BurpMCP is a Burp Suite extension that augments application security testers, vulnerability researchers, and bug bounty hunters with the capabilities of modern AI. Every day, large language models gain larger context windows, faster response times, and greater knowledge and reasoning skills. BurpMCP lets you take advantage of this inevitable technology while testing HTTP-based applications, providing a super-intelligent sidekick to help navigate unfamiliar attack surfaces and chase down complex vulnerabilities.
While other MCP servers for Burp Suite exist, they only provide generic access to Burp Suite tools and data, such as running scans, viewing issues, and reading proxy history. BurpMCP focuses on enhancing manual testing with the help of LLMs, implementing a clean user interface that makes it easy to hand the AI specific requests as context and to monitor MCP messages and AI-generated requests. Additionally, both HTTP/1.1 and HTTP/2 are tested for reliability, and out-of-band testing is supported with access to Burp Collaborator.
Download the jar file from the releases and load it into Burp to install.
The MCP server runs by default on localhost port 8181 over SSE. The configuration syntax varies depending on your MCP client, but here are a few examples:
```json
{
  "mcpServers": {
    "burpmcp": {
      "autoApprove": [],
      "disabled": false,
      "timeout": 30,
      "url": "http://localhost:8181/mcp/sse",
      "transportType": "sse"
    }
  }
}
```
Dive:
```json
{
  "mcpServers": {
    "BurpMCP": {
      "transport": "sse",
      "url": "http://localhost:8181/mcp/sse"
    }
  }
}
```
To use BurpMCP with STDIO-only clients like Claude Desktop, download the stdio-bridge.py script and install the required dependencies:

```bash
pip3 install typer mcp
```

Then, add the following configuration to your claude_desktop_config.json. Make sure the host and port match what you configure in BurpMCP.

```json
{
  "mcpServers": {
    "BurpMCP": {
      "command": "python3",
      "args": ["path/to/stdio-bridge.py", "http://localhost:8181/mcp/sse"],
      "env": {}
    }
  }
}
```
To send requests to BurpMCP, right-click any request and click `Extensions -> Send to BurpMCP`.
The request will then be visible in the "Saved Requests" tab in BurpMCP. Each saved request includes a Notes column to provide LLMs with additional context. LLMs can also update the notes in each saved request to keep track of important details or save requests for future analysis.
Using your favorite MCP Client, you can prompt the LLM to retrieve saved requests and send follow-up requests to assist with testing.
Claude attempting to solve the lab:
Check out the Showcase for examples of chat logs where BurpMCP is successfully used.
Thank you to the following people for providing examples:
- The LLMs sometimes forget to add important components to requests like Content-Length headers or URL encoding. This is not an issue with the extension but rather a failure on the LLM's part. You may need to let the LLM know if it forgets something and cannot resolve the issue independently.
- The tool parameter specifies that forbidden headers should not be included in HTTP/2 requests, but the LLMs may sometimes ignore it. If an HTTP/2 request fails, check the request for any invalid headers.
- Sometimes, the LLM cannot send CRLFs ("\r\n") over MCP. CRLF is required for compliant HTTP/1.1 requests. To fix this, automatic LF to CRLF replacement can be enabled. However, this changes the Content-Length of the request, requiring the Content-Length header to be automatically updated. Thus, when LF to CRLF replacement is enabled, testing vulnerabilities like HTTP Request Smuggling - which requires tampering with the Content-Length header - will be difficult to perform with LLMs using HTTP/1.1.
- Some MCP clients will not acknowledge an error response after an extended period of time and go on generating forever. Adding a custom timeout on the server side does not fix this issue. At the moment, the best solution is to use a client that supports timeouts, such as Cline.
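The three request-level problems listed above (a missing or stale Content-Length, connection-specific headers in an HTTP/2 request, and LF-only line endings in HTTP/1.1) can all be caught before a request leaves the machine. The pre-flight linter below is an added example written for this README; it is not part of BurpMCP and does not reproduce the extension's own LF-to-CRLF logic. The sample request, `lint_request`, `split_request` and `LintResult` are all constructed here for illustration. It also shows the side effect the last-but-one bullet warns about: once CRLF normalisation recomputes the body length, any Content-Length the prompt set deliberately is overwritten.

```python
"""Pre-flight linter for LLM-generated raw HTTP requests.

Added example for this README; not part of BurpMCP. It models the limitations
listed above: a missing or wrong Content-Length, connection-specific headers
that HTTP/2 forbids, and LF-only line endings in HTTP/1.1 requests (plus the
Content-Length side effect of fixing them).
"""
from dataclasses import dataclass, field

# RFC 9113 section 8.2.2: connection-specific fields must not appear in HTTP/2.
HTTP2_FORBIDDEN_HEADERS = frozenset(
    {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}
)


@dataclass
class LintResult:
    request: bytes                                   # request as it would be sent
    warnings: list[str] = field(default_factory=list)


def split_request(raw: str) -> tuple[str, list[tuple[str, str]], str]:
    """Split raw request text into request line, header pairs and body.
    LF and CRLF are both accepted because LLMs frequently emit LF only."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def lint_request(raw: str, http2: bool = False, fix_crlf: bool = True) -> LintResult:
    """Check an LLM-generated request and rebuild it in wire format.

    http2    -> warn about and drop headers that HTTP/2 forbids.
    fix_crlf -> emit CRLF line endings (required by HTTP/1.1) and rewrite
                Content-Length to the normalised body length. Without it the
                request is left as written and problems are only reported.
    """
    request_line, headers, body = split_request(raw)
    warnings: list[str] = []

    if http2:
        bad = [n for n, _ in headers if n.lower() in HTTP2_FORBIDDEN_HEADERS]
        warnings += [f"header forbidden in HTTP/2: {n}" for n in bad]
        headers = [(n, v) for n, v in headers if n.lower() not in HTTP2_FORBIDDEN_HEADERS]

    eol = "\r\n" if fix_crlf else "\n"
    wire_body = body.replace("\n", eol).encode()   # body length changes with the EOL
    actual = str(len(wire_body))
    declared = next((v for n, v in headers if n.lower() == "content-length"), None)

    if wire_body and declared is None:
        warnings.append("body present but Content-Length header missing")
        if fix_crlf:
            headers.append(("Content-Length", actual))
    elif declared is not None and declared != actual:
        warnings.append(f"Content-Length {declared} does not match body length {actual}")
        if fix_crlf:   # this is what makes deliberate Content-Length tampering hard
            headers = [(n, actual if n.lower() == "content-length" else v) for n, v in headers]

    head = eol.join([request_line] + [f"{n}: {v}" for n, v in headers])
    return LintResult(request=(head + eol + eol).encode() + wire_body, warnings=warnings)


# Constructed sample of a typical LLM output: LF-only endings, a hop-by-hop
# header, and a Content-Length that is only right while the body uses LF.
SAMPLE_LLM_REQUEST = (
    "POST /api/login HTTP/1.1\n"
    "Host: target.example\n"
    "Connection: keep-alive\n"
    "Content-Type: application/json\n"
    "Content-Length: 21\n"
    "\n"
    '{\n  "user": "alice"\n}'
)

if __name__ == "__main__":
    result = lint_request(SAMPLE_LLM_REQUEST, http2=False, fix_crlf=True)
    for warning in result.warnings:
        print("warning:", warning)
    print(result.request.decode())
```

Run it once with `fix_crlf=True` to see the Content-Length rewritten from 21 to 23 as the two body newlines become CRLF, and once with `http2=True` to see the `Connection` header reported and dropped; with both flags off the request is returned byte-for-byte as the model wrote it, which is the mode you want when the prompt intends a Content-Length mismatch.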
The tool specifications can be found in src/main/java/burpmcp/tools and describe exactly what data the MCP server expects from the LLMs. This information is important to understand so you know what the LLMs are sending. Depending on your use case, you can modify the property descriptions, which would require rebuilding the extension.
```bash
git clone https://github.com/swgee/burpmcp.git
cd burpmcp
mvn clean package
```
Please open an issue for issues, feature requests, or questions. If you would like to contribute, submit a PR. If you have used the tool to find vulnerabilities or anything else interesting, please send screenshots or chat logs, and I would love to include them in the Showcase. Thank you for trying out BurpMCP, and happy hacking!