MCP.so
Sign In

OWASP MCP Server

@shadsidd

About OWASP MCP Server

No overview available yet

Basic information

Category

Other

Runtime

python

Transports

stdio

Publisher

shadsidd

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "Owasp-Zap-MCP-Server-Demo": {
      "command": "python",
      "args": [
        "-m",
        "venv",
        "venv"
      ]
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is OWASP MCP Server?

OWASP MCP Server is a WebSocket-based Mission Control Protocol server for OWASP ZAP security scanning. It enables real-time control and monitoring of security assessments, designed for security professionals and CI/CD pipelines who need automated, scalable scanning.

How to use OWASP MCP Server?

Install Python 3.8+, OWASP ZAP 2.12.0+, and JRE 8+. Clone the repository, create a virtual environment, and install dependencies. Start ZAP in daemon mode on port 8080 with sudo/administrator privileges, then run python mcp_server.py. Use the included CLI (mcp_cli.py) with commands like scan <domain> or fullscan <domain>, supporting options for scan type, output format, multiple domains, and file input.

Key features of OWASP MCP Server

  • WebSocket-based real-time updates for scan progress and alerts
  • Native CI/CD integration for automated security testing
  • Concurrent scanning of multiple domains
  • Robust error handling with clear diagnostic messages
  • Batch processing via domain list files
  • Supports spider, active, and full scan types
  • Generates HTML reports and integrates with notification services

Use cases of OWASP MCP Server

  • Automating security scans in CI/CD pipelines
  • Real-time monitoring of live security assessments
  • Concurrent scanning of multiple web applications
  • Authenticated scanning with form-based and other authentication methods
  • Team notifications via email, Slack, and Microsoft Teams

FAQ from OWASP MCP Server

What are the prerequisites to run OWASP MCP Server?

You need Python 3.8+, OWASP ZAP 2.12.0+, Java Runtime Environment 8+, and sudo/administrator privileges. The project uses standard Python packages installed via pip install -r requirements.txt.

Why use OWASP MCP Server instead of the ZAP UI or API?

Compared to the ZAP UI, OWASP MCP Server offers full automation, native CI/CD integration, batch processing, and concurrent multiple-domain scanning. Compared to the ZAP API, it provides real-time WebSocket updates instead of polling, easier CI/CD integration, and more robust error handling.

How do I start ZAP and the MCP server?

Start ZAP in daemon mode with sudo /Applications/ZAP.app/Contents/Java/zap.sh -daemon -port 8080 (macOS/Linux) or the equivalent Windows command. Then run python mcp_server.py. Ensure ports 8080 (ZAP) and 3000 (MCP) are free.

What scan types are available?

Spider Scan (passive crawling, fastest), Active Scan (performs security attacks, finds more vulnerabilities), and Full Scan (spider + active for comprehensive testing). These are selectable via the CLI.

What are common issues and how to resolve them?

If you see "Address already in use", check the port with sudo lsof -i :8080 and kill the process. If ZAP fails to start, clear existing ZAP processes with pkill -f zap. ZAP requires sudo/administrator privileges to run.

Comments

More Other MCP servers