add more tests

Author: nayanakto

MCP-LT/MCPBrowserOrDriverVersionDisclosure.yml

@@ -0,0 +1,48 @@
+---
+id: MCP_BROWSER_DRIVER_VERSION_DISCLOSURE_LT
+info:
+  name: Browser and Driver Version Disclosure
+  description: |
+    The API response discloses exact browser and driver versions along with commit hash information.
+    Example evidence includes fields such as browserVersion "139.0.7258.139" and chromedriverVersion "139.0.7258.139 (… branch-heads/7258@{#2632})".
+  details: "Attackers can leverage disclosed browser and driver versions, including commit hash details, to identify version-specific CVEs or exploits. \nThis increases the risk of targeted exploitation if the exposed versions are outdated or vulnerable.\n"
+  impact: "Disclosing exact software versions and commit hash details provides attackers with valuable reconnaissance information. \nIt enables version-specific exploit development and makes it easier to identify vulnerabilities in the exposed components.\n"
+  category:
+    name: MCP_SENSITIVE_DATA_LEAKAGE
+    shortName: MCP_SENSITIVE_DATA_LEAKAGE
+    displayName: MCP - Data Leak
+  subCategory: MCP_BROWSER_DRIVER_VERSION_DISCLOSURE_LT
+  severity: MEDIUM
+  tags:
+  - information-disclosure
+  - browser
+  - driver
+  - reconnaissance
+  references:
+  - https://cwe.mitre.org/data/definitions/200.html
+  - https://chromedriver.chromium.org/
+  cwe:
+  - CWE-200
+  cve: []
+attributes:
+  nature: NON_INTRUSIVE
+  plan: PRO
+  duration: FAST
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    eq: POST
+  request_payload:
+    contains_all:
+    - id
+    - jsonrpc
+    - method
+execute:
+  type: single
+  requests:
+  - req: []
+validate:
+  response_payload:
+    magic_validate: "\"Analyze the response and check whether it contains any data related to web browser version (chromedriverVersion, geckodriverVersion, edgedriverVersion, safaridriverVersion, driverVersion) or any value that contains a broswwer software version (digits with dots). Ignore all other types of versions."

MCP-LT/MCPWebdriverSessionExpose.yml

@@ -0,0 +1,61 @@
+---
+id: MCP_WEBDRIVER_SESSIONID_EXPOSURE_LT
+info:
+  name: WebDriver Session Identifier Exposure in MCP Logs
+  description: |
+    This test checks whether the MCP server response contains raw WebDriver `sessionId`
+    values inside automation test logs or responses. Session IDs are sensitive and can
+    allow attackers to hijack active browser automation sessions.
+  details: |
+    The test invokes an MCP API that fetches automation test logs (e.g., WebDriver command
+    or session logs). If the response payload includes `"sessionId": "<value>"`, it indicates
+    that the MCP server is leaking session identifiers directly to clients. An attacker could
+    reuse these session IDs (if the hub or node is accessible) to control active sessions,
+    extract cookies, tokens, or perform malicious actions.
+  impact: |
+    Disclosure of WebDriver session identifiers allows potential session hijacking.
+    Attackers may drive the victim’s browser session, steal authentication tokens,
+    exfiltrate sensitive application data, or use the session as a pivot point into
+    other parts of the infrastructure. Severity may escalate to CRITICAL if the
+    WebDriver grid is reachable beyond the sandboxed environment.
+  category:
+    name: MCP
+    shortName: MCP
+    displayName: Model Context Protocol (MCP) Security
+  subCategory: MCP_WEBDRIVER_SESSIONID_EXPOSURE_LT
+  severity: HIGH
+  tags:
+  - information_disclosure
+  - session_hijacking
+  - webdriver
+  - mcp_security
+  references:
+  - https://cwe.mitre.org/data/definitions/200.html
+  - https://cwe.mitre.org/data/definitions/522.html
+  - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+  cwe:
+  - CWE-200
+  - CWE-522
+  cve: []
+attributes:
+  nature: NON_INTRUSIVE
+  plan: PRO
+  duration: FAST
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    eq: POST
+  request_payload:
+    contains_all:
+    - method
+    - id
+    - jsonrpc
+execute:
+  type: single
+  requests:
+  - req: []
+validate:
+  response_payload:
+    magic_validate: "Whenever WebDriver sessionIds are exposed in the response body then it is a serious vulnerability. check for any such data in the given response. IGNORE errors, ids, sessionIds, etc that are not related to webDrivers."