Switch to HTTP Sender script for MCP header injection

mabashian · mabashian · commit 5928b42c5d19 · 2025-11-20T15:40:34.000-05:00
Replaces the Replacer add-on with a custom HTTP Sender script to inject the Mcp-Session-Id header into all requests in ZAP. Updates the automation framework configuration to set the session ID as a global variable and load, run, and enable the new script for authenticated scanning.
diff --git a/scripts/zap/add-mcp-session-header.js b/scripts/zap/add-mcp-session-header.js
@@ -0,0 +1,29 @@
+/**
+ * ZAP HTTP Sender Script - Add MCP Session ID Header
+ *
+ * This script intercepts all outgoing HTTP requests from ZAP
+ * and adds the Mcp-Session-Id header to enable authenticated scanning.
+ *
+ * The session ID is stored as a global variable by the automation framework.
+ */
+
+function sendingRequest(msg, initiator, helper) {
+  // Get the MCP session ID from global variable
+  var sessionId = org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar('mcpSessionId');
+
+  if (sessionId != null && sessionId != '') {
+    // Add the Mcp-Session-Id header to the request
+    msg.getRequestHeader().setHeader('Mcp-Session-Id', sessionId);
+
+    // Also ensure we have the Accept header for MCP endpoints
+    var uri = msg.getRequestHeader().getURI().toString();
+    if (uri.indexOf('/mcp') !== -1) {
+      msg.getRequestHeader().setHeader('Accept', 'application/json, text/event-stream');
+      msg.getRequestHeader().setHeader('Content-Type', 'application/json');
+    }
+  }
+}
+
+function responseReceived(msg, initiator, helper) {
+  // No action needed on response
+}
diff --git a/scripts/zap/automation-framework.yml b/scripts/zap/automation-framework.yml
@@ -1,6 +1,6 @@
 ---
 # ZAP Automation Framework Configuration for MCP Protocol
-# Uses the Replacer add-on to inject Mcp-Session-Id header into all requests
+# Uses HTTP Sender script to inject Mcp-Session-Id header into all requests
 
 env:
   contexts:
@@ -17,13 +17,33 @@ env:
     progressToStdout: true
 
 jobs:
-  # Add the Mcp-Session-Id header to all requests using Replacer
-  - type: replacer
+  # Store the MCP session ID as a global variable for the HTTP Sender script
+  - type: script
     parameters:
-      rules:
-        - description: "Add MCP Session ID header"
-          enabled: true
-          matchType: REQ_HEADER
-          matchString: "Mcp-Session-Id"
-          replacement: "Mcp-Session-Id: MCP_SESSION_ID_PLACEHOLDER"
-          initiators: []
+      action: add
+      type: standalone
+      engine: "ECMAScript : Graal.js"
+      name: set-mcp-session-id
+      inline: |
+        org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar('mcpSessionId', 'MCP_SESSION_ID_PLACEHOLDER')
+
+  - type: script
+    parameters:
+      action: run
+      type: standalone
+      name: set-mcp-session-id
+
+  # Load and enable the HTTP Sender script to add headers to all requests
+  - type: script
+    parameters:
+      action: add
+      type: httpsender
+      engine: "Oracle Nashorn"
+      name: add-mcp-session-header
+      file: /opt/rapidast/work/scripts/zap/add-mcp-session-header.js
+
+  - type: script
+    parameters:
+      action: enable
+      type: httpsender
+      name: add-mcp-session-header
