What Is the Burp Suite MCP Server?

The Burp Suite MCP Server is an official PortSwigger extension (released 3 April 2025) that exposes Burp's HTTP history, Repeater, Intruder, Collaborator, and proxy controls as Model Context Protocol tools. Point Claude Code, Cursor, or any MCP client at it and you can analyse a Burp capture with a single prompt — what previously took hours of manual click-through to trace a cookie lifecycle, identify sensor payload endpoints, and pick the right bypass step becomes a 2-minute interaction. It is the recon tool that makes Step 0 of the scraping decision flow practical at scale.

Quick facts

Released: 3 April 2025 by PortSwigger
Language: Kotlin — runs as a Burp extension
Architecture: SSE server inside Burp + stdio proxy bridge for MCP clients
MCP clients supported: Claude Desktop, Claude Code, Cursor, any MCP-compatible client
Free?: Community Edition works; Collaborator requires Burp Professional

What the MCP tools expose

The extension surfaces Burp's core capabilities as MCP tool calls. From a Claude Code prompt you can:

  • Send HTTP/1.1 and HTTP/2 requests directly with TLS impersonation managed by Burp.
  • Search and filter proxy history (HTTP + WebSocket) with regex.
  • Generate and poll Burp Collaborator payloads for out-of-band testing (Professional only).
  • Create Repeater tabs and send requests to Intruder for fuzzing.
  • Export and modify project + user configuration via JSON.
  • Control proxy intercept and the task execution engine.
  • Use built-in encoders (URL, Base64) and random string generation.

An automatic Claude Desktop installer is packaged with the extension, so the typical setup is "install Burp extension → restart Claude Desktop → MCP tools appear" with no manual configuration.

Why this matters for scraping recon

Before this extension, identifying which cookie unlocks which route, when the sensor payload fires, and what gets re-validated on POST required a 1–4 hour manual walk through HTTP history. Most of that work is pattern matching against a human-readable timeline — exactly what LLMs are good at. With the MCP server you can prompt: "I have a Burp session captured against retailer.com. Trace the cookie lifecycle for _abck. When does it flip from ~-1~ to ~0~? Which endpoint fires the sensor POST? Which subsequent endpoints check the cookie state?" The LLM walks the history and answers in minutes.

The practical effect: Step 0 of the scraping decision flow — "identify the anti-bot and the bypass step that will work" — collapses from a half-day to a single conversation.

Build a reusable recon skill

The highest-leverage move is to author a single burp-antibot-recon.md skill file with the prompts you find yourself rerunning against new targets. Typical contents:

  1. Identify the anti-bot vendor from cookies and response headers.
  2. Map the cookie lifecycle for the vendor's primary session token.
  3. Find the sensor / challenge POST endpoint.
  4. Identify routes that enforce vs. ignore the cookie state.
  5. Recommend a step from the scraping decision flow.

Run the same skill against every new target. The recon output feeds directly into your scraper architecture decisions — which TLS library, which proxy type, whether to invest in a patched browser, or whether to skip straight to a managed API.

Code example

bash
# 1. Install the extension into Burp (BApp Store → search "MCP Server")
# 2. Point Claude Code at the MCP server (PortSwigger ships an installer)
# 3. Example prompts you can run from Claude Code with the MCP attached:

#   "Show me every Set-Cookie header from the last 30 requests to retailer.com,
#    grouped by domain and TTL."

#   "Trace the _abck cookie lifecycle. Identify the request where it transitions
#    from ~-1~ to ~0~ and show that request's body."

#   "Identify all POST endpoints that include the parameter sensor_data and
#    return their response status codes."

#   "Given the anti-bot signals you've found, recommend a step from the
#    scraping decision flow (Mobile API / XHR / JSON-in-HTML / curl_cffi /
#    patched browser / managed API)."
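
The first prompt above asks for Set-Cookie headers grouped by domain and TTL. As an added example (not from the original page and not PortSwigger's code), this Python script does that grouping offline over a constructed list of (host, Set-Cookie) pairs and, going slightly beyond the prompt, lists cookies set without both Secure and HttpOnly. It does not call Burp or the MCP server; the function names and sample values are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (response host, raw Set-Cookie value). All values are made up.
SAMPLE = [
    ("www.example.test", "session=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.test", "prefs=dark; Domain=example.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("api.example.test", "csrf=zzz; Path=/; Secure"),
    ("www.example.test", "track=1; Domain=.example.test; Max-Age=0"),
]

def parse_set_cookie(host, raw, now):
    """Parse one Set-Cookie value; ttl is seconds, or None for a session cookie."""
    first, *rest = [part.strip() for part in raw.split(";")]
    attrs = {}
    for item in rest:
        key, _, value = item.partition("=")
        attrs[key.strip().lower()] = value.strip()
    ttl = None
    try:
        if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265)
            ttl = max(int(attrs["max-age"]), 0)
        elif "expires" in attrs:
            ttl = max(int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds()), 0)
    except (ValueError, TypeError):
        ttl = None  # unparseable lifetime: treat as a session cookie
    return {"name": first.split("=", 1)[0],
            "domain": attrs.get("domain", "").lstrip(".").lower() or host,
            "ttl": ttl, "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def ttl_bucket(ttl):
    if not ttl:  # None (no lifetime given) or 0 (already expired)
        return "session" if ttl is None else "expired"
    return "<=1h" if ttl <= 3600 else ">1h"

def group_cookies(pairs, now=None):
    """Map (domain, ttl bucket) -> cookie names, in capture order."""
    now = now or datetime.now(timezone.utc)
    groups = defaultdict(list)
    for host, raw in pairs:
        c = parse_set_cookie(host, raw, now)
        groups[(c["domain"], ttl_bucket(c["ttl"]))].append(c["name"])
    return dict(groups)

def missing_flags(pairs):
    """Cookie names set without both Secure and HttpOnly."""
    parsed = (parse_set_cookie(h, r, datetime.now(timezone.utc)) for h, r in pairs)
    return [c["name"] for c in parsed if not (c["secure"] and c["httponly"])]
```
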

Frequently asked questions

Do I need Burp Professional?

The core MCP tools work with Burp Community Edition. Burp Collaborator features (out-of-band testing) require Professional, but for scraping recon you rarely need Collaborator — the proxy history, Repeater, and search tools are the load-bearing functionality.

How is this different from just opening DevTools?

DevTools sees one tab's requests in real time. Burp captures every request across every tab, retains them for searchable analysis, lets you replay them through Repeater with parameter changes, and exposes the whole history to MCP. For recon on a session you have already captured, Burp + MCP is an order of magnitude faster than re-running the session in DevTools and clicking through manually.

Can I use this with Cursor or other MCP clients?

Yes — the extension exposes a standard MCP server. The included installer is for Claude Desktop, but Cursor, Codex, and any MCP-compatible client can connect. The transport is SSE inside Burp with a stdio proxy that bridges to MCP clients.

Is this for offensive security or for scraping?

PortSwigger built it as a security-testing tool, but the recon workflow is identical to what serious scraping engineers do before writing a single line of code — identify the anti-bot, trace cookies, classify endpoints. The same prompts that find security vulnerabilities also find scraping bypass paths.

Last updated: 2026-05-26