Den-Sec/burp-mcp

BurpMCP

Drive Burp Suite Professional from an AI agent. BurpMCP exposes Burp's capabilities as Model Context Protocol tools, so an MCP client like Claude Code can search proxy history, run scans, fire Repeater/Intruder attacks, poll Collaborator and more - 61 tools in total - as part of an authorized testing workflow.

Warning

Authorized testing only. BurpMCP is an offensive-security tool. Use it exclusively against systems you own or have explicit, written permission to test. Staying in scope and within the law is your responsibility.

How it works

Claude Code ──(MCP / stdio)──► burp_mcp server ──(HTTP + X-API-Key)──► Burp extension ──► Burp Suite Pro
  1. A Java extension (Montoya API) runs inside Burp and serves a local, API-key-authenticated HTTP API on 127.0.0.1:8089.
  2. A Python MCP server (burp_mcp, FastMCP over stdio) translates MCP tool calls into HTTP requests to that extension.

The API key is a random UUID generated on first load and printed to Burp's Output tab - nothing is hardcoded.

Tool coverage (61)

| Area | Tools |
| --- | --- |
| Traffic | proxy history, WebSocket history, match/replace, send-via-proxy, traffic analysis |
| Repeater / Intruder | send to Repeater, build & send requests, Intruder attacks & results |
| Scanner | active/passive scan, crawl, audit-after-crawl, issues, BCheck load/validate |
| Recon | sitemap, scope include/exclude/check, content discovery, search requests/responses |
| OOB & crypto | Collaborator generate/poll, decoder/encoder, crypto utils, comparer, sequencer |
| Protocol | GraphQL introspection, Swagger/OpenAPI import, DNS resolve |
| Session & helpers | session rules/macros (config), helper login, cookie jar, persistence store |
| Meta | status, extensions list, render, export, authz test |

See CHANGELOG.md for the full per-tool history.

Requirements

  • Burp Suite Professional (Montoya API 2025.5)
  • Java 21 - to build the extension
  • Python 3.11+ - for the MCP server
  • An MCP client, e.g. Claude Code

Install

1. Build and load the extension

cd extension
./gradlew jar          # Windows: gradlew.bat jar

Load extension/build/libs/burp-mcp-extension-2.0.0.jar in Burp via Extensions → Add → Java. The Output tab prints the API server address and your key:

[BurpMCP] API server started on 127.0.0.1:8089
[BurpMCP] API key: <uuid>

2. Install the MCP server

cd server
pip install -e .

3. Register with your MCP client

For Claude Code, add to your MCP config:

{
  "mcpServers": {
    "burp": {
      "command": "python",
      "args": ["-m", "burp_mcp"],
      "env": {
        "BURP_API_KEY": "<uuid-from-burp-output-tab>"
      }
    }
  }
}

Configuration

The server reads everything from the environment:

| Variable | Default | Description |
| --- | --- | --- |
| BURP_API_KEY | (empty) | API key from the Burp Output tab. Required. |
| BURP_API_URL | http://127.0.0.1:8089 | Extension API base URL |
| BURP_TIMEOUT | 30 | Per-request timeout (seconds) |
| BURP_DEBUG | false | Log requests/responses to stderr |
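
A preflight check for the variables in the table above, as an added example that is not part of the BurpMCP code base; the function name check_burp_env and the truthy spellings accepted for BURP_DEBUG are assumptions. It rejects a key that is not a UUID and a plain-HTTP BURP_API_URL that is not loopback, because the X-API-Key header would then leave the machine unencrypted.

```python
import ipaddress
import os
import uuid
from urllib.parse import urlsplit

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as non-local

def check_burp_env(env=None):
    """Return (errors, warnings) for the BURP_* variables (hypothetical helper)."""
    env = os.environ if env is None else env
    errors, warnings = [], []
    # The README says the key is a random UUID printed to Burp's Output tab.
    try:
        uuid.UUID(env.get("BURP_API_KEY", "").strip())
    except ValueError:
        errors.append("BURP_API_KEY is missing or not a UUID; copy it from Burp's Output tab")
    # The key travels in an X-API-Key header, so cleartext HTTP must stay on loopback.
    url = urlsplit(env.get("BURP_API_URL", "http://127.0.0.1:8089"))
    if url.scheme not in ("http", "https") or not url.hostname:
        errors.append("BURP_API_URL is not an http(s) URL")
    elif url.scheme == "http" and not _is_loopback(url.hostname):
        errors.append("BURP_API_URL is plain HTTP to a non-loopback host; the API key would be sent in cleartext")
    try:
        timeout = float(env.get("BURP_TIMEOUT", "30"))
        if not 0 < timeout < float("inf"):
            raise ValueError
    except ValueError:
        errors.append("BURP_TIMEOUT must be a positive number of seconds")
    # Assumption: these spellings enable debug; the project's own parsing may differ.
    if env.get("BURP_DEBUG", "false").strip().lower() in ("1", "true", "yes", "on"):
        warnings.append("BURP_DEBUG logs requests/responses to stderr; captured traffic may hold credentials")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_burp_env()
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN:", msg)
    raise SystemExit(1 if errs else 0)
```

Run it in the same environment the MCP client uses to launch the server, so it sees the values from the "env" block of the MCP config.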

Verify

With Burp running and the extension loaded:

python test_integration.py                    # interactive smoke test (prompts for the API key)
cd server && BURP_API_KEY=<uuid> pytest -v    # full suite (needs Burp live)

License

MIT © Dennis Sepede (Den-Sec) - built at Securitix Solutions.
