
WASS

A robust security scanning MCP server that integrates Nikto and Wapiti to perform web vulnerability assessments with persistent execution history and parallel scanning capabilities.

Stars: 1 | Tools: 4 | Updated: Jan 2, 2026 | Validated: Jan 11, 2026

WASS-MCP

A Model Context Protocol (MCP) server for web application security scanning.

Features

  • MCP Protocol Support - Full compatibility with MCP clients (Claude, etc.)
  • Nikto Integration - Web server vulnerability scanning
  • Wapiti Integration - Web application vulnerability scanning
  • Execution History - Persistent storage of scan results
  • Stateless Design - No server-side session state, so clients keep working across server restarts without session errors
  • HTTP Transport - MCP Streamable HTTP transport: clients send JSON-RPC requests to a single POST /mcp endpoint
  • Comprehensive Test Suite - Full test coverage for all packages

Requirements

  • Go 1.25+
  • Nikto (apt install nikto or equivalent)
  • Wapiti (apt install wapiti or equivalent)
  • SQLite3

Installation

# Clone the repository
git clone https://github.com/tb0hdan/wass-mcp.git
cd wass-mcp

# Build
make build

# Run
./build/wass-mcp

Usage

Starting the Server

# Default (localhost:8989)
./build/wass-mcp

# Custom bind address (0.0.0.0 listens on every interface; this README documents
# no authentication on /mcp, so keep the server on localhost or put an
# authenticating proxy in front of it before binding wider)
./build/wass-mcp --bind 0.0.0.0:8080

# Custom database path
./build/wass-mcp --db /var/lib/wass-mcp/data.db

# Debug mode
./build/wass-mcp --debug

Configuration Options

Flag       Default          Description
--bind     localhost:8989   HTTP server bind address
--db       ./wass-mcp.db    SQLite database file path
--debug    false            Enable debug logging
--version  -                Print version and exit

MCP Client Configuration

Add to your MCP client configuration:

{
  "mcpServers": {
    "wass-mcp": {
      "url": "http://localhost:8989/mcp"
    }
  }
}

Available Tools

nikto

Perform web server vulnerability scans using Nikto.

Parameters:

Name       Type     Required  Description
host       string   Yes       Target hostname or IP address
port       integer  No        Target port (default: 80)
vhost      string   No        Virtual host header
max_lines  integer  No        Maximum output lines
offset     integer  No        Output line offset

Example:

{
  "host": "192.168.1.100",
  "port": 443
}
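The client side of the exchange that the MCP client configuration above sets up, and of the nikto parameters just listed, as an added example that is not code from the wass-mcp project: a small Go client that posts a JSON-RPC tools/call to the /mcp endpoint, accepts both reply forms the MCP Streamable HTTP transport allows (plain JSON and an SSE stream), surfaces JSON-RPC errors and isError results as Go errors, and pages through scanner output with the documented max_lines and offset parameters. The helper names (ParseRPCBody, CallTool, ScanPages) and the assumption that an empty page marks the end of the output are this example's, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// rpcMessage is the JSON-RPC 2.0 reply a POST /mcp returns over the MCP Streamable HTTP transport.
type rpcMessage struct {
	Result json.RawMessage                     `json:"result,omitempty"`
	Error  *struct{ Code int; Message string } `json:"error,omitempty"`
}

// toolCallParams is the params object of tools/call; toolResult is what a client reads back.
type toolCallParams struct {
	Name      string         `json:"name"`
	Arguments map[string]any `json:"arguments"`
}
type toolResult struct {
	Content []struct{ Type, Text string } `json:"content"`
	IsError bool                          `json:"isError"`
}

// ParseRPCBody decodes a response body, which a Streamable HTTP server may send as plain
// JSON or as an SSE stream whose last "data:" line carries the reply (no data: line -> error).
func ParseRPCBody(contentType string, raw []byte) (rpcMessage, error) {
	var msg rpcMessage
	payload := raw
	if strings.HasPrefix(contentType, "text/event-stream") {
		payload = nil
		for _, line := range strings.Split(string(raw), "\n") {
			if strings.HasPrefix(line, "data:") {
				payload = []byte(strings.TrimPrefix(line, "data:"))
			}
		}
	}
	err := json.Unmarshal(payload, &msg)
	return msg, err
}

// CallTool posts one tools/call and returns the result text; a JSON-RPC error or an
// isError result (how MCP reports a failed tool run) comes back as a Go error.
func CallTool(endpoint, tool string, args map[string]any) (string, error) {
	body, _ := json.Marshal(map[string]any{"jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": toolCallParams{Name: tool, Arguments: args}})
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(string(body)))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json, text/event-stream") // the server may answer in either form
	httpResp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer httpResp.Body.Close()
	raw, _ := io.ReadAll(httpResp.Body)
	msg, err := ParseRPCBody(httpResp.Header.Get("Content-Type"), raw)
	if err != nil {
		return "", err
	}
	if msg.Error != nil {
		return "", fmt.Errorf("JSON-RPC error %d: %s", msg.Error.Code, msg.Error.Message)
	}
	var result toolResult
	if err := json.Unmarshal(msg.Result, &result); err != nil {
		return "", err
	}
	var sb strings.Builder
	for _, c := range result.Content { // scanner tools return text items; other item kinds carry no Text
		sb.WriteString(c.Text)
	}
	if result.IsError {
		return sb.String(), fmt.Errorf("tool %q reported an error", tool)
	}
	return sb.String(), nil
}

// ScanPages pages through one scanner's output via max_lines/offset; an empty page is assumed to be the end.
func ScanPages(endpoint, tool, host string, port, pageSize int) ([]string, error) {
	var pages []string
	for offset := 0; ; offset += pageSize {
		args := map[string]any{"host": host, "port": port, "max_lines": pageSize, "offset": offset}
		text, err := CallTool(endpoint, tool, args)
		if err != nil {
			return pages, err
		}
		if strings.TrimSpace(text) == "" {
			return pages, nil
		}
		pages = append(pages, text)
	}
}

func main() { fmt.Println(ScanPages("http://localhost:8989/mcp", "nikto", "192.168.1.100", 443, 50)) } // connection error unless a server listens on the default bind
```

Note the Accept header: the Streamable HTTP transport lets the server choose between a JSON body and an SSE stream for the same request, so a client that only parses JSON will break against a server that streams. Long scans can exceed http.DefaultClient's (absent) timeout expectations in the other direction; give the client an explicit Timeout sized for your scanners before using this against real targets.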

wapiti

Perform comprehensive web application vulnerability scans using Wapiti.

Parameters:

Name       Type     Required  Description
host       string   Yes       Target hostname or IP address
port       integer  No        Target port (default: 80)
vhost      string   No        Virtual host header
max_lines  integer  No        Maximum output lines
offset     integer  No        Output line offset

Vulnerabilities Detected:

  • SQL Injection / Blind SQL Injection
  • Cross-Site Scripting (XSS)
  • File Inclusion / Path Traversal
  • Command Execution
  • CRLF Injection
  • Server-Side Request Forgery (SSRF)
  • Open Redirects
  • Missing or misconfigured HTTP security headers
  • Content Security Policy issues

Example:

{
  "host": "192.168.1.100",
  "port": 8080
}

full_scan

Perform a comprehensive security scan using all available scanners in parallel.

Parameters:

Name       Type     Required  Description
host       string   Yes       Target hostname or IP address
port       integer  No        Target port (default: 80)
vhost      string   No        Virtual host header
max_lines  integer  No        Maximum output lines
offset     integer  No        Output line offset

Features:

  • Runs nikto and wapiti scanners in parallel
  • Merges results into a unified report
  • Includes timing and status for each scanner
  • Gracefully handles missing scanner binaries

Example:

{
  "host": "192.168.1.100",
  "port": 8080
}
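How a parallel full scan with per-scanner status and timing and graceful handling of missing binaries can be built, as an added example and not the project's own fullscan package: each scanner runs in its own goroutine under one shared deadline, and a missing binary, a non-zero exit and a timeout each become a status in the merged report rather than an error that aborts the whole scan. The command lines in BuildScanners use the tools' own flags (Nikto -h/-p/-vhost, Wapiti -u); how WASS-MCP composes them is not shown on the page, so treat them, the status names and the URL scheme choice as this example's assumptions.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os/exec"
	"strings"
	"sync"
	"time"
)

// Scanner is one external scanner invocation: the binary and its argument list.
type Scanner struct {
	Name string
	Cmd  string
	Args []string
}

type Result struct {
	Scanner  string
	Status   string // "ok", "missing", "failed" or "timeout" (names are this example's)
	Duration time.Duration
	Output   string
	Err      string
}

// BuildScanners composes the two command lines with the tools' own flags (Nikto -h/-p/-vhost,
// Wapiti -u); how WASS-MCP composes them is not on the page, so treat these as assumptions.
func BuildScanners(host string, port int, vhost string) []Scanner {
	nikto := []string{"-h", host, "-p", fmt.Sprint(port)}
	if vhost != "" {
		nikto = append(nikto, "-vhost", vhost)
	}
	scheme := "http"
	if port == 443 {
		scheme = "https"
	}
	return []Scanner{
		{Name: "nikto", Cmd: "nikto", Args: nikto},
		{Name: "wapiti", Cmd: "wapiti", Args: []string{"-u", fmt.Sprintf("%s://%s:%d/", scheme, host, port)}},
	}
}

// runOne executes one scanner under ctx; a missing binary, a non-zero exit and a timeout each become a status.
func runOne(ctx context.Context, s Scanner) Result {
	res := Result{Scanner: s.Name}
	if _, err := exec.LookPath(s.Cmd); err != nil {
		res.Status, res.Err = "missing", err.Error()
		return res
	}
	var stdout, stderr bytes.Buffer
	cmd := exec.CommandContext(ctx, s.Cmd, s.Args...)
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	cmd.WaitDelay = 2 * time.Second // return even if a grandchild keeps stdout open after the kill
	start := time.Now()
	err := cmd.Run()
	res.Duration, res.Output = time.Since(start), stdout.String()
	switch {
	case err == nil:
		res.Status = "ok"
	case ctx.Err() == context.DeadlineExceeded:
		res.Status, res.Err = "timeout", ctx.Err().Error()
	default:
		res.Status, res.Err = "failed", strings.TrimSpace(err.Error()+" "+stderr.String())
	}
	return res
}

// RunAll runs every scanner concurrently under one deadline; results keep input order.
func RunAll(ctx context.Context, scanners []Scanner, timeout time.Duration) []Result {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	results := make([]Result, len(scanners))
	var wg sync.WaitGroup
	for i, s := range scanners {
		wg.Add(1)
		go func(i int, s Scanner) {
			defer wg.Done()
			results[i] = runOne(ctx, s)
		}(i, s)
	}
	wg.Wait()
	return results
}

// MergeReport renders one status/timing header per scanner followed by its output.
func MergeReport(results []Result) string {
	var sb strings.Builder
	for _, r := range results {
		fmt.Fprintf(&sb, "== %s: %s in %s %s\n%s", r.Scanner, r.Status, r.Duration.Round(time.Millisecond), r.Err, r.Output)
	}
	return sb.String()
}

func main() { // offline stand-ins: sh plays an installed scanner, the second binary is absent
	fmt.Print(MergeReport(RunAll(context.Background(), []Scanner{{Name: "nikto", Cmd: "sh", Args: []string{"-c", "echo '+ Server: nginx'"}}, {Name: "wapiti", Cmd: "wapiti-not-installed"}}, time.Minute)))
}
```

Two details matter more than the goroutines. The LookPath check up front is what turns an uninstalled scanner into a "missing" entry instead of a failed run, and cmd.WaitDelay (Go 1.20+) is what stops a timed-out scan from hanging the whole report when the killed scanner has left a child process holding the output pipe open.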

history

Browse and manage tool execution history.

Parameters:

Name    Type     Required        Description
action  string   Yes             One of: list, get, delete, clear
id      integer  For get/delete  Execution ID
limit   integer  No              Results per page (default: 10)
offset  integer  No              Pagination offset

Actions:

  • list - List execution history with pagination
  • get - Get full details of a specific execution
  • delete - Delete a specific execution by ID
  • clear - Delete all execution history

API Endpoints

Endpoint             Description
POST /mcp            MCP protocol endpoint (JSON-RPC over Streamable HTTP)
GET /                Service information (JSON)
GET /debug/pprof/*   Profiling endpoints

All three share the single listener set by --bind. The profiling endpoints expose heap, goroutine and CPU profiles of the running server, and this README documents no authentication for any endpoint, so do not expose the listener beyond localhost without an authenticating proxy in front of it.

Development

Building

make build

Linting

make lint

Testing

make test

Project Structure

wass-mcp/
├── cmd/wass-mcp/        # Application entry point
├── pkg/
│   ├── server/          # MCP server wrapper
│   ├── storage/         # Database layer (SQLite/GORM)
│   ├── models/          # Data models
│   ├── tools/           # MCP tool implementations
│   │   ├── nikto/       # Nikto web server scanner
│   │   ├── wapiti/      # Wapiti web app scanner
│   │   ├── fullscan/    # Parallel full scan
│   │   └── history/     # History management
│   └── types/           # Shared types and constants
├── docs/                # Documentation
└── build/               # Build output and coverage reports

Security Notice

This tool is intended for authorized security testing only. Ensure you have proper authorization before scanning any systems. Unauthorized scanning may be illegal in your jurisdiction.

License

BSD 3-Clause License - Copyright (c) 2026, Bohdan Turkynevych. See LICENSE for details.

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/new-tool)
  3. Commit your changes (git commit -am 'Add new scanning tool')
  4. Push to the branch (git push origin feature/new-tool)
  5. Create a Pull Request

Acknowledgments
