# Burp Suite

## Burp MCP + Codex CLI

Everything is documented and updated at <https://github.com/six2dez/burp-mcp-agents>

This guide shows how to connect Burp Suite MCP Server to Codex CLI so that Codex can reason directly on your real HTTP traffic — no API keys, no scanning, no fuzzing.

You end up with a reasoning engine wired directly into your interception stack.

***

### What you get

• Passive vuln discovery

• IDOR / auth bypass / SSRF / logic flaw detection

• Report writing from real Burp evidence

• No API keys

• Full local traffic control

***

### 1. Install Burp MCP Server

Install MCP Server from Burp’s BApp Store.

Once installed, open its tab and click:

> Extract server proxy jar

![](/files/dFJcSWpkyYdTmJicYmIY)<br>

This downloads:

```
mcp-proxy.jar
```

This is the stdio MCP bridge Codex uses.

***

### 2. Configure Codex MCP

Edit:

```
~/.codex/config.toml
```

Append:

```
[mcp_servers.burp]
command = "java"
args = ["-jar", "/absolute/path/to/mcp-proxy.jar", "--sse-url", "http://127.0.0.1:19876"]
```

***

### 3. Install Caddy reverse proxy

Burp MCP currently enforces strict Origin validation and rejects extra headers sent by Codex, which causes handshake failures [see more here](https://github.com/PortSwigger/mcp-server/issues/34).

We solve this with a local reverse proxy.

Install Caddy:

```
brew install caddy
```

***

### 4. Create the Caddyfile

Create:

```
~/burp-mcp/Caddyfile
```

Paste:

```
:19876

reverse_proxy 127.0.0.1:9876 {
  # Match Origin and Host exactly (anti-DNS rebinding)
  header_up Host "127.0.0.1:9876"
  header_up Origin "http://127.0.0.1:9876"

  # Workaround for current Burp MCP SSE 403 bug
  header_up -User-Agent
  header_up -Accept
  header_up -Accept-Encoding
  header_up -Connection
}
```

***

### 5. Start everything

```
caddy run --config ~/burp-mcp/Caddyfile &
codex
```

Verify:

```
/mcp
```

You should see:

<figure><img src="/files/hs0FofS0xuEFcbi6WDWv" alt=""><figcaption></figcaption></figure>

***

### 6. Test it

Examples:

```
From Burp history, find all endpoints that use numeric IDs and lack Authorization headers.
```

```
Using Burp MCP, identify potential IDOR endpoints and suggest safe confirmation steps.
```

```
From Burp data, write a vulnerability report with reproduction, impact and remediation.
```

***

### 7. One-command launcher (optional)

\
Add to your \~/.zshrc (check your paths first):

```bash
burpcodex() {
  emulate -L zsh
  setopt pipefail

  local CADDYFILE="$HOME/burp-mcp/Caddyfile"
  local LOG="/tmp/burp-mcp-caddy.log"
  local CADDY_PID=""

  if ! command -v caddy >/dev/null 2>&1; then
    echo "[!] caddy not found (brew install caddy)"
    return 1
  fi
  if ! command -v codex >/dev/null 2>&1; then
    echo "[!] codex not found in PATH"
    return 1
  fi
  if [[ ! -f "$CADDYFILE" ]]; then
    echo "[!] Caddyfile not found: $CADDYFILE"
    return 1
  fi

  cleanup() {
    # 1) Kill captured PID (if still alive)
    if [[ -n "$CADDY_PID" ]] && kill -0 "$CADDY_PID" 2>/dev/null; then
      kill -TERM "$CADDY_PID" 2>/dev/null
      sleep 0.2
      kill -KILL "$CADDY_PID" 2>/dev/null
      wait "$CADDY_PID" 2>/dev/null
    fi

    # 2) Fallback: kill anything still listening on 19876
    local pids
    pids="$(lsof -ti tcp:19876 2>/dev/null | tr '\n' ' ')"
    if [[ -n "$pids" ]]; then
      kill -TERM $pids 2>/dev/null
      sleep 0.2
      kill -KILL $pids 2>/dev/null
    fi
  }

  trap 'cleanup; return 130' INT TERM
  trap 'cleanup' EXIT

  # Start caddy
  caddy run --config "$CADDYFILE" >"$LOG" 2>&1 &
  CADDY_PID=$!
  echo "[*] Caddy started (pid=$CADDY_PID) - log: $LOG"

  # Run codex (foreground)
  command codex "$@"

  # Ensure cleanup even if trap didn't trigger for some reason
  cleanup
  trap - INT TERM EXIT
}
```

