Owasp Zap Mcp Server Demo
What is Owasp Zap Mcp Server Demo
Owasp-Zap-MCP-Server-Demo is a WebSocket-based Mission Control Protocol (MCP) server designed for OWASP ZAP security scanning, allowing for real-time control and monitoring of security assessments.
Use cases
Use cases include automated security assessments in CI/CD pipelines, real-time monitoring of security scans, and batch processing of multiple security tests across different domains.
How to use
To use Owasp-Zap-MCP-Server-Demo, install OWASP ZAP, clone the project repository, set up a Python virtual environment, install the required dependencies, and start the ZAP server with appropriate privileges.
Key features
Key features include full automation, real-time updates via WebSocket, native CI/CD integration, batch processing capabilities, robust error handling, and support for concurrent scanning across multiple domains.
Where to use
Owasp-Zap-MCP-Server-Demo can be used in various fields such as software development, cybersecurity, and continuous integration/continuous deployment (CI/CD) environments for automated security testing.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Overview
What is Owasp Zap Mcp Server Demo
Owasp-Zap-MCP-Server-Demo is a WebSocket-based Mission Control Protocol (MCP) server designed for OWASP ZAP security scanning, allowing for real-time control and monitoring of security assessments.
Use cases
Use cases include automated security assessments in CI/CD pipelines, real-time monitoring of security scans, and batch processing of multiple security tests across different domains.
How to use
To use Owasp-Zap-MCP-Server-Demo, install OWASP ZAP, clone the project repository, set up a Python virtual environment, install the required dependencies, and start the ZAP server with appropriate privileges.
Key features
Key features include full automation, real-time updates via WebSocket, native CI/CD integration, batch processing capabilities, robust error handling, and support for concurrent scanning across multiple domains.
Where to use
Owasp-Zap-MCP-Server-Demo can be used in various fields such as software development, cybersecurity, and continuous integration/continuous deployment (CI/CD) environments for automated security testing.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Content
OWASP MCP Server
A WebSocket-based Mission Control Protocol (MCP) server for OWASP ZAP security scanning, enabling real-time control and monitoring of security assessments.
Prerequisites
- Python 3.8+
- OWASP ZAP 2.12.0+
- Java Runtime Environment (JRE) 8+
- Sudo/Administrator privileges (required for ZAP)
Why MCP Server?
| Feature | MCP Server | ZAP UI | ZAP API |
|---|---|---|---|
| Automation | ✅ Full | ❌ Limited | ✅ Basic |
| Real-time Updates | ✅ WebSocket | ✅ Visual | ❌ Polling |
| CI/CD Integration | ✅ Native | ❌ Manual | ✅ Complex |
| Batch Processing | ✅ Yes | ❌ No | ✅ Limited |
| Learning Curve | 🟡 Medium | 🟢 Easy | 🔴 Hard |
| Progress Tracking | ✅ Real-time | ✅ Visual | ❌ Manual |
| Multiple Domains | ✅ Concurrent | ❌ Sequential | 🟡 Limited |
| Error Handling | ✅ Robust | ✅ Basic | ❌ Manual |
Core Components
-
mcp_server.py- The engine that powers everything. Start this first - it’s your security scanning powerhouse that connects to OWASP ZAP. -
mcp_client.py- The brains behind the operation. A powerful SDK that other components use to talk to the server (you won’t use this directly). -
mcp_cli.py- Your go-to command line tool for scanning. Think of it as your Swiss Army knife for security scanning - simple to use, yet powerful. -
test_client.py- A learning tool that shows you the ropes. Perfect for understanding how everything works or testing your setup.
Quick Start
-
Install OWASP ZAP:
Download from https://www.zaproxy.org/download/ -
Setup Project:
git clone https://github.com/shadsidd/Owasp-Zap-MCP-Server-Demo.git cd Owasp-Zap-MCP-Server-Demo python -m venv venv source venv/bin/activate # Windows: .\venv\Scripts\activate pip install -r requirements.txt -
Start ZAP (requires sudo/admin privileges):
# macOS/Linux sudo /Applications/ZAP.app/Contents/Java/zap.sh -daemon -port 8080 # Windows (as Administrator) "C:\Program Files\OWASP\Zed Attack Proxy\zap.bat" -daemon -port 8080 -
Start MCP Server:
python mcp_server.py -
Use the CLI:
# Quick spider scan (passive) python mcp_cli.py scan example.com # Full active scan (comprehensive) python mcp_cli.py fullscan example.com # Specific scan type with HTML report python mcp_cli.py scan --scan-type=active --output=html example.com # Multiple domains scan python mcp_cli.py scan domain1.com domain2.com # Scan from file python mcp_cli.py scan -f domains.txt
Example Files
The examples/ directory contains scripts demonstrating key features:
Security Scanning
basic_scan.py- Core scanning with error handlingauthenticated_scan.py- Form-based and other authentication methodsscan_domains.py- Concurrent scanning of multiple domainscustom_scan_policy.py- Custom rules and thresholds
Integration & Monitoring
ci_cd_integration.py- CI/CD pipeline integrationreal_time_monitor.py- Live progress and alert monitoringteam_notifications.py- Email, Slack, and Teams notificationscustom_rules.py- Specialized security rules
Important Notes
-
Sudo Requirements:
- OWASP ZAP requires sudo/administrator privileges to run
- You will be prompted for your password when starting ZAP
-
Port Configuration:
- ZAP uses port 8080 by default
- MCP Server uses port 3000
- Ensure these ports are not in use before starting
-
Common Issues:
- If you see “Address already in use” error:
# Check what's using port 8080 sudo lsof -i :8080 # Kill the process if needed sudo kill -9 <PID> - If ZAP fails to start, try:
# Clear any existing ZAP processes pkill -f zap
- If you see “Address already in use” error:
Scan Types
The MCP Server supports multiple scan types:
- Spider Scan (Default): Crawls the website to discover content, fastest but finds fewer issues
- Active Scan: Performs security testing with actual attacks, finds more vulnerabilities
- Full Scan: Comprehensive scanning (spider + active), provides the most thorough results
Dev Tools Supporting MCP
The following are the main code editors that support the Model Context Protocol. Click the link to visit the official website for more information.
