Content
# OWASP MCP Server
A WebSocket-based Mission Control Protocol (MCP) server for OWASP ZAP security scanning, enabling real-time control and monitoring of security assessments.
## Prerequisites
- Python 3.8+
- OWASP ZAP 2.12.0+
- Java Runtime Environment (JRE) 8+
- Sudo/Administrator privileges (required for ZAP)
## Why MCP Server?
| Feature | MCP Server | ZAP UI | ZAP API |
|---------|------------|---------|---------|
| Automation | ✅ Full | ❌ Limited | ✅ Basic |
| Real-time Updates | ✅ WebSocket | ✅ Visual | ❌ Polling |
| CI/CD Integration | ✅ Native | ❌ Manual | ✅ Complex |
| Batch Processing | ✅ Yes | ❌ No | ✅ Limited |
| Learning Curve | 🟡 Medium | 🟢 Easy | 🔴 Hard |
| Progress Tracking | ✅ Real-time | ✅ Visual | ❌ Manual |
| Multiple Domains | ✅ Concurrent | ❌ Sequential | 🟡 Limited |
| Error Handling | ✅ Robust | ✅ Basic | ❌ Manual |
## Core Components
- `mcp_server.py` - The engine that powers everything. Start this first - it's your security scanning powerhouse that connects to OWASP ZAP.
- `mcp_client.py` - The brains behind the operation. A powerful SDK that other components use to talk to the server (you won't use this directly).
- `mcp_cli.py` - Your go-to command line tool for scanning. Think of it as your Swiss Army knife for security scanning - simple to use, yet powerful.
- `test_client.py` - A learning tool that shows you the ropes. Perfect for understanding how everything works or testing your setup.
## Quick Start
1. **Install OWASP ZAP**:
Download from https://www.zaproxy.org/download/
2. **Setup Project**:
```bash
git clone https://github.com/shadsidd/Owasp-Zap-MCP-Server-Demo.git
cd Owasp-Zap-MCP-Server-Demo
python -m venv venv
source venv/bin/activate # Windows: .\venv\Scripts\activate
pip install -r requirements.txt
```
3. **Start ZAP** (requires sudo/admin privileges):
```bash
# macOS/Linux
sudo /Applications/ZAP.app/Contents/Java/zap.sh -daemon -port 8080
# Windows (as Administrator)
"C:\Program Files\OWASP\Zed Attack Proxy\zap.bat" -daemon -port 8080
```
4. **Start MCP Server**:
```bash
python mcp_server.py
```
5. **Use the CLI**:
```bash
# Quick spider scan (passive)
python mcp_cli.py scan example.com
# Full active scan (comprehensive)
python mcp_cli.py fullscan example.com
# Specific scan type with HTML report
python mcp_cli.py scan --scan-type=active --output=html example.com
# Multiple domains scan
python mcp_cli.py scan domain1.com domain2.com
# Scan from file
python mcp_cli.py scan -f domains.txt
```
## Example Files
The `examples/` directory contains scripts demonstrating key features:
### Security Scanning
- `basic_scan.py` - Core scanning with error handling
- `authenticated_scan.py` - Form-based and other authentication methods
- `scan_domains.py` - Concurrent scanning of multiple domains
- `custom_scan_policy.py` - Custom rules and thresholds
### Integration & Monitoring
- `ci_cd_integration.py` - CI/CD pipeline integration
- `real_time_monitor.py` - Live progress and alert monitoring
- `team_notifications.py` - Email, Slack, and Teams notifications
- `custom_rules.py` - Specialized security rules
## Important Notes
1. **Sudo Requirements**:
- OWASP ZAP requires sudo/administrator privileges to run
- You will be prompted for your password when starting ZAP
2. **Port Configuration**:
- ZAP uses port 8080 by default
- MCP Server uses port 3000
- Ensure these ports are not in use before starting
3. **Common Issues**:
- If you see "Address already in use" error:
```bash
# Check what's using port 8080
sudo lsof -i :8080
# Kill the process if needed
sudo kill -9 <PID>
```
- If ZAP fails to start, try:
```bash
# Clear any existing ZAP processes
pkill -f zap
```
## Scan Types
The MCP Server supports multiple scan types:
- **Spider Scan** (Default): Crawls the website to discover content, fastest but finds fewer issues
- **Active Scan**: Performs security testing with actual attacks, finds more vulnerabilities
- **Full Scan**: Comprehensive scanning (spider + active), provides the most thorough results
Connection Info
You Might Also Like
MarkItDown MCP
Converting files and office documents to Markdown.
Time
Obtaining current time information and converting time between different...
Filesystem
Model Context Protocol Servers
ZeroZen
Your hyper-personal, always-on, open-source AI companion.
ZeroZen
ZeroZen is an open-source AI companion for managing personal and professional tasks.
mcpd
Declaratively define and run required tools across environments, from local...