## WAST Tool Expands to Scan MCP Servers for AI Agent Security Vulnerabilities
The WAST security tool is set to implement a new `wast mcpscan` command, explicitly targeting the emerging and largely unaudited attack surface of Model Context Protocol (MCP) servers. These servers, which expose tools to AI agents via JSON-RPC 2.0 over stdio, SSE, and HTTP, represent a critical new frontier for security flaws as AI tooling proliferates. The planned scanner will hunt for vulnerabilities including parameter injection, prompt injection within tool descriptions, excessive permissions, and missing authentication, directly extending WAST's established web vulnerability detection into the AI-agent ecosystem.

The feature is documented as the next major capability in the project's roadmap, indicating a strategic shift to address risks inherent in AI infrastructure. WAST itself is already MCP-enabled, with internal server and execution code, meaning the new scanner will also be exposed as an `wast_mcpscan` MCP tool. This allows AI agents to directly invoke security scans on other MCP servers they interact with, creating a self-referential security layer within the AI toolchain.

This development signals growing scrutiny on the security posture of AI agent protocols. As MCP adoption increases for connecting AI models to external tools and data, unaddressed vulnerabilities could lead to significant compromise vectors. The move to build scanning directly into a tool like WAST, which is already trusted for web application testing, highlights the industry's recognition of MCP servers as a potential soft target requiring immediate and automated security assessment.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: AI Security, MCP Protocol, Vulnerability Scanning, JSON-RPC, Tooling
- **Credibility**: unverified
- **Published**: 2026-04-01 16:27:19
- **ID**: 45744
- **URL**: https://whisperx.ai/en/intel/45744