I craft unique cereal names, stories, and ridiculously cute Cereal Baby images.
Public
Owasp-Zap-MCP-Server-Demo
2025-04-07
1
Github Watches
3
Github Forks
6
Github Stars
OWASP MCP Server
A WebSocket-based Mission Control Protocol (MCP) server for OWASP ZAP security scanning, enabling real-time control and monitoring of security assessments.
Prerequisites
- Python 3.8+
- OWASP ZAP 2.12.0+
- Java Runtime Environment (JRE) 8+
- Sudo/Administrator privileges (required for ZAP)
Why MCP Server?
| Feature | MCP Server | ZAP UI | ZAP API |
|---|---|---|---|
| Automation | ✅ Full | ❌ Limited | ✅ Basic |
| Real-time Updates | ✅ WebSocket | ✅ Visual | ❌ Polling |
| CI/CD Integration | ✅ Native | ❌ Manual | ✅ Complex |
| Batch Processing | ✅ Yes | ❌ No | ✅ Limited |
| Learning Curve | 🟡 Medium | 🟢 Easy | 🔴 Hard |
| Progress Tracking | ✅ Real-time | ✅ Visual | ❌ Manual |
| Multiple Domains | ✅ Concurrent | ❌ Sequential | 🟡 Limited |
| Error Handling | ✅ Robust | ✅ Basic | ❌ Manual |
Core Components
-
mcp_server.py- The engine that powers everything. Start this first - it's your security scanning powerhouse that connects to OWASP ZAP. -
mcp_client.py- The brains behind the operation. A powerful SDK that other components use to talk to the server (you won't use this directly). -
mcp_cli.py- Your go-to command line tool for scanning. Think of it as your Swiss Army knife for security scanning - simple to use, yet powerful. -
test_client.py- A learning tool that shows you the ropes. Perfect for understanding how everything works or testing your setup.
Quick Start
-
Install OWASP ZAP: Download from https://www.zaproxy.org/download/
-
Setup Project:
git clone https://github.com/shadsidd/Owasp-Zap-MCP-Server-Demo.git cd Owasp-Zap-MCP-Server-Demo python -m venv venv source venv/bin/activate # Windows: .\venv\Scripts\activate pip install -r requirements.txt -
Start ZAP (requires sudo/admin privileges):
# macOS/Linux sudo /Applications/ZAP.app/Contents/Java/zap.sh -daemon -port 8080 # Windows (as Administrator) "C:\Program Files\OWASP\Zed Attack Proxy\zap.bat" -daemon -port 8080 -
Start MCP Server:
python mcp_server.py -
Use the CLI:
# Quick spider scan (passive) python mcp_cli.py scan example.com # Full active scan (comprehensive) python mcp_cli.py fullscan example.com # Specific scan type with HTML report python mcp_cli.py scan --scan-type=active --output=html example.com # Multiple domains scan python mcp_cli.py scan domain1.com domain2.com # Scan from file python mcp_cli.py scan -f domains.txt
Example Files
The examples/ directory contains scripts demonstrating key features:
Security Scanning
-
basic_scan.py- Core scanning with error handling -
authenticated_scan.py- Form-based and other authentication methods -
scan_domains.py- Concurrent scanning of multiple domains -
custom_scan_policy.py- Custom rules and thresholds
Integration & Monitoring
-
ci_cd_integration.py- CI/CD pipeline integration -
real_time_monitor.py- Live progress and alert monitoring -
team_notifications.py- Email, Slack, and Teams notifications -
custom_rules.py- Specialized security rules
Important Notes
-
Sudo Requirements:
- OWASP ZAP requires sudo/administrator privileges to run
- You will be prompted for your password when starting ZAP
-
Port Configuration:
- ZAP uses port 8080 by default
- MCP Server uses port 3000
- Ensure these ports are not in use before starting
-
Common Issues:
- If you see "Address already in use" error:
# Check what's using port 8080 sudo lsof -i :8080 # Kill the process if needed sudo kill -9 <PID> - If ZAP fails to start, try:
# Clear any existing ZAP processes pkill -f zap
- If you see "Address already in use" error:
Scan Types
The MCP Server supports multiple scan types:
- Spider Scan (Default): Crawls the website to discover content, fastest but finds fewer issues
- Active Scan: Performs security testing with actual attacks, finds more vulnerabilities
- Full Scan: Comprehensive scanning (spider + active), provides the most thorough results
相关推荐
I find academic articles and books for research and literature reviews.
Confidential guide on numerology and astrology, based of GG33 Public information
Emulating Dr. Jordan B. Peterson's style in providing life advice and insights.
Your go-to expert in the Rust ecosystem, specializing in precise code interpretation, up-to-date crate version checking, and in-depth source code analysis. I offer accurate, context-aware insights for all your Rust programming questions.
Advanced software engineer GPT that excels through nailing the basics.
Converts Figma frames into front-end code for various mobile frameworks.
Take an adjectivised noun, and create images making it progressively more adjective!
Discover the most comprehensive and up-to-date collection of MCP servers in the market. This repository serves as a centralized hub, offering an extensive catalog of open-source and proprietary MCP servers, complete with features, documentation links, and contributors.
Micropython I2C-based manipulation of the MCP series GPIO expander, derived from Adafruit_MCP230xx
The all-in-one Desktop & Docker AI application with built-in RAG, AI agents, No-code agent builder, MCP compatibility, and more.
Mirror ofhttps://github.com/agentience/practices_mcp_server
Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
Mirror ofhttps://github.com/bitrefill/bitrefill-mcp-server
🧑🚀 全世界最好的LLM资料总结(Agent框架、辅助编程、数据处理、模型训练、模型推理、o1 模型、MCP、小语言模型、视觉语言模型) | Summary of the world's best LLM resources.
Reviews
2
(1)
user_MCYNAAGN
2025-04-16
Owasp-Zap-MCP-Server-Demo by shadsidd is a fantastic tool for anyone looking to enhance their web security testing capabilities. The demo server is easy to set up and integrates seamlessly with OWASP ZAP, making the testing process more efficient. Highly recommend checking out the GitHub link for more details!