Run:

```
burpcodex
```

***

## Tips

```
- If Render Page crash:
sudo sysctl -w kernel.unprivileged_userns_clone=1

- If embedded browser crash due sandbox:
find .BurpSuite -name chrome-sandbox -exec chown root:root {} \; -exec chmod 4755 {} \;

- Scope with all subdomains:
.*\.test\.com$

- Use Intruder to target specific parameters for scanning 
  - Right click: actively scan defined insertion points 

# Configuration
- Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
- User Options -> Misc -> Proxy Interception -> Always disabled
- Target -> Site Map -> Show all && Show only in-scope items

# XSS Validator extension
1) Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js
2) Send Request to Intruder
3) Mark Position 
4) Import xss-payload-list from $Tools into xssValidator
5) Change Payload Type to Extension Generated
6) Change Payload Process to Invoke-Burp Extension - XSS Validator
7) Add Grep-Match rule as per XSS Validator
8) Start.

# Filter the noise
https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320

# Filter the noise TLDR
# TLS Pass Through
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\.com

# Send swagger to burp
https://github.com/RhinoSecurityLabs/Swagger-EZ
# Hosted: 
https://rhinosecuritylabs.github.io/Swagger-EZ/

# If some request/response breaks or slow down Burp
- Project options -> HTTP -> Streaming responses -> Add url and uncheck "Store streaming responses...."

# Burp Extension rotate IP yo avoid IP restrictions
https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension

# Collab/SSRF/pingback alternative
interactsh.com
ceye.io
requestcatcher.com
canarytokens.org
webhook.site
ngrok.com
pingb.in
swin.es
requestbin.net
ssrftest.com
rbnd.gl0.eu
dnslog.cn
beeceptor.com

# Run private collaborator instance in AWS
https://github.com/Leoid/AWSBurpCollaborator

# Run your own collab server
https://github.com/yeswehack/pwn-machine

# Wordlist from burp project file
cat project.burp | strings | tok | sort -u > custom_wordlist.txt

# Autorize:
  1. Copy cookies from low priv user and paste in Autorize
  2. Set filters (scope, regex)
  3. Set Autorize ON
  4. Navigate as high priv user
  
# Turbo Intruder
basic.py -> Set %s in the injection point and specify wordlist in script
multipleParameters.py -> Set %s in all the injection points and specify the wordlists in script

# Match and Replace
https://github.com/daffainfo/match-replace-burp

# Customize Audit Scans
Configure your audit profile -> Issues reported -> Individual issues -> right-click on "Extension generated issues" -> "Edit detection methods"
Works on most of issues like SQLi

# Send to local Burp from VPS
# In local computer
ssh -R 8080:127.0.0.1:8080 root@VPS_IP -f -N
# In VPS
curl URL -x http://127.0.0.1:8080

# Ip rotation
https://github.com/ustayready/fireprox
```

## Proxy options

Append something to the user-agent

Match \`^User-Agent: (.\*)$\`

Replace \`User-Agent: $1 BugBounty-Username\`

<figure><img src="/files/Vqz1buZzDEl2XozZNTos" alt=""><figcaption></figcaption></figure>

## Preferred extensions

{% embed url="<https://portswigger.net/blog/make-burp-suite-your-own-high-powered-extensibility-to-customize-and-enhance-your-testing>" %}

{% embed url="<https://github.com/Ignitetechnologies/BurpSuite-For-Pentester>" %}

