VulneraMCP

Instructions

Implementation Reference

• src/tools/zap.ts:329-378 (handler)

  Handler function for the 'zap.proxy_process' tool. Processes the request through MCPProxyLayer, saves findings to database, and formats the response with extracted findings.
  async ({ method, url, headers = {}, body }: any): Promise<ToolResult> => { try { const proxy = getProxyLayer(); const result = await proxy.processRequest(method, url, headers, body); // Save findings to database for (const finding of result.findings) { if (finding.customFinding) { await safeSaveTestResult( finding.customFinding.url, finding.customFinding.type, finding.verified, finding.customFinding, undefined, (finding.aiScore || finding.correlationScore) * 10, finding.customFinding.evidence, JSON.stringify(finding) ); } else if (finding.zapAlert) { await safeSaveTestResult( finding.zapAlert.url, finding.zapAlert.name, finding.verified, finding.zapAlert, undefined, finding.correlationScore * 10, finding.zapAlert.attack || '', JSON.stringify(finding.zapAlert) ); } } return formatToolResult(true, { request: result.request, response: result.response, findings: result.findings.map(f => ({ type: f.zapAlert?.name || f.customFinding?.type || 'unknown', severity: f.zapAlert?.risk || f.customFinding?.severity || 'low', confidence: f.zapAlert?.confidence || f.customFinding?.confidence || 0, url: f.zapAlert?.url || f.customFinding?.url || '', correlationScore: f.correlationScore, aiScore: f.aiScore, verified: f.verified, })), findingsCount: result.findings.length, }); } catch (error: any) { return formatToolResult(false, null, error.message || 'Failed to process request'); } }
• src/integrations/zap-proxy.ts:53-101 (helper)

  Core helper method in MCPProxyLayer that implements the proxy processing logic: routes request through ZAP, performs custom vulnerability analysis, retrieves ZAP alerts, correlates findings, and returns enhanced results.
  async processRequest( method: string, url: string, headers: Record<string, string>, body?: string ): Promise<{ request: ProxyRequest; response?: ProxyResponse; findings: EnhancedFinding[] }> { const request: ProxyRequest = { method, url, headers, body, timestamp: Date.now(), }; // Store request this.requestHistory.push(request); const requestId = `${method}_${url}_${Date.now()}`; // Send through ZAP const zapResponse = await this.zapClient.sendRequest(url, method, headers, body); // Extract response if available let response: ProxyResponse | undefined; if (zapResponse.success && zapResponse.data) { // Parse ZAP response format response = { statusCode: zapResponse.data.statusCode || 200, headers: zapResponse.data.headers || {}, body: zapResponse.data.body || '', timestamp: Date.now(), }; this.responseHistory.set(requestId, response); } // Analyze for custom findings const customFindings = await this.analyzeRequest(request, response); // Get ZAP alerts for this URL const zapAlerts = await this.getZAPAlertsForURL(url); // Correlate findings const findings = this.correlateFindings(zapAlerts, customFindings, url); return { request, response, findings, }; }
• src/tools/zap.ts:304-327 (schema)

  Schema definition for the 'zap.proxy_process' tool, including description and inputSchema for validation.
  { description: 'Process a request through the MCP proxy layer (enhances with AI intelligence)', inputSchema: { type: 'object', properties: { method: { type: 'string', description: 'HTTP method', }, url: { type: 'string', description: 'Target URL', }, headers: { type: 'object', description: 'HTTP headers (optional)', }, body: { type: 'string', description: 'Request body (optional)', }, }, required: ['method', 'url'], },
• src/tools/zap.ts:301-379 (registration)

  Registration of the 'zap.proxy_process' tool on the MCP server, including name, schema, and handler function.
  // Process request through MCP proxy layer server.tool( 'zap.proxy_process', { description: 'Process a request through the MCP proxy layer (enhances with AI intelligence)', inputSchema: { type: 'object', properties: { method: { type: 'string', description: 'HTTP method', }, url: { type: 'string', description: 'Target URL', }, headers: { type: 'object', description: 'HTTP headers (optional)', }, body: { type: 'string', description: 'Request body (optional)', }, }, required: ['method', 'url'], }, }, async ({ method, url, headers = {}, body }: any): Promise<ToolResult> => { try { const proxy = getProxyLayer(); const result = await proxy.processRequest(method, url, headers, body); // Save findings to database for (const finding of result.findings) { if (finding.customFinding) { await safeSaveTestResult( finding.customFinding.url, finding.customFinding.type, finding.verified, finding.customFinding, undefined, (finding.aiScore || finding.correlationScore) * 10, finding.customFinding.evidence, JSON.stringify(finding) ); } else if (finding.zapAlert) { await safeSaveTestResult( finding.zapAlert.url, finding.zapAlert.name, finding.verified, finding.zapAlert, undefined, finding.correlationScore * 10, finding.zapAlert.attack || '', JSON.stringify(finding.zapAlert) ); } } return formatToolResult(true, { request: result.request, response: result.response, findings: result.findings.map(f => ({ type: f.zapAlert?.name || f.customFinding?.type || 'unknown', severity: f.zapAlert?.risk || f.customFinding?.severity || 'low', confidence: f.zapAlert?.confidence || f.customFinding?.confidence || 0, url: f.zapAlert?.url || f.customFinding?.url || '', correlationScore: f.correlationScore, aiScore: f.aiScore, verified: f.verified, })), findingsCount: result.findings.length, }); } catch (error: any) { return formatToolResult(false, null, error.message || 'Failed to process request'); } } );
• src/tools/zap.ts:26-32 (helper)

  getProxyLayer helper function that lazily initializes and returns the MCPProxyLayer instance used by the tool handler.
  function getProxyLayer(): MCPProxyLayer { if (!proxyLayer) { const zapClient = initZAP(); proxyLayer = new MCPProxyLayer(zapClient); } return proxyLayer; }