Burp Suite MCP Server

by jayluxferro

burp_suite_security_issue_definitions

Retrieve Burp Suite security issue definitions, remediation details, and references from the knowledge base to analyze vulnerabilities and implement fixes for web applications.

Instructions

Get all Burp Suite security issue definitions (name, description, remediation, references).

Input Schema

No arguments.

Output Schema

Name      Required    Description    Default
result    Yes         -              -

Implementation Reference

  • main.py:106-130 (handler)
    The handler function for the 'burp_suite_security_issue_definitions' tool. It makes a GET request to /knowledge_base/issue_definitions endpoint and formats the security issue definitions (name, description, remediation, references, vulnerability classifications) into a readable string format.
    @mcp.tool("burp_suite_security_issue_definitions")
    async def get_knowledge_base_issue_definitions() -> str:
        """
        Get all Burp Suite security issue definitions (name, description, remediation, references).
        """
        security_definitions: list[str] = []
        resp = await make_api_request("GET", "/knowledge_base/issue_definitions")
    
        if resp is not None:
            data = resp.json()
            if isinstance(data, list):
                for item in data:
                    security_definition = f"""
    Issue Name: {item.get('name', 'Unknown')}
    Description: {item.get('description', 'N/A')}
    Remediation: {item.get('remediation', 'None')}
    References: {item.get('references', 'None')}
    Vulnerability Classifications: {item.get('vulnerability_classifications', 'None')}
    """
                    security_definitions.append(security_definition)
        return (
            "\n---\n".join(security_definitions)
            if security_definitions
            else "No security definitions available."
        )
  • main.py:43-83 (helper)
    Core helper function used by the burp_suite_security_issue_definitions tool (and other tools) to make HTTP requests to the Burp REST API. Handles authentication, request formatting, error handling, and response processing.
    async def make_api_request(
        method: str, request_path: str, payload: dict[str, Any] | None = None
    ) -> httpx.Response | None:
        """
        Make a request to the Burp REST API.
        Returns None on failure; logs the error for debugging.
        """
        err = _validate_config()
        if err:
            logger.warning(err)
            return None
    
        path = request_path.lstrip("/")
        if BURP_REST_API_KEY:
            url = f"{BURP_REST_API_BASE}/{BURP_REST_API_KEY}/{BURP_REST_API_VERSION}/{path}"
        else:
            url = f"{BURP_REST_API_BASE}/{BURP_REST_API_VERSION}/{path}"
        async with httpx.AsyncClient() as client:
            try:
                response = await client.request(
                    method,
                    url,
                    json=payload,
                    headers=DEFAULT_HEADERS,
                    timeout=30,
                )
                response.raise_for_status()
                return response
            except httpx.HTTPStatusError as e:
                logger.warning(
                    "Burp API HTTP error: %s %s",
                    e.response.status_code,
                    e.response.text[:200],
                )
                return None
            except httpx.RequestError as e:
                logger.warning("Burp API request failed: %s", e)
                return None
            except Exception as e:
                logger.warning("Burp API unexpected error: %s", e)
                return None
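An added example, not part of the jayluxferro server's code: it keeps the handler's five fields and separator but is pure and testable without a running Burp, joins list-valued fields instead of emitting their Python repr, and reports a failed request (make_api_request returning None) distinctly from an empty knowledge base, the "whether Burp must be running" gap noted in the Behavior review. FIELDS, burp_up, burp_down, run_offline_check and the sample records are constructed for this example.

```python
import asyncio
from types import SimpleNamespace
from typing import Any, Awaitable, Callable

# Constructed sample records using the field names the handler reads; the
# values are made up for this example and are not taken from Burp.
SAMPLE_DEFINITIONS = [
    {"name": "SQL injection", "description": "Input reaches a query unescaped.",
     "remediation": "Use parameterised queries.",
     "references": ["https://example.invalid/sqli"],  # list-valued on purpose
     "vulnerability_classifications": ["CWE-89"]},
    {"name": "Sparse record"},  # exercises the .get() fallbacks
]

FIELDS = [("Issue Name", "name", "Unknown"), ("Description", "description", "N/A"),
          ("Remediation", "remediation", "None"), ("References", "references", "None"),
          ("Vulnerability Classifications", "vulnerability_classifications", "None")]

def _text(value: Any) -> str:
    # Join list-valued fields instead of emitting their Python repr.
    return ", ".join(str(v) for v in value) if isinstance(value, list) else str(value)

def format_issue_definitions(data: Any) -> str:
    """Pure formatter: same output layout as the handler above, but list-aware."""
    if not isinstance(data, list):
        return "Unexpected response shape from /knowledge_base/issue_definitions."
    blocks = ["\n".join(f"{label}: {_text(item.get(key, default))}"
                        for label, key, default in FIELDS) for item in data]
    return "\n---\n".join(blocks) if blocks else "No security definitions available."

async def get_issue_definitions(request: Callable[..., Awaitable[Any]]) -> str:
    """Same flow as the handler, but a failed request (Burp down, bad config)
    is reported distinctly instead of reading like an empty knowledge base."""
    resp = await request("GET", "/knowledge_base/issue_definitions")
    if resp is None:
        return "Burp REST API request failed; check that Burp is running and configured."
    return format_issue_definitions(resp.json())

# Hypothetical stand-ins for make_api_request so the check runs offline.
async def burp_up(method: str, path: str, payload: Any = None) -> Any:
    return SimpleNamespace(json=lambda: SAMPLE_DEFINITIONS)

async def burp_down(method: str, path: str, payload: Any = None) -> None:
    return None  # what make_api_request returns on any failure

def run_offline_check() -> tuple[str, str]:
    return (asyncio.run(get_issue_definitions(burp_up)),
            asyncio.run(get_issue_definitions(burp_down)))
```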
Behavior 3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full disclosure burden. It adds value by listing the returned data fields (name, description, remediation, references), but omits operational details like data volume ('all' implies large), caching behavior, or whether Burp must be running.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence with no redundant words. Every element serves a purpose: the action verb, the scope ('all'), the resource, and the output field preview.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's low complexity (no inputs) and existence of an output schema, the description is appropriately complete. It previews the return structure without redundantly documenting the full output schema, though noting it retrieves static reference data versus live findings would improve completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema contains zero parameters, which establishes a baseline score of 4. The description appropriately does not fabricate parameter details, though the parenthetical field list could be misinterpreted as parameter documentation.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific verb ('Get') and resource ('Burp Suite security issue definitions'), distinguishing it from sibling scan-operation tools like scan_urls_for_vulnerabilities or get_scan_summary which handle dynamic scan execution and results.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines 3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

While the tool's purpose is distinct from operational scan management siblings (implied by 'definitions' vs 'scan'), there is no explicit guidance on when to use this versus get_scan_summary for actual findings, or prerequisites like requiring Burp connectivity.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jayluxferro/burp-mcp'