Automate MCP session initialization for ZAP

Adds a script to initialize MCP sessions and updates the GitHub workflow to inject the session ID into the ZAP automation framework. Refactors the ZAP automation config to use the Replacer add-on for header injection, removing custom authentication and session management scripts.

Author: mabashian

.github/workflows/rapidast.yml

@@ -120,6 +120,18 @@ jobs:
           mkdir -p results
           chmod 777 results
 
+      - name: Initialize MCP session for ZAP
+        run: |
+          echo "Initializing MCP session..."
+          MCP_SESSION_ID=$(node scripts/init-mcp-session.cjs http://localhost:3000/mcp test-token)
+          echo "MCP_SESSION_ID=$MCP_SESSION_ID" >> $GITHUB_ENV
+          echo "Session ID: $MCP_SESSION_ID"
+
+          # Update the automation framework with the actual session ID
+          sed -i "s/MCP_SESSION_ID_PLACEHOLDER/$MCP_SESSION_ID/" scripts/zap/automation-framework.yml
+
+          echo "Updated ZAP automation framework with session ID"
+
       - name: Run RapiDAST scan
         id: rapidast
         continue-on-error: true

scripts/init-mcp-session.cjs

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+
+/**
+ * Initialize MCP Session for ZAP Security Scanning
+ *
+ * This script:
+ * 1. Sends an MCP initialization request to the MCP server
+ * 2. Extracts the Mcp-Session-Id from the response header
+ * 3. Outputs the session ID to stdout for use in the workflow
+ *
+ * Usage:
+ *   node scripts/init-mcp-session.cjs [mcp-url] [bearer-token]
+ *
+ * Environment Variables:
+ *   MCP_URL - MCP server URL (default: http://localhost:3000/mcp)
+ *   BEARER_TOKEN - Bearer token for authentication (default: test-token)
+ */
+
+const http = require('http');
+const https = require('https');
+const { URL } = require('url');
+
+// Get configuration from args or environment
+const MCP_URL = process.argv[2] || process.env.MCP_URL || 'http://localhost:3000/mcp';
+const BEARER_TOKEN = process.argv[3] || process.env.BEARER_TOKEN || 'test-token';
+
+// MCP initialization request payload
+const initRequest = JSON.stringify({
+  jsonrpc: '2.0',
+  id: 1,
+  method: 'initialize',
+  params: {
+    protocolVersion: '2024-11-05',
+    capabilities: {},
+    clientInfo: {
+      name: 'ZAP-Security-Scanner',
+      version: '1.0.0'
+    }
+  }
+});
+
+/**
+ * Send MCP initialization request
+ */
+function initializeMcpSession() {
+  const url = new URL(MCP_URL);
+  const isHttps = url.protocol === 'https:';
+  const client = isHttps ? https : http;
+
+  const options = {
+    hostname: url.hostname,
+    port: url.port || (isHttps ? 443 : 80),
+    path: url.pathname + url.search,
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${BEARER_TOKEN}`,
+      'Accept': 'application/json, text/event-stream',
+      'Content-Length': Buffer.byteLength(initRequest)
+    }
+  };
+
+  console.error(`Initializing MCP session at ${MCP_URL}...`);
+
+  const req = client.request(options, (res) => {
+    let data = '';
+
+    res.on('data', (chunk) => {
+      data += chunk;
+    });
+
+    res.on('end', () => {
+      const sessionId = res.headers['mcp-session-id'];
+
+      if (res.statusCode === 200 && sessionId) {
+        console.error(`✓ Successfully obtained MCP session ID: ${sessionId}`);
+        console.error(`Response status: ${res.statusCode}`);
+
+        // Output just the session ID to stdout (for capture in workflow)
+        console.log(sessionId);
+        process.exit(0);
+      } else {
+        console.error(`✗ Failed to obtain MCP session ID`);
+        console.error(`Response status: ${res.statusCode}`);
+        console.error(`Response headers:`, res.headers);
+        console.error(`Response body:`, data);
+        process.exit(1);
+      }
+    });
+  });
+
+  req.on('error', (error) => {
+    console.error(`✗ Request failed:`, error.message);
+    process.exit(1);
+  });
+
+  // Send the request
+  req.write(initRequest);
+  req.end();
+}
+
+// Run the initialization
+initializeMcpSession();

scripts/zap/automation-framework.yml

@@ -1,7 +1,6 @@
 ---
 # ZAP Automation Framework Configuration for MCP Protocol
-# This configures custom authentication and session management scripts
-# for the MCP (Model Context Protocol) used by AAP MCP Server
+# Uses the Replacer add-on to inject Mcp-Session-Id header into all requests
 
 env:
   contexts:
@@ -11,44 +10,20 @@ env:
       includePaths:
         - "http://localhost:3000/.*"
       excludePaths: []
-      authentication:
-        method: "script"
-        parameters:
-          script: "MCP Authentication"
-          scriptEngine: "ECMAScript : Graal.js"
-          Login URL: "http://localhost:3000/mcp"
-        verification:
-          method: "response"
-          loggedInRegex: "\\Q{\"result\":\\E"
-          loggedOutRegex: "\\Qerror\\E"
-      sessionManagement:
-        method: "script"
-        parameters:
-          script: "MCP Session Management"
-          scriptEngine: "ECMAScript : Graal.js"
-      users:
-        - name: "test-user"
-          credentials:
-            token: "test-token"
 
   parameters:
     failOnError: true
     failOnWarning: false
     progressToStdout: true
 
 jobs:
-  - type: script
+  # Add the Mcp-Session-Id header to all requests using Replacer
+  - type: replacer
     parameters:
-      action: add
-      name: "MCP Authentication"
-      type: authentication
-      engine: "ECMAScript : Graal.js"
-      file: "/opt/rapidast/work/scripts/zap/mcp-authentication.js"
-
-  - type: script
-    parameters:
-      action: add
-      name: "MCP Session Management"
-      type: session
-      engine: "ECMAScript : Graal.js"
-      file: "/opt/rapidast/work/scripts/zap/mcp-session-management.js"
+      rules:
+        - description: "Add MCP Session ID header"
+          enabled: true
+          matchType: REQ_HEADER
+          matchString: "Mcp-Session-Id"
+          replacement: "Mcp-Session-Id: MCP_SESSION_ID_PLACEHOLDER"
+          initiators: []