{"id":"andromeda254-burp-mcp-server","name":"burp-mcp-server","homepage":null,"repo_url":"https://github.com/Andromeda254/burp-mcp-server","category":"security","subcategories":[],"tags":["mcp","burpsuite","montoya-api","security-testing","json-rpc","claude-desktop","java","stdio","http-mode"],"what_it_does":"Provides an MCP server (stdio for Claude Desktop, and an HTTP mode for testing) that integrates with BurpSuite via the Montoya API to trigger scans, retrieve scan results, and access proxy/traffic history and scan queue/issue resources.","use_cases":["Use Claude Desktop (MCP) to initiate BurpSuite passive/active/full scans","Fetch scan results and discovered vulnerabilities from BurpSuite","Inspect proxy HTTP request/response history through a conversational interface","Monitor scan queue status and active tasks via MCP resources"],"not_for":["Internet-exposed deployment without network controls (server is stated as localhost-only by default)","Use as a general-purpose API for third-party apps without understanding BurpSuite/Montoya access requirements","Automated large-scale scanning from untrusted prompts without guardrails/authorization"],"best_when":"You have BurpSuite and want an agent/workflow (Claude Desktop via MCP) to drive scanning and then retrieve results programmatically on a local machine.","avoid_when":"You need strong authentication/authorization for multi-user access, or you must comply with strict operational controls (because no auth model or rate limiting details are documented).","alternatives":["Use BurpSuite extension(s) or Montoya API directly from your own code","Use BurpSuite's built-in reporting/export and a separate ingestion pipeline into your tooling","Other MCP servers that expose security tooling (if available) with documented auth/rate limits"],"af_score":44.0,"security_score":33.8,"reliability_score":22.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T20:03:13.153592+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:5001/mcp (HTTP mode)","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["None documented (local stdio/localhost operation implied)"],"oauth":false,"scopes":false,"notes":"No authentication mechanism is described for the MCP server or HTTP mode in the provided README. Configuration appears to be local/controlled via CLI and environment variables."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Open-source MIT license; no service pricing described."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":44.0,"security_score":33.8,"reliability_score":22.5,"mcp_server_quality":75.0,"documentation_accuracy":60.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":20.0,"rate_limit_clarity":10.0,"tls_enforcement":20.0,"auth_strength":25.0,"scope_granularity":20.0,"dependency_hygiene":50.0,"secret_handling":60.0,"security_notes":"Security-relevant points from the README: server runs on localhost only by default; environment variable BURP_MCP_LOG_LEVEL suggests logging can be verbose and logs may contain sensitive information (review log retention). No explicit TLS/authentication, scope/permission model, or data-handling guarantees are documented. Dependency hygiene cannot be verified from provided content; Jackson/SLF4J are listed but no CVE status is available.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":20.0,"error_recovery":30.0,"idempotency_support":"false","idempotency_notes":"Scan initiation tools may create new tasks; README does not specify idempotency behavior for repeated requests.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["No documented rate limits for the MCP/HTTP endpoints","No documented authentication/authorization—assume local-only security boundaries","Scan actions can be stateful/expensive; repeated calls may queue multiple scan tasks","HTTP mode and stdio mode differ; tool behavior may vary depending on transport"]}}