Burp MCP + Codex CLI

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://pentestbook.six2dez.com/others/burp
• Blog Title: Burp MCP + Codex CLI
• Suggested Section: AI -> AI Security (LLM tooling) or Pentesting Web -> Burp Suite (new page/section: "Burp MCP / LLM assistants integration"), including a note on fixing MCP handshake via local reverse proxy and optional header rewrite attribution

🎯 Content Summary

Topic / goal
The post is a hands-on guide to connect Burp Suite traffic to an LLM “reasoning client” (Codex CLI) via the Burp Suite MCP Server extension (from the BApp Store). The intent is to let the LLM reason over real intercepted HTTP requests/responses (Burp evidence) for passive vulnerability discovery and report writing, without API keys, scanning, or fuzzing.

What you get (outcomes)
• Passive vuln discovery based on observ...

🔧 Technical Details

LLM reasoning directly on Burp-captured HTTP via MCP stdio bridge: Run Burp’s MCP Server extension and extract the “server proxy jar”. Configure an MCP client (Codex CLI) to launch that jar and speak MCP over stdio; the jar bridges to Burp MCP, enabling programmatic querying/reasoning over intercepted requests/responses for passive bug discovery and evidence-based reporting.

Fix strict-Origin/extra-header MCP handshake failures with a reverse proxy: If an MCP server rejects the client handshake due to strict Origin validation or unexpected headers, place a local reverse proxy (e.g., Caddy) in front of the MCP endpoint to normalize/forward requests so the handshake succeeds while keeping analysis local.

Attribution and traffic tracking using proxy header rewriting: Use regex-based header rewrite rules at the proxy layer to tag traffic (e.g., match ^User-Agent: (.*)$ and replace with User-Agent: $1 BugBounty-Username🤖 Agent Actions

Summary:

• Added detailed guidance on integrating Burp Suite’s MCP Server with Codex CLI, including proxy JAR setup and stdio MCP configuration.
• Documented Caddy-based workaround for Burp MCP strict Origin/header validation, start/verify steps, and an optional zsh helper to launch the stack.
• Included proxy-level header tagging tip for request attribution and updated references with the Burp MCP integration source and related issue.

Testing:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://pentestbook.six2dez.com/others/burp

Content Categories: Based on the analysis, this content was categorized under "AI -> AI Security (LLM tooling) or Pentesting Web -> Burp Suite (new page/section: "Burp MCP / LLM assistants integration"), including a note on fixing MCP handshake via local reverse proxy and optional header rewrite attribution".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0