
burp

MCP server for Burp Suite Professional. Replaces mcp-proxy.jar with 7 clean tools, auto HTTP/2 detection, body limits, and structured JSON responses.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio c0tton-fluff-burp-mcp-server burp-mcp-server serve \
  --env BURP_MCP_URL="http://127.0.0.1:9876/sse"

How to use

This MCP server bridges Burp Suite Professional with AI-assisted workflows by exposing a set of structured tools that operate over a lightweight, JSON-based protocol. The server consolidates common Burp actions—sending HTTP requests with protocol auto-detection, paging through proxy history, retrieving scanner findings, staging requests in Repeater or Intruder, and even conducting race condition tests—into a clean, consistent interface with sensible defaults (e.g., 2KB body limits and smart header filtering). It emits JSON payloads such as {statusCode, headers, body, bodySize, truncated} to streamline parsing by agents like Claude Code.

To use it, run the Burp MCP server (the binary produced by this project) and point your MCP client to the local SSE endpoint exposed by Burp’s extension (as configured in BURP_MCP_URL). The Quick Start guide shows how to enable MCP in Burp, configure the client in ~/.mcp.json, and then invoke tools like burp_send_request, burp_batch_send, burp_get_proxy_history, burp_get_scanner_issues, burp_create_repeater_tab, burp_send_to_intruder, and burp_race_request. Each tool accepts a concise parameter set and returns a structured JSON response that your agent can parse and reason about.

How to install

Prerequisites:

  • Go toolchain (Go 1.20+ recommended)
  • curl or wget for downloads
  • Burp Suite Professional with MCP extension support enabled

Install from source or binary:

  1. Build from source (recommended):
       git clone https://github.com/c0tton-fluff/burp-mcp-server.git
       cd burp-mcp-server
       go build -o burp-mcp-server .
  2. Download a prebuilt binary from Releases and place it in your PATH, e.g.:
       # example, if you downloaded the binary to /usr/local/bin
       chmod +x /usr/local/bin/burp-mcp-server
  3. Run the server with the default configuration (as a background service if desired):
       burp-mcp-server serve
  4. Ensure Burp is configured to expose the MCP SSE endpoint as described in the Quick Start (BURP_MCP_URL environment variable).

Note:

  • The project’s README shows using a shell script install.sh, but building from source is the primary development path. Adjust permissions and service management as needed for your environment.

Additional notes

Tips and known considerations:

  • The server applies a 2KB body limit and smart header filtering by default; pass allHeaders: true or headersOnly: true as client parameters where appropriate.
  • If you see connection issues, verify BURP_MCP_URL is reachable from the MCP server host and that Burp’s extension is listening on the expected port (default 9876).
  • For batch and race operations, take advantage of parallelism to speed up tests (up to the tool’s supported limits).
  • The output structure is designed for straightforward parsing: statusCode, headers, body (string or binary-encoded), bodySize, and a truncated flag that marks a partial body.
  • This MCP server focuses on Burp-related capabilities: HTTP sending, proxy history, scanner issues, staging for Repeater/Intruder, and race tests. Use the provided tools in the correct order to reproduce manual Burp workflows programmatically.
  • If you customize Burp or the environment, consider adding environment variables for per-host or per-workflow limits (e.g., per-request bodyLimit, per-host rules).
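
Because bodies are cut at 2KB by default, a string that is missing from a truncated body has not been shown to be absent from the response. The following is an added example, not code from the burp-mcp-server project: it parses the response fields listed above and returns a three-way search result. It assumes headers is a JSON object and body is a plain string, and the sample responses are constructed.

```python
import json

# Fields the page lists for a tool response.
FIELDS = ("statusCode", "headers", "body", "bodySize", "truncated")

def parse_response(raw):
    """Decode one tool response and reject it if a listed field is missing."""
    resp = json.loads(raw)
    missing = [f for f in FIELDS if f not in resp]
    if missing:
        raise ValueError("response is missing fields: " + ", ".join(missing))
    return resp

def body_contains(resp, needle):
    """True if found; False if absent from a complete body;
    None if absent from a truncated body (the cut-off part is unknown)."""
    if needle in resp["body"]:
        return True
    return None if resp["truncated"] else False

def needs_refetch(responses, needle):
    """Indexes of responses where the search is inconclusive."""
    return [i for i, r in enumerate(responses) if body_contains(r, needle) is None]

# Constructed sample responses (not captured from a real Burp session).
SAMPLES = [
    '{"statusCode": 200, "headers": {"Content-Type": "text/html"},'
    ' "body": "<html><!-- debug=true --></html>", "bodySize": 32, "truncated": false}',
    '{"statusCode": 200, "headers": {"Content-Type": "text/html"},'
    ' "body": "<html><head><title>Login</title>", "bodySize": 48213, "truncated": true}',
    '{"statusCode": 404, "headers": {}, "body": "not found", "bodySize": 9, "truncated": false}',
]

if __name__ == "__main__":
    parsed = [parse_response(s) for s in SAMPLES]
    for i, r in enumerate(parsed):
        print(i, r["statusCode"], body_contains(r, "debug=true"))
    print("re-request with a larger body limit:", needs_refetch(parsed, "debug=true"))
```

Responses flagged by needs_refetch should be requested again with a larger body limit before a finding is recorded as negative.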
