mcp-zap-server
Verified Safeby dtkmn
Overview
Orchestrates OWASP ZAP security scanning actions (spider, active scan, OpenAPI import, reporting) via the Model Context Protocol, enabling AI agents like Claude Desktop or Cursor to perform security testing.
Installation
./dev.shEnvironment Variables
- ZAP_API_KEY
- MCP_API_KEY
- LOCAL_ZAP_WORKPLACE_FOLDER
- MCP_SECURITY_MODE
- JWT_ENABLED
- JWT_SECRET
Security Notes
The project demonstrates strong security practices: it implements flexible authentication modes (API Key, JWT with refresh and blacklist), enforces robust URL validation to prevent scanning of internal/private networks and localhost by default, and mandates strong secret keys for JWT. CSRF protection is intentionally disabled with clear justification, as it's an API-only server using header-based token authentication (not cookies), aligning with OWASP API security best practices. There are no hardcoded secrets in the source code; sensitive configurations are loaded via environment variables, with 'changeme' defaults for development. Explicit warnings are provided for using 'none' security mode in production.
Similar Servers
context-engineering
Provides a Model Context Protocol (MCP) server that enables AI agents to control a web browser using Selenium for web automation tasks.
MCP-Agent
An autonomous AI agent designed to discover, connect to, and utilize tools and resources from various Model Context Protocol (MCP) servers to accomplish tasks.
azure-devops-mcp-server
Exposes Azure DevOps operations as tools for AI assistants, enabling AI agents to automate tasks like creating work items, managing pull requests, and queuing builds.
Mcpwn
Automated security testing framework for Model Context Protocol (MCP) servers, detecting RCE, path traversal, prompt injection, and protocol vulnerabilities.