
Added new template to detect MCP SSE endpoint #12268


Merged
merged 3 commits into from
Jun 11, 2025

Conversation

domwhewell-sage
Contributor

@domwhewell-sage domwhewell-sage commented Jun 7, 2025

Template / PR Information

I've been having trouble getting the MCP template to detect the MCP servers I have tested it with. This is because you have to obtain the session_id first before sending the POST requests, and those endpoints always returned a 202 response.

This template detects the HTTP with SSE in the old spec, typically on the /sse endpoint. As it is a streaming response, I have set the response size to 100 to capture the first message. The spec states "When a client connects, the server MUST send an endpoint event containing a URI for the client to use for sending messages." so the matchers ensure it is an event stream and that the first event is an endpoint; the extractor then extracts the data in that first event, which will be the endpoint you may send the JSON-RPC to.

This protocol is deprecated now, which is why I have added this as a separate template.

Template Validation

I've validated this template locally?

  • YES
  • NO

For validation I used the damn-vulnerable-MCP-server and bbot-server

Additional Details (leave it blank if not applicable)

Additional References:
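
The matching and extraction logic described in the comment above, sketched in Python as an added example (it is not the merged template and not code from this PR). The function names, the reading of the response size of 100 as bytes, and the sample responses are assumptions made for illustration.

```python
import re

MAX_BYTES = 100  # response size from the PR text; assumed here to mean bytes

def first_sse_event(body: bytes):
    """Parse the first SSE event from a (possibly truncated) stream prefix.
    Returns (fields, complete); complete is True only if the blank line
    terminating the event was seen inside the captured prefix."""
    text = body[:MAX_BYTES].decode("utf-8", errors="replace")
    fields, complete = {}, False
    for line in re.split(r"\r\n|\n|\r", text):
        if line == "":
            if fields:              # blank line ends the first event
                complete = True
                break
            continue                # leading blank lines carry no event
        if line.startswith(":"):    # SSE comment / keep-alive, ignore
            continue
        name, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        fields.setdefault(name, value)
    return fields, complete

def detect_mcp_sse(content_type: str, body: bytes):
    """Return (endpoint_uri, complete) if the response looks like the old
    MCP HTTP+SSE transport, else None."""
    if not content_type.lower().startswith("text/event-stream"):
        return None
    fields, complete = first_sse_event(body)
    if fields.get("event") != "endpoint" or not fields.get("data"):
        return None
    return fields["data"], complete

# Constructed sample responses (not captured from any real server).
MCP = b"event: endpoint\r\ndata: /messages/?session_id=0123456789abcdef\r\n\r\n"
OTHER_SSE = b": ping\n\nevent: message\ndata: {}\n\n"
LONG = b"event: endpoint\ndata: /messages/?session_id=" + b"a" * 200 + b"\n\n"

if __name__ == "__main__":
    print(detect_mcp_sse("text/event-stream; charset=utf-8", MCP))
    print(detect_mcp_sse("text/event-stream", OTHER_SSE))   # None
    print(detect_mcp_sse("text/html", MCP))                 # None
    print(detect_mcp_sse("text/event-stream", LONG))        # complete is False
```

When `complete` is False the event ran past the captured prefix, so the extracted URI may be cut short; the match still identifies the server, but the value should be treated as partial.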

@ritikchaddha ritikchaddha added the Done Ready to merge label Jun 11, 2025
@DhiyaneshGeek DhiyaneshGeek merged commit b565662 into projectdiscovery:main Jun 11, 2025
3 checks passed
@domwhewell-sage domwhewell-sage deleted the detect-sse branch June 11, 2025 16:30