
burp

Comprehensive Model Context Protocol (MCP) server for BurpSuite Pro security testing integration with Claude Desktop

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add \
  --env JAVA_HOME="/usr/lib/jvm/java-17-openjdk-amd64" \
  --env BURP_MCP_LOG_LEVEL="INFO" \
  --transport stdio andromeda254-burp-mcp-server \
  -- java -jar /home/jojo/dev/burp-mcp-server/build/libs/burp-mcp-server-1.0.0-all.jar --stdio

How to use

This MCP server acts as a bridge between Claude Desktop and BurpSuite, enabling conversational control over BurpSuite security scanning capabilities via the Montoya API. It exposes MCP tools to initiate scans, fetch results, and inspect proxy history, while also giving you access to scan queues and discovered issues. The server supports two transport modes: stdio for Claude Desktop integration and HTTP for standalone testing. Tools such as scan_target, get_scan_results, and proxy_history are provided to manage security workflows through natural language prompts or direct MCP calls. In practice, you can ask Claude to start a full Burp scan on a URL, then retrieve results or browse the proxy history for context around findings. For testing or development, you can run the HTTP server and interact with it via JSON-RPC requests at http://localhost:5001/mcp.

How to install

Prerequisites:

  • Java 17+ (OpenJDK) installed on your system
  • Gradle 8.1+ (for building from source)
  • BurpSuite (Professional or Community) with Montoya API (or mock mode for testing)
  • Claude Desktop (for stdio integration) if using the stdio workflow

  1. Clone the repository and build
git clone <your-repo-url>
cd burp-mcp-server
./gradlew shadowJar
  2. Install Java 17 (if not already installed)
sudo apt update
sudo apt install openjdk-17-jdk
  3. Configure Claude Desktop (example config is included in README)
  • Run the automated setup script if provided:
./setup-claude-desktop.sh
  • Or manually configure by editing ~/.config/claude-desktop/claude_desktop_config.json as shown in the README, ensuring the command is java and the jar path points to the built shadow JAR, with --stdio included if using stdio mode.
  4. Run the server (stdio mode)
./start-server.sh stdio
  5. (Optional) Run the server in HTTP mode for testing
./start-server.sh http
# Server will be available at http://localhost:5001/mcp
  6. Validate with a quick MCP initialize call (HTTP mode)
curl -X POST http://localhost:5001/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'

Additional notes

Tips and caveats:

  • The server by default binds to localhost for security; adjust networking only if you understand the exposure implications.
  • Logging level is controlled via BURP_MCP_LOG_LEVEL; set to DEBUG during troubleshooting.
  • Ensure JAVA_HOME points to a valid Java 17+ installation when starting the server.
  • The provided MCP tools are scan_target (to start scans), get_scan_results (to fetch results), and proxy_history (to inspect Burp proxy traffic). Use the HTTP endpoint for automated tests or the stdio mode for Claude Desktop integration.
  • If you encounter Java version issues, verify that java -version matches the required version and that JAVA_HOME is correctly exported.
  • When running in standalone HTTP mode, you can mock Burp interactions for development, but in production you should connect to a live BurpSuite Montoya-enabled instance.
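
A check for the localhost-binding caveat above, written as an added example (it is not part of the project or its README): it reads `ss -ltnH` output and reports any non-loopback address listening on the HTTP-mode port. Port 5001 comes from this page; the function name `check_mcp_bind`, the `MCP_PORT` variable and the sample lines are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: verify the MCP HTTP listener is reachable on loopback only.
# check_mcp_bind and MCP_PORT are hypothetical names; 5001 is the port from the page.

MCP_PORT="${MCP_PORT:-5001}"

# Reads `ss -ltnH` lines on stdin and prints each non-loopback local address
# bound to the given port.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing listening on the port.
check_mcp_bind() {
  awk -v port="$1" '
    {
      addr = $4                              # column 4 is Local Address:Port
      n = split(addr, parts, ":")
      if (parts[n] != port) next             # some other service
      found = 1
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      # 127.0.0.0/8, IPv6 loopback and IPv4-mapped loopback are local-only
      if (host ~ /^127\./ || host == "[::1]" || host == "[::ffff:127.0.0.1]") next
      exposed = 1
      print host                             # e.g. "*", "0.0.0.0" or a LAN address
    }
    END {
      if (!found) exit 2
      exit (exposed ? 1 : 0)
    }
  '
}

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# one loopback listener, one wildcard listener on the same port, one unrelated.
SAMPLE='LISTEN 0 50 127.0.0.1:5001 0.0.0.0:*
LISTEN 0 50 *:5001 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if exposed=$(printf '%s\n' "$SAMPLE" | check_mcp_bind "$MCP_PORT"); then
  echo "port $MCP_PORT: loopback only"
else
  echo "port $MCP_PORT: status $?, non-loopback listeners: $exposed"
fi
```

On a live host, replace the sample with `ss -ltnH | check_mcp_bind "$MCP_PORT"` after starting the server in HTTP mode.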