* [Burp Bounty Pro](https://burpbounty.net/): Active and passive checks customizable based on patterns.
* [Active Scan ++](https://portswigger.net/bappstore/3123d5b5f25c4128894d97ea1acc4976) More active and passive scans.
* [Software Vulnerability Scanner](https://portswigger.net/bappstore/c9fb79369b56407792a7104e3c4352fb) Passive scan to detect vulnerable software versions
* [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) Passive scan to detect hidden or unlinked parameters, cache poisoning
* [Backslash Powered Scanner](https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8) Active scan for SSTI detection
* [CSRF Scanner](https://portswigger.net/bappstore/60f172f27a9b49a1b538ed414f9f27c3) Passive CSRF detection
* [Freddy](https://portswigger.net/bappstore/ae1cce0c6d6c47528b4af35faebc3ab3) Active and Passive scan for Java and .NET deserialization
* [JSON Web Tokens](https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6) decode and manipulate JSON web tokens
* [Reissue Request Scripter](https://portswigger.net/bappstore/6e0b53d8c801471c9dc614a016d8a20d) generates scripts for Python, Ruby, Perl, PHP and PowerShell
* [Burp-exporter](https://github.com/artssec/burp-exporter) other extension for export request to multiple languages
* [Retire.js](https://portswigger.net/bappstore/36238b534a78494db9bf2d03f112265c) Passive scan to find vulnerable JavaScript libraries
* [Web Cache Deception Scanner](https://portswigger.net/bappstore/7c1ca94a61474d9e897d307c858d52f0) Active scan for Web Cache Deception vulnerability
* [Cookie decrypter](https://portswigger.net/bappstore/76c500c3fdba4a37a6fca46fe18d8ada) Passive check for decrypt/decode Netscaler, F5 BigIP, and Flask cookies
* [Reflector](https://github.com/elkokc/reflector) Passive scan to find reflected XSS
* [J2EEScan](https://portswigger.net/bappstore/7ec6d429fed04cdcb6243d8ba7358880) Active checks to discover different kind of J2EE vulnerabilities
* [HTTP Request Smuggler](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) Active scanner and launcher for HTTP Request Smuggling attacks
* [Flow](https://portswigger.net/bappstore/ee1c45f4cc084304b2af4b7e92c0a49d) History of all burp tools, extensions and tests
* [Taborator](https://portswigger.net/bappstore/c9c37e424a744aa08866652f63ee9e0f) Allows Burp Collaborator in a new tab
* [Turbo Intruder](https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988) Useful for sending large numbers of HTTP requests (Race cond, fuzz, user enum)
* [Auto Repeater](https://portswigger.net/bappstore/f89f2837c22c4ab4b772f31522647ed8) Automatically repeats requests with replacement rules and response diffing
* [Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) Tests multiple upload vulnerabilities
* [poi Slinger](https://github.com/portswigger/poi-slinger): Active scan check to find PHP object injection
* [Java Deserialization Scanner](https://portswigger.net/bappstore/228336544ebe4e68824b5146dbbd93ae) Active and passive scanner to find Java deserialization vulnerabilities
* [Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f) Used to detect IDORs
* [Match/Replace Session Action](https://portswigger.net/bappstore/9b5c532966ca4d5eb13c09c72ba7aac2) Provides a match and replace function as a Session Handling Rule.
* [.NET Beautifier](https://portswigger.net/bappstore/e2a137ad44984ccb908375fa5b2c618d) Easy view for VIEWSTATE parameter
* [Wsdler](https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f) generates SOAP requests from WSDL request
* [Collaborator Everywhere](https://portswigger.net/bappstore/2495f6fb364d48c3b6c984e226c02968) Inject headers to reveal backend systems by causing pingbacks
* [Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) Exfiltrate blind remote code execution output over DNS
* [Bypass WAF](https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c) Add some headers to bypass some WAFs
* [SAMLRaider](https://github.com/CompassSecurity/SAMLRaider) for testing SAML infrastructures, messages and certificates
* [GoldenNuggets-1](https://github.com/GainSec/GoldenNuggets-1) create wordlists from target
* [Logger++](https://portswigger.net/bappstore/470b7057b86f41c396a97903377f3d81) Log for every burp tool and allows highlight, filter, grep, export...
* [OpenAPI Parser](https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c) Parse and fetch OpenAPI documents directly from a URL
* [CO2](https://github.com/portswigger/co2): Multiple functions such sqlmapper, cewler
* [XSSValidator](https://github.com/PortSwigger/xss-validator): XSS intruder payload generator and checker
* [Shelling](https://github.com/ewilded/shelling): command injection payload generator
* [burp-send-to](https://github.com/bytebutcher/burp-send-to): Adds a customizable "Send to..."-context-menu.
* [ssrf-king](https://github.com/ethicalhackingplayground/ssrf-king?s=09): Automates SSRF detection

## Private collaborator server

{% embed url="<https://github.com/putsi/privatecollaborator>" %}

{% embed url="<https://blog.roughwire.com/?p=24>" %}

{% embed url="<https://teamrot.fi/self-hosted-burp-collaborator-with-custom-domain>" %}

## Burp macros

{% embed url="<https://akshita-infosec.medium.com/burp-macros-what-why-how-151df8901641>" %}

## Collaborator SSRF explotation [mindmap](https://github.com/iustin24/SSRF)

![](/files/-MLBtpjgyra0n8WwTYDL)

### DOM Invader

{% embed url="<https://caramel-calcium-f39.notion.site/DOM-Invader-1a78e4ba7acc4ca3987b8136bcf1ddd5>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.pentest-book.com/others/burp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.