
Burp Suite MCP Analyzer

by sklnhunt

🔥 Burp Suite MCP Analyzer

An MCP (Model Context Protocol) server that lets AI assistants analyze Burp Suite XML exports offline, with no running Burp instance required.

Ask any MCP-compatible AI assistant to map endpoints, find secrets, detect vulnerabilities, analyze headers, export curl commands, and generate pentest reports, all from a Burp XML export file.


✨ Features: 19 Tools

| Category | Tools |
|---|---|
| Core | load_burp_file, explore_file_structure, get_statistics, generate_report |
| Traffic | get_proxy_history, analyze_request, search_requests, find_errors |
| Recon | find_endpoints, find_parameters, get_cookies, detect_technologies, find_interesting_paths, find_file_uploads |
| Security | get_vulnerabilities, find_sensitive_data, analyze_security_headers, find_injection_points, export_as_curl |


📋 Prerequisites

  • Python 3.10+

  • Any MCP-compatible AI client (Claude Desktop, Claude Code, OpenCode, Cursor, GitHub Copilot, Windsurf)

  • Burp Suite (any version, just for exporting XML)


🚀 Installation

1. Clone the repo

git clone https://github.com/YOUR_USERNAME/burp-mcp-analyzer.git
cd burp-mcp-analyzer

2. Install dependencies

pip install -r requirements.txt

3. Configure your AI client: see Configuration below


📤 Exporting from Burp Suite

The server works with Burp XML exports (not raw .burp project files).

Option A (proxy history only, quickest):

Proxy tab → HTTP History → Ctrl+A (select all)
→ Right-click → Save items → save as export.xml

Option B (site map scanner issues):

Target tab → Site map → Select URL → Under Contents → Right-click → Save items → save as export.xml

⚙️ Configuration

Claude Desktop

Edit %APPDATA%\Claude\claude_desktop_config.json (Windows) or ~/Library/Application Support/Claude/claude_desktop_config.json (Mac):

{
  "mcpServers": {
    "burp-analyzer": {
      "command": "python3",
      "args": ["/path/to/burp_mcp_server.py"]
    }
  }
}

Windows with WSL:

{
  "mcpServers": {
    "burp-analyzer": {
      "command": "wsl.exe",
      "args": ["python3", "/home/YOUR_USERNAME/burp-mcp-analyzer/burp_mcp_server.py"]
    }
  }
}

Claude Code

claude mcp add burp-analyzer python3 /path/to/burp_mcp_server.py

Or import from Claude Desktop if already configured:

claude mcp add-from-claude-desktop

OpenCode

Edit ~/.config/opencode/config.json:

{
  "mcpServers": {
    "burp-analyzer": {
      "command": "python3",
      "args": ["/path/to/burp_mcp_server.py"],
      "type": "stdio"
    }
  }
}

GitHub Copilot (VS Code)

Create .vscode/mcp.json in your project:

{
  "servers": {
    "burp-analyzer": {
      "type": "stdio",
      "command": "python3",
      "args": ["/path/to/burp_mcp_server.py"]
    }
  }
}

Cursor

Edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "burp-analyzer": {
      "command": "python3",
      "args": ["/path/to/burp_mcp_server.py"]
    }
  }
}

Windsurf

Edit ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "burp-analyzer": {
      "command": "python3",
      "args": ["/path/to/burp_mcp_server.py"]
    }
  }
}

Restart your AI client after editing config files.


💬 Usage

Once configured, load a Burp XML export and start asking:

Load this file: /path/to/export.xml

Example Prompts

Recon

Show me all unique endpoints and paths discovered

Security Analysis

Scan all traffic for secrets, API keys, and credentials
Check all responses for missing or misconfigured security headers

Traffic

Show me all POST requests that returned 200
Find all 500 errors with the full response body

Reporting

Generate a full penetration test report with all findings

Chained

Load the file, map all endpoints, find injection points, then tell me the top 3 things to test
Find all sensitive data exposed in responses and group by risk level

For a full list of example prompts, see PROMPTS.md.


Sensitive Data Patterns Detected

The server automatically scans for 20+ patterns:

  • JWT Tokens, Bearer Tokens, Basic Auth

  • AWS Access Keys & Secret Keys

  • Google API Keys, GitHub Tokens, Slack Tokens, Stripe Keys, SendGrid Keys

  • Passwords in URLs and request bodies

  • Database connection strings

  • Private keys (RSA, EC)

  • Session cookies (PHPSESSID, JSESSIONID, connect.sid)

  • SQL errors and stack traces

  • Internal IP addresses

  • Email addresses, Credit card numbers
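As an added illustration (not the project's own code), the sketch below shows how pattern-based detection for four of the categories above can work on a response body, reporting each hit in redacted form so the finding does not re-leak the secret. The regular expressions, the `scan` and `redact` names, and the sample body are assumptions made for this example.

```python
import re

# Assumed patterns for four categories from the list above; the project's
# actual regexes are not shown on this page.
PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "internal_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
}


def redact(value, keep=4):
    """Keep a short prefix only, so reports and AI context never carry the full secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan(text):
    """Return (offset, kind, redacted_match) tuples for one body, sorted by offset."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append((m.start(), kind, redact(m.group(0))))
    return sorted(findings)


# Constructed sample response; the key is AWS's documented example value and
# the JWT is a made-up, unsigned-looking token.
SAMPLE = (
    "HTTP/1.1 500 Internal Server Error\r\n\r\n"
    '{"upstream": "10.0.3.17", '
    '"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWRlbW8", '
    '"key": "AKIAIOSFODNN7EXAMPLE", "resolver": "8.8.8.8"}'
)

if __name__ == "__main__":
    for offset, kind, shown in scan(SAMPLE):
        print(f"{offset:4d}  {kind:18s} {shown}")
```

Regex hits of this kind are candidates, not confirmed exposures; each one still needs to be checked in context before it goes into a report.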


🛡️ Security Headers Checked

Strict-Transport-Security · Content-Security-Policy · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · Cache-Control · Access-Control-Allow-Origin
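The following added example (not the project's code) shows what such a header check involves on a Burp XML export: each `<item>` carries a base64-encoded `<response>`, which is decoded and compared against the header list above. The `audit` function, the rule that only a wildcard `Access-Control-Allow-Origin` is flagged, and the sample export are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

# Header names from the list above; how each is judged is this example's assumption.
CHECKED = ["Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
           "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
           "Cache-Control", "Access-Control-Allow-Origin"]

def response_headers(item):
    """Decode one <item>'s <response>; return {lowercased name: value} or None."""
    node = item.find("response")
    if node is None or not node.text:
        return None  # no response was recorded for this request
    raw = base64.b64decode(node.text) if node.get("base64") == "true" else node.text.encode()
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(xml_text):
    """Map each URL to its findings: missing headers, plus a wildcard CORS origin."""
    report = {}
    # For export files from untrusted sources, a hardened parser such as defusedxml is safer.
    for item in ET.fromstring(xml_text).iter("item"):
        headers = response_headers(item)
        if headers is None:
            continue
        findings = [h for h in CHECKED[:-1] if h.lower() not in headers]
        if headers.get("access-control-allow-origin") == "*":
            findings.append("Access-Control-Allow-Origin: *")
        report[item.findtext("url")] = findings
    return report

def _item(url, response):
    """Build one constructed <item> the way Burp stores it (CDATA, base64 body)."""
    b64 = base64.b64encode(response).decode()
    return (f"<item><url><![CDATA[{url}]]></url><status>200</status>"
            f'<response base64="true"><![CDATA[{b64}]]></response></item>')

# Constructed sample export with two answered requests and one without a response.
SAMPLE = ("<items>"
          + _item("https://app.example.test/api/profile",
                  b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                  b"X-Content-Type-Options: nosniff\r\nCache-Control: no-store\r\n\r\n{}")
          + _item("https://app.example.test/api/feed",
                  b"HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n\r\n[]")
          + "<item><url>https://app.example.test/pending</url></item></items>")
```

Calling `audit(SAMPLE)` returns a dictionary keyed by URL, which makes it easy to group identical findings across many endpoints before writing them up.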


🗂️ Supported File Formats

| Format | How to get it |
|---|---|
| Burp XML export (.xml) | Proxy → HTTP History → Save items |
| Gzip-compressed XML | Project → Save copy (some Burp versions) |

Raw .burp project files are not supported because they use a proprietary binary format. Use the XML export instead.


This tool is intended for authorized security testing only.

  • Only analyze traffic from systems you have explicit permission to test

  • Unauthorized interception or analysis of network traffic may be illegal

  • The authors are not responsible for misuse of this tool
