What Is the Burp Suite MCP Server?

The Burp Suite MCP Server is an official PortSwigger extension (released 3 April 2025) that exposes Burp's HTTP history, Repeater, Intruder, Collaborator, and proxy controls as Model Context Protocol tools. Burp Suite is a tool that records and replays the web traffic flowing through a site; MCP (Model Context Protocol) is a standard way for an AI assistant to call external tools. Connect Claude Code, Cursor, or any MCP client to this extension and you can analyse a captured Burp session with a single prompt. Work that used to take hours of clicking through requests by hand - tracing how a cookie changes over time, finding the endpoints that send anti-bot data, and choosing which approach fits - becomes a 2-minute interaction. It is the recon tool that makes Step 0 of the scraping decision flow practical at scale.

Quick facts

Released: 3 April 2025 by PortSwigger
Language: Kotlin — runs as a Burp extension
Architecture: SSE server inside Burp + stdio proxy bridge for MCP clients
MCP clients supported: Claude Desktop, Claude Code, Cursor, any MCP-compatible client
Free?: Community Edition works; Collaborator requires Burp Professional

What the MCP tools expose

The extension turns Burp's main features into tools the AI can call. From a Claude Code prompt you can:

  • Send HTTP/1.1 and HTTP/2 requests directly, with Burp handling TLS impersonation (TLS is the encryption layer behind https, and impersonation makes the request look like it came from a real browser).
  • Search and filter proxy history (HTTP + WebSocket) with regex - pattern matching to find specific requests.
  • Generate and poll Burp Collaborator payloads for out-of-band testing, meaning checks that happen over a separate channel (Professional only).
  • Create Repeater tabs and send requests to Intruder for fuzzing - automatically resending a request with many varied inputs.
  • Export and modify project + user configuration via JSON.
  • Control proxy intercept and the task execution engine.
  • Use built-in encoders (URL, Base64) and random string generation.

An automatic Claude Desktop installer is packaged with the extension, so the typical setup is "install Burp extension → restart Claude Desktop → MCP tools appear" with no manual configuration.

Why this matters for scraping recon

Before this extension, figuring out which cookie unlocks which route, when the anti-bot's sensor data is sent, and what gets re-checked on a POST took a 1–4 hour manual walk through HTTP history. Most of that work is spotting patterns in a human-readable timeline - exactly what LLMs are good at. With the MCP server you can prompt: "I have a Burp session captured against retailer.com. Trace the cookie lifecycle for _abck. When does it flip from ~-1~ to ~0~? Which endpoint fires the sensor POST? Which subsequent endpoints check the cookie state?" Here _abck is the session cookie an anti-bot sets; the value flipping from -1 to 0 signals you have passed the check. The LLM reads through the history and answers in minutes.

The practical effect: Step 0 of the scraping decision flow — "identify the anti-bot and the approach that will work" — collapses from a half-day to a single conversation.

Build a reusable recon skill

The biggest payoff is to write a single burp-antibot-recon.md skill file holding the prompts you keep rerunning against new targets. Typical contents:

  1. Identify the anti-bot vendor from cookies and response headers.
  2. Map the cookie lifecycle for the vendor's primary session token.
  3. Find the sensor / challenge POST endpoint.
  4. Identify routes that enforce vs. ignore the cookie state.
  5. Recommend a step from the scraping decision flow.

Run the same skill against every new target. The recon output feeds directly into your scraper architecture decisions - which TLS library, which proxy type, whether to invest in a patched browser, or whether to skip straight to a managed API.
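
A deterministic cross-check for steps 2 to 4, useful for verifying what the assistant reports against the captured history. This is an added example, not code from the original page or from PortSwigger's extension. The record layout, the /telemetry path, the cookie values, and the 403/429 "blocked" heuristic are all assumptions made for illustration.

```python
import re

# Constructed sample, not Burp's export format: (method, path, request Cookie
# header, request body, response status, response Set-Cookie header).
HISTORY = [
    ("GET", "/", "", "", 200, "_abck=AAAA~-1~BBBB~-1~-1; Path=/"),
    ("GET", "/static/app.js", "_abck=AAAA~-1~BBBB~-1~-1", "", 200, ""),
    ("GET", "/api/prices", "_abck=AAAA~-1~BBBB~-1~-1", "", 403, ""),
    ("POST", "/telemetry", "_abck=AAAA~-1~BBBB~-1~-1",
     '{"sensor_data": "x"}', 201, "_abck=AAAA~0~CCCC~-1~-1; Path=/"),
    ("GET", "/api/prices", "_abck=AAAA~0~CCCC~-1~-1", "", 200, ""),
]

def cookie_state(header, name="_abck"):
    """Return the first ~N~ marker in the named cookie's value, else None."""
    m = re.search(rf"(?:^|;\s*){re.escape(name)}=[^;]*?~(-?\d+)~", header)
    return m.group(1) if m else None

def trace(history, name="_abck"):
    transitions, sensor_posts, routes = [], [], {}
    current = None  # last state the server set
    for i, (method, path, cookie, body, status, set_cookie) in enumerate(history):
        if method == "POST" and "sensor_data" in body:
            sensor_posts.append(path)
        elif cookie_state(cookie, name) == "-1":
            # Assumed heuristic: 403/429 means the route checked the cookie,
            # 2xx means it answered while the cookie was still unvalidated.
            if status in (403, 429):
                routes[path] = "enforces"
            elif 200 <= status < 300:
                routes.setdefault(path, "ignores")
        new = cookie_state(set_cookie, name)
        if new is not None and new != current:
            if current is not None:
                transitions.append(
                    {"index": i, "path": path, "from": current, "to": new})
            current = new
    return {"transitions": transitions, "sensor_posts": sensor_posts,
            "routes": routes}

if __name__ == "__main__":
    for key, value in trace(HISTORY).items():
        print(key, value)
```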

Code example

bash
# 1. Install the extension into Burp (BApp Store → search "MCP Server")
# 2. Point Claude Code at the MCP server (PortSwigger ships an installer)
# 3. Example prompts you can run from Claude Code with the MCP attached:

#   "Show me every Set-Cookie header from the last 30 requests to retailer.com,
#    grouped by domain and TTL."

#   "Trace the _abck cookie lifecycle. Identify the request where it transitions
#    from ~-1~ to ~0~ and show that request's body."

#   "Identify all POST endpoints that include the parameter sensor_data and
#    return their response status codes."

#   "Given the anti-bot signals you've found, recommend a step from the
#    scraping decision flow (Mobile API / XHR / JSON-in-HTML / curl_cffi /
#    patched browser / managed API)."

Frequently asked questions

Do I need Burp Professional?

No. The core MCP tools work with Burp Community Edition, which is free. Burp Collaborator features (out-of-band testing) require Professional, but for scraping recon you rarely need Collaborator - the proxy history, Repeater, and search tools do the heavy lifting.

How is this different from just opening DevTools?

DevTools (the browser's built-in inspector) shows one tab's requests in real time. Burp captures every request across every tab, keeps them for searchable analysis, lets you replay them through Repeater with changed parameters, and exposes the whole history to MCP. For recon on a session you have already captured, Burp + MCP is an order of magnitude faster than re-running the session in DevTools and clicking through by hand.

Can I use this with Cursor or other MCP clients?

Yes. The extension exposes a standard MCP server, so any MCP-compatible client can connect. The included installer is just for Claude Desktop, but Cursor, Codex, and others work too. Under the hood, Burp runs the server over SSE (server-sent events, a one-way streaming channel) and a small stdio proxy bridges it to the MCP clients.

Is this for offensive security or for scraping?

PortSwigger built it as a security-testing tool, but the recon workflow is identical to what serious scraping engineers do before writing a single line of code - identify the anti-bot, trace cookies, classify endpoints. The same prompts that find security vulnerabilities also map how a site's traffic and session flow work.

Last updated: 2026-05-31