# Security testing

> Test authentication flows, access controls, and vulnerability resistance of your MCP server

## What is Security Testing?

Security testing validates that your MCP server properly implements authentication, authorization, and protection against common vulnerabilities. It ensures your server can safely handle untrusted inputs and enforce access controls correctly.

### Key Benefits

* **Authentication validation** - Verify auth flows work correctly
* **Access control testing** - Ensure permissions are enforced
* **Vulnerability detection** - Find injection flaws and other security issues
* **Rate limiting verification** - Test DoS protection mechanisms

## How It Works

```mermaid
graph TD
    A[Security Test Start] --> B[Auth Flow Test]
    B --> C[Permission Validation]
    C --> D[Input Sanitization]
    D --> E[Rate Limit Testing] 
    E --> F[Vulnerability Scanning]
    F --> G[Security Report]
```

## Configuration

### Basic Security Test Suite

```json
{
  "suite_id": "basic_security_tests",
  "name": "Essential Security Validation",
  "suite_type": "security",
  "auth_required": true,
  "test_cases": [
    {
      "test_id": "auth_validation",
      "auth_method": "oauth",
      "rate_limit_threshold": 100,
      "vulnerability_checks": ["auth"],
      "severity_threshold": "medium"
    }
  ],
  "include_penetration_tests": false
}
```

### Test Configuration Fields

| Field                  | Type    | Default   | Description                                                                 |
| ---------------------- | ------- | --------- | --------------------------------------------------------------------------- |
| `auth_method`          | string  | required  | Authentication method to test (oauth, token, etc.)                          |
| `vulnerability_checks` | array   | \["auth"] | Security checks: \["auth", "rate\_limit", "injection", "token\_validation"] |
| `rate_limit_threshold` | integer | 100       | Expected rate limit (requests per minute)                                   |
| `severity_threshold`   | string  | "medium"  | Minimum severity to report (low, medium, high, critical)                    |

### Suite-Level Settings

| Setting                     | Type    | Default | Description                         |
| --------------------------- | ------- | ------- | ----------------------------------- |
| `auth_required`             | boolean | true    | Whether authentication is required  |
| `include_penetration_tests` | boolean | false   | Include aggressive security testing |

## Authentication Methods

### 1. OAuth Authentication

Test OAuth flows and token security:

```json
{
  "test_id": "oauth_flow_security",
  "auth_method": "oauth",
  "vulnerability_checks": ["oauth_validation", "token_validation"],
  "severity_threshold": "high"
}
```

**Tests:**

* OAuth token validation
* Authorization flow security
* Token refresh handling
* Scope enforcement

### 2. Token Authentication

Test bearer token security:

```json
{
  "test_id": "token_security",
  "auth_method": "token",
  "vulnerability_checks": ["token_validation", "authentication_bypass"],
  "severity_threshold": "medium"
}
```

**Tests:**

* Bearer token validation
* Token expiration handling
* Token manipulation detection
* Authentication bypass prevention

## Vulnerability Testing

### Available Vulnerability Checks

```json
{
  "vulnerability_checks": [
    "input_validation",
    "injection_attacks",
    "authentication_bypass",
    "oauth_validation",
    "token_validation",
    "mcp_prompt_injection",
    "mcp_data_leakage"
  ]
}
```

### MCP-Specific Security Tests

* **Prompt Injection** (`mcp_prompt_injection`): Tests resistance to prompt manipulation attacks
* **Data Leakage** (`mcp_data_leakage`): Detects sensitive information exposure through responses
* **Authentication Bypass** (`authentication_bypass`): Validates permission enforcement

### Input Validation Tests

```json
{
  "test_id": "input_validation_security",
  "auth_method": "oauth",
  "vulnerability_checks": ["input_validation", "injection_attacks"],
  "severity_threshold": "high"
}
```

## Security Test Examples

### 1. OAuth Security Testing

```json
{
  "test_id": "oauth_comprehensive",
  "auth_method": "oauth",
  "vulnerability_checks": ["oauth_validation", "token_validation"],
  "rate_limit_threshold": 50,
  "severity_threshold": "high",
  "metadata": {
    "category": "oauth_security",
    "priority": "critical"
  }
}
```

### 2. Input Sanitization Testing

```json
{
  "test_id": "injection_resistance",
  "auth_method": "oauth",
  "vulnerability_checks": ["input_validation", "injection_attacks"],
  "severity_threshold": "medium",
  "metadata": {
    "category": "vulnerability_assessment",
    "priority": "high"
  }
}
```

## Running Security Tests

### Create Security Test Suite

```bash
# Interactive security suite creation
mcp-t create suite
# Select option "2" for security testing
```

### Run Security Tests

```bash
# Run security test suite
mcp-t run security-tests server-id

# Run with verbose output
mcp-t run security-tests server-id --verbose
```

### Example Command Flow

```bash
# 1. Create security test suite
mcp-t create suite

# 2. Run security assessment  
mcp-t run my-security-suite server-id

# 3. Review results in test_results/ directory
```

## Configuration Files

The framework includes example security configurations:

### Pre-built Security Suite

**Location**: `configs/suites/security-tests.json`

```json
{
  "suite_id": "security-tests",
  "name": "Security Test Suite",
  "description": "Authentication and vulnerability testing",
  "suite_type": "security",
  "test_cases": [
    {
      "test_id": "auth_validation",
      "auth_method": "oauth",
      "vulnerability_checks": ["auth"],
      "severity_threshold": "medium"
    },
    {
      "test_id": "injection_testing",
      "auth_method": "oauth",
      "vulnerability_checks": ["injection"],
      "severity_threshold": "medium"
    }
  ],
  "auth_required": true,
  "include_penetration_tests": true
}
```

### OAuth-Specific Security Suite

**Location**: `configs/suites/oauth-security-tests.json`

```json
{
  "suite_id": "oauth-security-tests",
  "name": "OAuth Security Test Suite",
  "description": "Comprehensive OAuth security validation",
  "suite_type": "security",
  "test_cases": [
    {
      "test_id": "oauth_token_validation",
      "auth_method": "oauth",
      "vulnerability_checks": ["oauth_validation", "token_validation"],
      "severity_threshold": "high"
    }
  ],
  "auth_required": true,
  "include_penetration_tests": false
}
```
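
A pre-flight lint for suite files like the two above, as an added example that is not part of the mcp-t framework: it checks each field against the values documented on this page and surfaces `include_penetration_tests: true` so that aggressive testing is an explicit choice. The names `lint_suite` and `DRAFT` are hypothetical, and the list of known check names is assumed to be the union of the names that appear on this page.

```python
import json

# Allowed values as documented on this page (field table plus the
# "Available Vulnerability Checks" list). Assumed to be the full set.
SEVERITIES = ("low", "medium", "high", "critical")
KNOWN_CHECKS = (
    "auth", "rate_limit", "injection", "token_validation",
    "input_validation", "injection_attacks", "authentication_bypass",
    "oauth_validation", "mcp_prompt_injection", "mcp_data_leakage",
)

def lint_suite(suite):
    """Return a list of problems found in a security suite config (hypothetical helper)."""
    problems = []
    if suite.get("suite_type") != "security":
        problems.append("suite_type is not 'security'")
    # Documented default is false; report it so it is never enabled by accident.
    if suite.get("include_penetration_tests", False) is True:
        problems.append("include_penetration_tests is true")
    cases = suite.get("test_cases") or []
    if not cases:
        problems.append("no test_cases defined")
    for i, case in enumerate(cases):
        tid = case.get("test_id", f"test_cases[{i}]")
        if not isinstance(case.get("auth_method"), str):
            problems.append(f"{tid}: auth_method is required")
        sev = case.get("severity_threshold", "medium")
        if sev not in SEVERITIES:
            problems.append(f"{tid}: unknown severity_threshold {sev!r}")
        for check in case.get("vulnerability_checks", ["auth"]):
            if check not in KNOWN_CHECKS:
                problems.append(f"{tid}: unknown vulnerability check {check!r}")
        limit = case.get("rate_limit_threshold", 100)
        if isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0:
            problems.append(f"{tid}: rate_limit_threshold must be a positive integer")
    return problems

# Constructed sample input: a draft suite with deliberate mistakes.
DRAFT = json.loads("""
{"suite_id": "draft", "suite_type": "security", "include_penetration_tests": true,
 "test_cases": [
   {"test_id": "t1", "auth_method": "oauth", "severity_threshold": "hi",
    "vulnerability_checks": ["token_validaton"], "rate_limit_threshold": "100"}
 ]}
""")

if __name__ == "__main__":
    for problem in lint_suite(DRAFT):
        print(problem)
```

Run over the pre-built `security-tests.json` shown above, this reports only that `include_penetration_tests` is true.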

## Security Issue Severity Levels

### Critical Issues

* Remote code execution vulnerabilities
* Authentication bypass flaws
* Complete authorization bypass
* Data exposure vulnerabilities

### High Severity

* Privilege escalation vectors
* Token manipulation vulnerabilities
* OAuth flow vulnerabilities
* Sensitive information disclosure

### Medium Severity

* Input validation gaps
* Minor authentication issues
* Configuration weaknesses
* Rate limiting issues

### Low Severity

* Information leakage (non-sensitive)
* Logging and monitoring gaps
* Documentation security concerns

## Next Steps

1. **[CLI Reference](../cli-reference.md)**
2. **[Server Configuration](../concepts/servers.md)** for auth setup
3. **[Compliance Testing](compliance.md)** for protocol validation
4. **[Conversational Testing](conversational.md)** for user experience
