| 1 | +# Burp MCP: LLM-assisted traffic review |
| 2 | + |
| 3 | +{{#include ../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +Burp's **MCP Server** extension can expose intercepted HTTP(S) traffic to MCP-capable LLM clients so they can **reason over real requests/responses** for passive vulnerability discovery and report drafting. The intent is evidence-driven review (no fuzzing or blind scanning), keeping Burp as the source of truth. |
| 8 | + |
| 9 | +## Architecture |
| 10 | + |
| 11 | +- **Burp MCP Server (BApp)** listens on `127.0.0.1:9876` and exposes intercepted traffic via MCP. |
| 12 | +- **MCP proxy JAR** bridges stdio (client side) to Burp's MCP SSE endpoint. |
| 13 | +- **Optional local reverse proxy** (Caddy) normalizes headers for strict MCP handshake checks. |
| 14 | +- **Clients/backends**: Codex CLI (cloud), Gemini CLI (cloud), or Ollama (local). |
| 15 | + |
| 16 | +## Setup |
| 17 | + |
| 18 | +### 1) Install Burp MCP Server |
| 19 | + |
| 20 | +Install **MCP Server** from the Burp BApp Store and verify it is listening on `127.0.0.1:9876`. |
| 21 | + |
| 22 | +### 2) Extract the proxy JAR |
| 23 | + |
| 24 | +In the MCP Server tab, click **Extract server proxy jar** and save `mcp-proxy.jar`. |
| 25 | + |
| 26 | +### 3) Configure an MCP client (Codex example) |
| 27 | + |
| 28 | +Point the client to the proxy JAR and Burp's SSE endpoint: |
| 29 | + |
| 30 | +```toml |
| 31 | +# ~/.codex/config.toml |
| 32 | +[mcp_servers.burp] |
| 33 | +command = "java" |
| 34 | +args = ["-jar", "/absolute/path/to/mcp-proxy.jar", "--sse-url", "http://127.0.0.1:19876"] |
| 35 | +``` |
| 36 | + |
| 37 | +Then run Codex and list MCP tools: |
| 38 | + |
| 39 | +```bash |
| 40 | +codex |
| 41 | +# inside Codex: /mcp |
| 42 | +``` |
| 43 | + |
| 44 | +### 4) Fix strict Origin/header validation with Caddy (if needed) |
| 45 | + |
| 46 | +If the MCP handshake fails due to strict `Origin` checks or extra headers, use a local reverse proxy to normalize headers (this matches the workaround for the Burp MCP strict validation issue). |
| 47 | + |
| 48 | +```bash |
| 49 | +brew install caddy |
| 50 | +mkdir -p ~/burp-mcp |
| 51 | +cat >~/burp-mcp/Caddyfile <<'EOF' |
| 52 | +:19876 |
| 53 | +
|
| 54 | +reverse_proxy 127.0.0.1:9876 { |
| 55 | + # lock Host/Origin to the Burp listener |
| 56 | + header_up Host "127.0.0.1:9876" |
| 57 | + header_up Origin "http://127.0.0.1:9876" |
| 58 | +
|
| 59 | + # strip client headers that trigger Burp's 403 during SSE init |
| 60 | + header_up -User-Agent |
| 61 | + header_up -Accept |
| 62 | + header_up -Accept-Encoding |
| 63 | + header_up -Connection |
| 64 | +} |
| 65 | +EOF |
| 66 | +``` |
| 67 | + |
| 68 | +Start the proxy and the client: |
| 69 | + |
| 70 | +```bash |
| 71 | +caddy run --config ~/burp-mcp/Caddyfile & |
| 72 | +codex |
| 73 | +``` |
| 74 | + |
| 75 | +## Using different clients |
| 76 | + |
| 77 | +### Codex CLI |
| 78 | + |
| 79 | +- Configure `~/.codex/config.toml` as above. |
| 80 | +- Run `codex`, then `/mcp` to verify the Burp tools list. |
| 81 | + |
| 82 | +### Gemini CLI |
| 83 | + |
| 84 | +The **burp-mcp-agents** repo provides launcher helpers: |
| 85 | + |
| 86 | +```bash |
| 87 | +source /path/to/burp-mcp-agents/gemini-cli/burpgemini.sh |
| 88 | +burpgemini |
| 89 | +``` |
| 90 | + |
| 91 | +### Ollama (local) |
| 92 | + |
| 93 | +Use the provided launcher helper and select a local model: |
| 94 | + |
| 95 | +```bash |
| 96 | +source /path/to/burp-mcp-agents/ollama/burpollama.sh |
| 97 | +burpollama deepseek-r1:14b |
| 98 | +``` |
| 99 | + |
| 100 | +Example local models and approximate VRAM needs: |
| 101 | + |
| 102 | +- `deepseek-r1:14b` (~16GB VRAM) |
| 103 | +- `gpt-oss:20b` (~20GB VRAM) |
| 104 | +- `llama3.1:70b` (48GB+ VRAM) |
| 105 | + |
| 106 | +## Prompt pack for passive review |
| 107 | + |
| 108 | +The **burp-mcp-agents** repo includes prompt templates for evidence-driven analysis of Burp traffic: |
| 109 | + |
| 110 | +- `passive_hunter.md`: broad passive vulnerability surfacing. |
| 111 | +- `idor_hunter.md`: IDOR/BOLA/object/tenant drift and auth mismatches. |
| 112 | +- `auth_flow_mapper.md`: compare authenticated vs unauthenticated paths. |
| 113 | +- `ssrf_redirect_hunter.md`: SSRF/open-redirect candidates from URL fetch params/redirect chains. |
| 114 | +- `logic_flaw_hunter.md`: multi-step logic flaws. |
| 115 | +- `session_scope_hunter.md`: token audience/scope misuse. |
| 116 | +- `rate_limit_abuse_hunter.md`: throttling/abuse gaps. |
| 117 | +- `report_writer.md`: evidence-focused reporting. |
| 118 | + |
| 119 | +## Optional attribution tagging |
| 120 | + |
| 121 | +To tag Burp/LLM traffic in logs, add a header rewrite (proxy or Burp Match/Replace): |
| 122 | + |
| 123 | +```text |
| 124 | +Match: ^User-Agent: (.*)$ |
| 125 | +Replace: User-Agent: $1 BugBounty-Username |
| 126 | +``` |
| 127 | + |
| 128 | +## Safety notes |
| 129 | + |
| 130 | +- Prefer **local models** when traffic contains sensitive data. |
| 131 | +- Only share the minimum evidence needed for a finding. |
| 132 | +- Keep Burp as the source of truth; use the model for **analysis and reporting**, not scanning. |
| 133 | + |
| 134 | +## References |
| 135 | + |
| 136 | +- [Burp MCP + Codex CLI integration and Caddy handshake fix](https://pentestbook.six2dez.com/others/burp) |
| 137 | +- [Burp MCP Agents (workflows, launchers, prompt pack)](https://github.com/six2dez/burp-mcp-agents) |
| 138 | +- [Burp MCP Server BApp](https://portswigger.net/bappstore/9952290f04ed4f628e624d0aa9dccebc) |
| 139 | +- [PortSwigger MCP server strict Origin/header validation issue](https://github.com/PortSwigger/mcp-server/issues/34) |
| 140 | + |
| 141 | +{{#include ../banners/hacktricks-training.md}} |
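Review bot: the Caddyfile site address `:19876` (line `| 52 |`) binds to all interfaces by default, so the unauthenticated bridge to Burp's MCP server, and with it every intercepted request and response, becomes reachable from the local network; use `127.0.0.1:19876` so the listener matches the loopback-only intent stated in the Architecture section. Related, step 3 (line `| 34 |`) already points the client at `http://127.0.0.1:19876`, the Caddy port, while step 4 introduces Caddy as optional ("if needed"); without Caddy nothing listens there and the `/mcp` check in step 3 will fail, so either document `http://127.0.0.1:9876` as the direct SSE endpoint and `19876` only when the Caddy workaround is in place, or move the Caddy step ahead of the client configuration.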