
Owasp-Zap-Demo

MCP server from shadsidd/Owasp-Zap-MCP-Server-Demo

Installation

Run this command in your terminal to add the MCP server to Claude Code:

claude mcp add --transport stdio shadsidd-owasp-zap-mcp-server-demo python mcp_server.py

How to use

This MCP server provides a WebSocket-driven interface to control and monitor OWASP ZAP security scans in real time. It exposes a server component that coordinates with ZAP, while the accompanying CLI (mcp_cli.py) and SDK (mcp_client.py) allow you to kick off scans, monitor progress, and fetch results programmatically. Typical workflows involve starting ZAP in daemon mode, launching the MCP server, and then issuing scan commands via the CLI or your own tooling to perform spider, active, and full scans across one or more domains. Expect real-time updates, centralized orchestration, and the ability to integrate results into CI/CD pipelines or alerting systems.

How to install

Prerequisites

  • Python 3.8+
  • OWASP ZAP 2.12.0+ installed and accessible
  • Java Runtime Environment (JRE) 8+ installed
  • Sudo/Administrator privileges to start ZAP when required
  1. Set up a Python virtual environment:
     python -m venv venv
     # macOS/Linux
     source venv/bin/activate
     # Windows
     .\venv\Scripts\activate
  2. Install requirements:
     pip install -r requirements.txt
  3. Ensure OWASP ZAP is installed and runnable (daemon mode recommended):
     • macOS/Linux: sudo /Applications/ZAP.app/Contents/Java/zap.sh -daemon -port 8080
     • Windows (Administrator): "C:\Program Files\OWASP\Zed Attack Proxy\zap.bat" -daemon -port 8080
  4. Run the MCP server:
     python mcp_server.py
  5. (Optional) Run the CLI for quick scans:
     # Quick spider scan (passive)
     python mcp_cli.py scan example.com

     # Full active scan (comprehensive)
     python mcp_cli.py fullscan example.com

Additional notes

Environment and configuration tips:

  • ZAP typically uses port 8080; MCP server defaults to port 3000. Ensure these ports are free or configure accordingly.
  • If you encounter "Address already in use" for ZAP or MCP, identify the process using the port (e.g., lsof -i :8080) and terminate it.
  • Running ZAP with sudo/admin privileges is required on some systems; the MCP server itself does not need elevated privileges, but the ZAP instance it connects to may.
  • The MCP components include mcp_server.py (engine), mcp_cli.py (command-line interface), and mcp_client.py (SDK) for building custom tooling. Use mcp_cli.py for common scans or integrate mcp_client.py in your pipelines.
  • Typical scan types: Spider Scan (default), Active Scan, and Full Scan (Spider + Active). Configure scan options via CLI where supported or via the SDK to tailor risk thresholds and reporting.
  • If you plan to run multiple domains concurrently, consider using the API/SDK to manage concurrency and monitor via the real-time progress feeds.
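The CI/CD integration and risk-threshold tailoring mentioned above, as an added example that is not code from the repository: a pipeline gate over ZAP alert results. It assumes alerts in the shape returned by ZAP's core alerts view (the `risk`, `pluginId`, `alert` and `url` fields), which is what a client built on mcp_client.py would fetch; the sample payload below is constructed.

```python
"""Gate a CI/CD pipeline on ZAP alert results by risk threshold.
Added example, not part of the repository. Alert shape assumed to match
ZAP's /JSON/core/view/alerts/ output; SAMPLE_ALERTS is constructed data."""
from collections import Counter

# ZAP risk levels as reported in the "risk" field, lowest to highest.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed sample: one duplicated Low finding, one High, one Informational.
SAMPLE_ALERTS = [
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "https://example.com/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "https://example.com/"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "https://example.com/search?q=x"},
    {"pluginId": "10096", "alert": "Timestamp Disclosure",
     "risk": "Informational", "url": "https://example.com/"},
]

def risk_rank(risk):
    """Rank a risk string; unknown or missing values rank above High so the
    gate never silently ignores them."""
    return RISK_ORDER.index(risk) if risk in RISK_ORDER else len(RISK_ORDER)

def dedupe(alerts):
    """Collapse repeated findings: ZAP emits one alert per instance, so the
    same plugin on the same URL can appear several times."""
    seen, unique = set(), []
    for a in alerts:
        key = (a.get("pluginId"), a.get("url"))
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique

def summarize(alerts):
    """Count unique alerts per risk level (e.g. for a build summary)."""
    return Counter(a.get("risk", "Unknown") for a in dedupe(alerts))

def gate(alerts, threshold="Medium"):
    """Return (passed, offending): fail when any unique alert is at or above
    the threshold risk. Callers map a failed gate to a non-zero exit code."""
    limit = risk_rank(threshold)
    offending = [a for a in dedupe(alerts) if risk_rank(a.get("risk")) >= limit]
    return (not offending, offending)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_ALERTS)))
    passed, bad = gate(SAMPLE_ALERTS, "Medium")
    print("PASS" if passed else "FAIL: " + ", ".join(a["alert"] for a in bad))
```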
