ZAP-MCP

ZAP-MCP

5
securityai_chatbot

ZAP-MCP integrates OWASP ZAP with AI models through the Model Context Protocol to enable AI-driven security testing. It serves as a server exposing functions for security scans and analysis, offering features like real-time monitoring and automated report generation.

ZAP-MCP: Model Context Protocol for OWASP ZAP

A powerful integration between OWASP ZAP and AI models through the Model Context Protocol (MCP). This project enables AI-driven security testing by allowing AI models to directly interact with ZAP's scanning capabilities.

Overview

ZAP-MCP provides a bridge between AI models (like Claude) and OWASP ZAP, enabling automated security testing and analysis. It uses a client-server architecture where ZAP-MCP acts as the server, exposing standardized functions that can be called by AI models through the MCP protocol.

Features

  • AI-Driven Security Testing: Enable AI models to perform security scans and analysis
  • Real-time Scan Monitoring: Track scan progress and get instant alerts
  • Automated Analysis: Generate security reports and recommendations
  • Flexible Integration: Works with various AI models through the MCP protocol
  • WebSocket Communication: Real-time updates and interactions

Prerequisites

  • Python 3.8+
  • OWASP ZAP running locally or remotely
  • Claude Desktop App (or other MCP-compatible client)

Installation

  1. Clone the repository:
git clone https://github.com/tazer/ZAP-MCP.git
cd ZAP-MCP
  1. Install dependencies:
pip install -r requirements.txt
  1. Set up the MCP server:
./setup_mcp.sh
  1. Configure ZAP-MCP:
    • Copy claude_desktop_config.json to your Claude app's config directory
    • Update the ZAP API key and URL in the config file

Usage

  1. Start the MCP server:
mcp-server --config claude_desktop_config.json --model-dir ./models

  1. Configure your Claude desktop app:

    • Open Claude app settings
    • Enable MCP server integration
    • Set the WebSocket URL to: ws://localhost:7456/ws

  2. Start using ZAP-MCP:

    • The Claude app will now have access to ZAP scanning tools
    • You can request security scans, get alerts, and generate reports

Available Tools

The MCP server exposes these ZAP-specific tools:

  • start_scan: Start a new ZAP scan on a target URL
  • get_scan_status: Check the status of a running scan
  • get_alerts: Get all alerts from the current scan
  • get_scan_summary: Get a summary of the current scan

Configuration

The claude_desktop_config.json file contains all necessary settings:

{
    "mcp_server": {
        "host": "localhost",
        "port": 7456,
        "model": "claude-instant-v1",
        "max_tokens": 1000,
        "temperature": 0.7,
        "zap_api_key": "your-zap-api-key",
        "zap_url": "http://localhost:8080"
    },
    "local_models": {
        "path": "./models",
        "prefer_local": true
    },
    "zap_settings": {
        "scan_timeout": 300,
        "max_concurrent_scans": 5,
        "alert_threshold": "HIGH",
        "scan_policy": "default"
    }
}

Development

This project was developed using Cursor AI, an intelligent coding assistant that helped streamline the development process and ensure code quality.

Author

  • TAZER - Initial work and maintenance

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • OWASP ZAP team for their excellent security testing tool
  • Anthropic for Claude AI
  • Cursor AI for their assistance in development