
XSS MCP Tester Server

Provides AI-assisted XSS testing capabilities by executing tests via an MCP client and dedicated tooling.

Installation
Add the following to your MCP client configuration file.

Configuration

```
{
  "mcpServers": {
    "0xtrk-xss-mcp-tester": {
      "command": "uv",
      "args": [
        "run",
        "--with",
        "mcp[cli]",
        "--with",
        "playwright",
        "mcp",
        "run",
        "/path/to/your/project/main.py"
      ]
    }
  }
}
```

You have a dedicated MCP server that performs XSS tests with AI capabilities. It exposes a focused set of testing tools you can run from an MCP client, enabling practical security testing workflows and automation for web applications.

How to use

To use this MCP server, connect a compatible MCP client and run the server configuration that delegates execution to the uv tool. Set up the client to launch the server with the specified command and arguments, then interact with the available testing tools to probe web pages for XSS behaviors. Start by ensuring your client can reach the local or remote MCP server, then begin testing URLs with payloads, inspecting HTTP responses, and retrieving relevant assets for analysis.

How to install

Prerequisites
- Python 3.8+
- uv package manager

Install uv (if not already installed)
```
curl -LsSf https://astral.sh/uv/install.sh | sh
```

Setup

Clone the repository
```
git clone https://github.com/yourusername/xss-tester-mcp.git
cd xss-tester-mcp
```

Initialize the project
```
uv init
```

Install dependencies
```
uv add mcp playwright fastmcp
```

Install Playwright browsers
```
uv run playwright install chromium
```

Verify installation
```
uv pip list
```

Additional sections

Configuration details and concrete usage steps are provided below to help you wire everything up and begin testing right away. Follow these steps to ensure smooth operation and predictable results.

Configuration is done by pointing your MCP client at the XSS tester server configuration. Use the following snippet to register the MCP server in your client's configuration. This config uses uv to run the server and includes the necessary arguments to initialize the MCP workflow with Playwright support.

```
{
  "mcpServers": {
    "XSS tester": {
      "command": "uv",
      "args": [
        "run",
        "--with",
        "mcp[cli]",
        "--with",
        "playwright",
        "mcp",
        "run",
        "/path/to/your/project/main.py"
      ]
    }
  }
}
```

Notes and tips

- No sensitive data should be transmitted to or from testing endpoints during automated runs. Use non-production URLs for testing whenever possible.
- Ensure Playwright browsers are installed and available for the testing session.
- When you run tests, you can engage the AI-enabled agent to guide the XSS analysis and propose payloads or interpretations.
- If you need to adjust environment variables or runtime options, update the MCP client configuration accordingly and restart the server as needed.

Available tools

test_xss_url

Tests a URL for XSS vulnerabilities by checking if JavaScript execution is triggered.

get_raw_html_response

Fetches the raw HTML response from a URL using urllib.

search_in_html_response

Searches for specific content within HTML responses.

get_javascript_file

Fetches JavaScript files for manual vulnerability analysis.

get_http_headers

Retrieves HTTP response headers for security analysis.

make_custom_http_request

Makes HTTP requests with custom headers (authentication, cookies, sessions).
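
The get_http_headers tool above returns headers "for security analysis"; the sketch below shows what that analysis can look like for XSS defenses, reviewing the Content-Security-Policy and X-Content-Type-Options headers. It is an added example, not code from this project: the function names are hypothetical, and the dict-of-headers input is an assumption because the page does not document the tool's output format.

```python
# Added example, not the project's code. Input is a dict of header name ->
# value; the real output shape of get_http_headers is an assumption.

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # Per the CSP spec, a repeated directive is ignored: first one wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def review_headers(headers):
    """Return findings about response headers that limit XSS impact."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        sources = policy.get("script-src", policy.get("default-src"))
        if sources is None:
            findings.append("CSP does not restrict script sources")
        else:
            lowered = [s.lower() for s in sources]
            # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
            strict = any(s.startswith(HASH_OR_NONCE) for s in lowered)
            if "'unsafe-inline'" in lowered and not strict:
                findings.append("script sources allow 'unsafe-inline'")
            if "'unsafe-eval'" in lowered:
                findings.append("script sources allow 'unsafe-eval'")
            if any(s in ("*", "data:", "http:", "https:") for s in lowered):
                findings.append("script sources allow a wildcard or whole scheme")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK = {"Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:"}
STRICT = {"content-security-policy": "script-src 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'",
          "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strict", STRICT)):
        print(name, review_headers(sample))
```

A finding here means a confirmed XSS on that page would face fewer browser-side barriers; an empty list does not mean the page is free of injection points.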