OWASP MCP Server

A WebSocket-based Mission Control Protocol (MCP) server for OWASP ZAP security scanning, enabling real-time control and monitoring of security assessments.

Prerequisites

• Python 3.8+
• OWASP ZAP 2.12.0+
• Java Runtime Environment (JRE) 8+
• Sudo/Administrator privileges (required for ZAP)

Why MCP Server?

Feature	MCP Server	ZAP UI	ZAP API
Automation	✅ Full	❌ Limited	✅ Basic
Real-time Updates	✅ WebSocket	✅ Visual	❌ Polling
CI/CD Integration	✅ Native	❌ Manual	✅ Complex
Batch Processing	✅ Yes	❌ No	✅ Limited
Learning Curve	🟡 Medium	🟢 Easy	🔴 Hard
Progress Tracking	✅ Real-time	✅ Visual	❌ Manual
Multiple Domains	✅ Concurrent	❌ Sequential	🟡 Limited
Error Handling	✅ Robust	✅ Basic	❌ Manual

Core Components

• mcp_server.py - The engine that powers everything. Start this first - it's your security scanning powerhouse that connects to OWASP ZAP.

• mcp_client.py - The brains behind the operation. A powerful SDK that other components use to talk to the server (you won't use this directly).

• mcp_cli.py - Your go-to command line tool for scanning. Think of it as your Swiss Army knife for security scanning - simple to use, yet powerful.

• test_client.py - A learning tool that shows you the ropes. Perfect for understanding how everything works or testing your setup.

Quick Start

1. Install OWASP ZAP: Download from https://www.zaproxy.org/download/

2. Setup Project:

   git clone https://github.com/shadsidd/Owasp-Zap-MCP-Server-Demo.git
   cd Owasp-Zap-MCP-Server-Demo
   python -m venv venv
   source venv/bin/activate  # Windows: .\venv\Scripts\activate
   pip install -r requirements.txt

3. Start ZAP (requires sudo/admin privileges):

   # macOS/Linux
   sudo /Applications/ZAP.app/Contents/Java/zap.sh -daemon -port 8080
   
   # Windows (as Administrator)
   "C:\Program Files\OWASP\Zed Attack Proxy\zap.bat" -daemon -port 8080

4. Start MCP Server:

   python mcp_server.py

5. Use the CLI:

   # Quick spider scan (passive)
   python mcp_cli.py scan example.com
   
   # Full active scan (comprehensive)
   python mcp_cli.py fullscan example.com
   
   # Specific scan type with HTML report
   python mcp_cli.py scan --scan-type=active --output=html example.com
   
   # Multiple domains scan
   python mcp_cli.py scan domain1.com domain2.com
   
   # Scan from file
   python mcp_cli.py scan -f domains.txt

Example Files

The examples/ directory contains scripts demonstrating key features:

Security Scanning

• basic_scan.py - Core scanning with error handling
• authenticated_scan.py - Form-based and other authentication methods
• scan_domains.py - Concurrent scanning of multiple domains
• custom_scan_policy.py - Custom rules and thresholds

Integration & Monitoring

• ci_cd_integration.py - CI/CD pipeline integration
• real_time_monitor.py - Live progress and alert monitoring
• team_notifications.py - Email, Slack, and Teams notifications
• custom_rules.py - Specialized security rules

Important Notes

1. Sudo Requirements:

   • OWASP ZAP requires sudo/administrator privileges to run
   • You will be prompted for your password when starting ZAP

2. Port Configuration:

   • ZAP uses port 8080 by default
   • MCP Server uses port 3000
   • Ensure these ports are not in use before starting

3. Common Issues:

   • If you see "Address already in use" error:

     # Check what's using port 8080
     sudo lsof -i :8080
     # Kill the process if needed
     sudo kill -9 <PID>

   • If ZAP fails to start, try:

     # Clear any existing ZAP processes
     pkill -f zap

Scan Types

The MCP Server supports multiple scan types:

• Spider Scan (Default): Crawls the website to discover content, fastest but finds fewer issues
• Active Scan: Performs security testing with actual attacks, finds more vulnerabilities
• Full Scan: Comprehensive scanning (spider + active), provides the most thorough results