A skills-based security analysis framework that combines Burp Suite's traffic capture with Claude Code's reasoning via MCP (Model Context Protocol). Instead of ad-hoc prompts, this toolkit encodes expert penetration testing methodology into reusable skill files.
| Principle | Description |
|---|---|
| Skills over Prompts | Expert methodology encoded in skill files, not thrown-together prompts |
| Phased Analysis | Scope → Triage → Analyze → Report (not everything at once) |
| Evidence-Required | No finding without proof from actual HTTP traffic |
```bash
# Clone the repository
git clone https://github.com/yourusername/burp-mcp-toolkit.git
cd burp-mcp-toolkit

# Run the installer
chmod +x install.sh
./install.sh

# Configure your scope
cp templates/scope-template.yaml scope.yaml
# Edit scope.yaml with your target information

# Launch
./launch.sh
```

See Installation Guide below for step-by-step manual setup.
Once Burp Suite is running with MCP enabled:

```text
# In Claude Code:
"load scope"   # Validate configuration
"triage"       # Classify endpoints
"analyze all"  # Run all indicator tests
"report"       # Generate final report
```

```text
burp-mcp-toolkit/
├── CLAUDE.md                     # Orchestration instructions (auto-loaded)
├── README.md                     # This file
├── install.sh                    # macOS installer
├── launch.sh                     # Launcher script (created by installer)
├── scope.yaml                    # Your engagement config (create from template)
│
├── skills/                       # Methodology files (~80KB of expertise)
│   ├── SKILL-burp-mcp.md         # MCP query patterns
│   ├── SKILL-endpoint-triage.md  # Endpoint classification
│   ├── SKILL-idor-testing.md     # IDOR detection methodology
│   ├── SKILL-bola-testing.md     # Broken Object Level Authorization
│   ├── SKILL-auth-analysis.md    # Auth bypass testing
│   ├── SKILL-ssrf-testing.md     # SSRF detection
│   ├── SKILL-injection-points.md # SQLi/XSS vector identification
│   └── SKILL-report-format.md    # Report generation format
│
├── lib/                          # Python helpers
│   ├── scope_validator.py        # Validate scope.yaml
│   ├── endpoint_filter.py        # Filter/prioritize endpoints
│   ├── finding_formatter.py      # Format findings to markdown
│   └── report_generator.py       # Aggregate findings into report
│
├── templates/
│   ├── scope-template.yaml       # Blank scope configuration
│   └── finding-template.md       # Finding documentation format
│
└── output/                       # Generated during analysis
    ├── endpoints.json            # Triaged endpoint list
    ├── findings/                 # Per-indicator findings
    └── report.md                 # Final consolidated report
```
| Indicator | Skill File | What It Finds |
|---|---|---|
| idor | SKILL-idor-testing.md | Insecure Direct Object References |
| bola | SKILL-bola-testing.md | Broken Object Level Authorization |
| auth_bypass | SKILL-auth-analysis.md | Authentication/session vulnerabilities |
| ssrf | SKILL-ssrf-testing.md | Server-Side Request Forgery |
| injection | SKILL-injection-points.md | SQLi/XSS/Command injection vectors |
| Command | Phase | Description |
|---|---|---|
| load scope | 1 | Parse and validate scope.yaml |
| triage | 2 | Classify and prioritize endpoints |
| analyze {indicator} | 3 | Run a specific indicator (e.g., analyze idor) |
| analyze all | 3 | Run all enabled indicators |
| report | 4 | Generate consolidated report |
| full scan | 1-4 | Run the complete pipeline |
| status | - | Show current progress |
| show endpoints | - | Display triaged endpoints |
| inspect {path} | - | Deep dive on a specific endpoint |
- macOS (Intel or Apple Silicon)
- Burp Suite Community or Professional
- Claude Code (npm package)
- Captured HTTP traffic through the Burp proxy
- Multiple auth contexts (for IDOR/BOLA testing)
```bash
./install.sh
```

This installs Homebrew, Burp Suite, Caddy, Node.js and Claude Code, and configures MCP.

- Install Burp Suite

  ```bash
  brew install --cask burp-suite
  ```

- Install MCP Server Extension
  - Open Burp → Extender → BApp Store
  - Search "MCP Server" → Install
  - Export mcp-proxy.jar to ~/.burp-mcp-extension/

- Install Caddy (reverse proxy)

  ```bash
  brew install caddy
  ```

- Install Claude Code

  ```bash
  npm install -g @anthropic-ai/claude-code
  ```

- Configure MCP

  Create ~/.claude.json:

  ```json
  {
    "mcpServers": {
      "burp": {
        "command": "/path/to/java",
        "args": ["-jar", "/path/to/mcp-proxy.jar", "--", "http://localhost:9877/mcp"]
      }
    }
  }
  ```

- Configure Caddy

  Create ~/.config/caddy/Caddyfile:

  ```
  :9877 {
      reverse_proxy localhost:9876 {
          header_up -Origin
      }
  }
  ```

  The `header_up -Origin` directive deletes the Origin header before the request is forwarded to the MCP server on port 9876, so anything that can reach port 9877 can talk to the MCP server without passing an origin check. Note that a bare `:9877` makes Caddy listen on all interfaces; writing `localhost:9877 { ... }` instead restricts the listener to the loopback interface.
Copy and edit the scope template:

```bash
cp templates/scope-template.yaml scope.yaml
```

Key sections:
- target: Primary domain and additional hosts
- scope: Include/exclude path patterns
- indicators: Which vulnerability types to test
- auth: Multi-user tokens for IDOR/BOLA testing
See templates/scope-template.yaml for full documentation with examples.
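The following is an added example of how a scope check can combine the target hosts with include/exclude path patterns so that only in-scope traffic is ever analysed. It is illustrative code, not the project's lib/scope_validator.py or lib/endpoint_filter.py, and the SCOPE dict below is a constructed stand-in for scope.yaml whose keys (target.domain, target.additional_hosts, scope.include, scope.exclude) are assumptions about the template's layout.

```python
"""Added example: checking captured URLs against a scope definition.

Illustrative code, not the project's own lib/ helpers. The SCOPE dict is a
constructed stand-in for scope.yaml; its key names are assumptions.
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample mirroring the "target" and "scope" sections described above.
SCOPE = {
    "target": {
        "domain": "app.example.com",
        "additional_hosts": ["api.example.com"],
    },
    "scope": {
        "include": ["/api/*", "/account/*"],
        "exclude": ["/api/health", "/api/public/*"],
    },
}


def allowed_hosts(scope: dict) -> set:
    """Primary domain plus any additional hosts, lower-cased for comparison."""
    target = scope["target"]
    hosts = {target["domain"].lower()}
    hosts.update(h.lower() for h in target.get("additional_hosts", []))
    return hosts


def in_scope(url: str, scope: dict = SCOPE) -> bool:
    """True only if the host is a listed target AND the path matches an
    include pattern AND matches no exclude pattern. Excludes always win,
    so a broad include cannot silently re-admit an excluded path."""
    parts = urlsplit(url)
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts(scope):
        return False
    path = parts.path or "/"
    rules = scope["scope"]
    if any(fnmatch(path, pat) for pat in rules.get("exclude", [])):
        return False
    return any(fnmatch(path, pat) for pat in rules.get("include", ["/*"]))


def filter_endpoints(urls, scope: dict = SCOPE):
    """Partition captured URLs into (in_scope, out_of_scope) lists so the
    out-of-scope list can be reviewed and dropped before triage."""
    inside, outside = [], []
    for url in urls:
        (inside if in_scope(url, scope) else outside).append(url)
    return inside, outside
```

Host matching is exact rather than suffix-based on purpose: a subdomain that is not listed stays out of scope until someone adds it to additional_hosts.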
All findings are written to output/:
| File | Description |
|---|---|
| endpoints.json | Triaged endpoints with scores and indicators |
| findings/idor.md | IDOR-specific findings |
| findings/bola.md | BOLA-specific findings |
| findings/auth.md | Auth bypass findings |
| findings/ssrf.md | SSRF findings |
| findings/injection.md | Injection point findings |
| report.md | Consolidated final report |
The lib/ directory contains standalone Python utilities:
```bash
# Validate scope configuration
python lib/scope_validator.py scope.yaml

# Generate report from findings
python lib/report_generator.py output/
```

To add a new indicator:
- Create skills/SKILL-{indicator}-testing.md with the methodology
- Add it to indicators.enabled in scope-template.yaml
- Update CLAUDE.md with the new skill reference
Follow the structure of existing skills:
- Purpose and scope
- Prerequisites
- Step-by-step methodology
- Evidence requirements
- Output format
- Scope files contain tokens - Add scope.yaml to .gitignore
- Use only on authorized targets - Standard pentest rules apply
- Evidence is redacted by default - Configure in scope.yaml
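As an added example of what "evidence is redacted by default" has to cover, the code below strips credential-bearing header values and JWT-shaped tokens from a raw HTTP message before it is pasted into a finding, and provides a gate that refuses to write evidence that still contains a token. This is illustrative code, not the project's lib/finding_formatter.py; the header list, the token pattern and the sample request are constructed.

```python
"""Added example: redacting secrets from captured HTTP evidence.

Illustrative code, not the project's lib/finding_formatter.py. The header
names, the token regex and SAMPLE_REQUEST are constructed for this example.
"""
import re

# Header values that must never reach a report (constructed list; extend as needed).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
# JWT-shaped strings (three base64url segments starting with "eyJ") that can
# turn up in bodies, query strings or non-standard headers.
TOKEN_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
PLACEHOLDER = "[REDACTED]"


def redact_evidence(raw_http: str) -> str:
    """Redact sensitive header values and token-like strings in a raw HTTP
    message. Header names and message structure are preserved so a reviewer
    can still see which headers were present."""
    head, sep, body = raw_http.partition("\r\n\r\n")
    if not sep:  # tolerate LF-only captures
        head, sep, body = raw_http.partition("\n\n")
    newline = "\r\n" if "\r\n" in head else "\n"
    lines = []
    for line in head.split(newline):
        name, colon, _value = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            lines.append(f"{name}: {PLACEHOLDER}")
        else:
            lines.append(TOKEN_RE.sub(PLACEHOLDER, line))
    return newline.join(lines) + sep + TOKEN_RE.sub(PLACEHOLDER, body)


def leaks_secret(text: str) -> bool:
    """Gate before writing a finding: True if a token-like value is still present."""
    return TOKEN_RE.search(text) is not None


# Constructed sample request; the bearer token is a made-up JWT-shaped string.
SAMPLE_REQUEST = (
    "GET /api/users/42 HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl\r\n"
    "Cookie: session=abc123\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)

if __name__ == "__main__":
    redacted = redact_evidence(SAMPLE_REQUEST)
    assert not leaks_secret(redacted)
    print(redacted)
```

Run the redaction on every request/response pair before it is written under output/findings/, and treat a True from leaks_secret as a reason to stop rather than to write; a finding that is missing its evidence is recoverable, a report that leaks a live session token is not.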
MIT License - See LICENSE
Contributions welcome! See CONTRIBUTING.md
- Burp Suite MCP Server
- Claude Code
- AATMF - Adversarial AI Threat Modeling Framework
Disclaimer: Use responsibly and only on systems you have explicit permission to test.