mcp]",
         "gradio",
         "upload-mcp",
+        "https://mcp-1st-birthday-vapt-agent.hf.space/",
         "<UPLOAD_DIRECTORY>"
       ]
     }
 ### STDIO Transport
+For clients like **Claude Desktop** that only support STDIO, first [install Node.js](https://nodejs.org/en/download/), then use:
 ```json
 {
   "mcpServers": {
+    "vapt_agent": {
       "command": "npx",
       "args": [
         "mcp-remote",
+        "https://mcp-1st-birthday-vapt-agent.hf.space/gradio_api/mcp/",
         "--transport",
         "streamable-http"
       ]
         "gradio[mcp]",
         "gradio",
         "upload-mcp",
+        "https://mcp-1st-birthday-vapt-agent.hf.space/",
         "<UPLOAD_DIRECTORY>"
       ]
     }
 }
 ```
+### 📁 File Upload Support
+The `upload_files_to_gradio` tool uploads files from your local `<UPLOAD_DIRECTORY>` (or any subdirectories) to the Gradio app. This is needed because MCP servers require files to be provided as URLs. You can omit this tool if you prefer to upload files manually.
 **Requirements**: [uv](https://docs.astral.sh/uv/getting-started/installation/) must be installed.
+---
+## 🎓 Use Cases
+### For AI Assistants (Claude Desktop)
+```
+User: "Test the API at https://api.myapp.com/v1/products (GET method)
+       with API key Bearer abc123"
+Claude: *Invokes vapt_agent_run_security_test*
+        "I've initiated a security test. The VAPT agent is now scanning
+        for vulnerabilities including injection attacks, authentication
+        issues, and security misconfigurations..."
+```
+### For CI/CD Pipelines
+```bash
+# Automated security testing in deployment pipeline
+mcp-client call vapt_agent_run_security_test \
+  --api_endpoint "https://staging.api.com/auth/login" \
+  --http_method "POST" \
+  --api_key "$STAGING_API_KEY"
+```
+### For Security Teams
+```
+# Remote security assessment without opening the web interface
+# Get comprehensive reports programmatically
+# Integrate with existing security workflow tools
+```
+---
+## 📚 Resources
+- **[Building MCP Servers with Gradio](https://huggingface.co/blog/gradio-mcp)** - The guide we followed to convert our Gradio app to an MCP server
+- **[Gradio MCP Documentation](https://www.gradio.app/guides/building-mcp-server-with-gradio)** - Official Gradio MCP documentation
+- **[Model Context Protocol Specification](https://modelcontextprotocol.io/)** - Understanding MCP architecture
+- **[Hugging Face Spaces Configuration](https://huggingface.co/docs/hub/spaces-config-reference)** - Deploy your own MCP-enabled Gradio apps
 ---