Burp MCP Security Analysis Toolkit

Burp MCP Security Analysis Toolkit - SnailSploit Edition
A skills-based security analysis framework by SnailSploit that combines Burp Suite's traffic capture with Claude Code's reasoning via MCP (Model Context Protocol). Instead of ad-hoc prompts, this toolkit encodes expert penetration testing methodology into reusable skill files.
Philosophy
| Principle | Description | |-----------|-------------| | Skills over Prompts | Expert methodology encoded in skill files, not thrown-together prompts | | Phased Analysis | Scope > Triage > Analyze > Report (not everything at once) | | Evidence-Required | No finding without proof from actual HTTP traffic |
Quick Start
Installation (macOS / Linux)
# Clone the repository
git clone https://github.com/SnailSploit/Burp-MCP-Security-Analysis-Toolkit.git
cd Burp-MCP-Security-Analysis-Toolkit
Install Python dependencies
pip install -r requirements.txt
Run the installer (macOS)
chmod +x install.sh
./install.sh
Configure your scope
cp templates/scope-template.yaml scope.yaml
Edit scope.yaml with your target information
Launch
./launch.sh
CLI Usage
The toolkit includes a unified CLI for standalone operations:
# Validate scope configuration
python -m lib validate scope.yaml
Generate report from findings
python -m lib report ./output
Run interactive demo
python -m lib demo
Show version
python -m lib version
Claude Code Commands
Once Burp Suite is running with MCP enabled:
# In Claude Code:
"load scope" # Validate configuration
"triage" # Classify endpoints
"analyze all" # Run all indicator tests
"report" # Generate final report
Directory Structure
Burp-MCP-Security-Analysis-Toolkit/
โโโ CLAUDE.md # Orchestration instructions (auto-loaded)
โโโ README.md # This file
โโโ install.sh # macOS installer
โโโ launch.sh # Launcher script (created by installer)
โโโ scope.yaml # Your engagement config (create from template)
โ
โโโ skills/ # Methodology files (~80KB of expertise)
โ โโโ SKILL-burp-mcp.md # MCP query patterns
โ โโโ SKILL-endpoint-triage.md # Endpoint classification
โ โโโ SKILL-idor-testing.md # IDOR detection methodology
โ โโโ SKILL-bola-testing.md # Broken Object Level Authorization
โ โโโ SKILL-auth-analysis.md # Auth bypass testing
โ โโโ SKILL-ssrf-testing.md # SSRF detection
โ โโโ SKILL-injection-points.md# SQLi/XSS vector identification
โ โโโ SKILL-report-format.md # Report generation format
โ
โโโ lib/ # Python helpers
โ โโโ init.py # Package exports (v2.1.0)
โ โโโ main.py # CLI entry point
โ โโโ scope_validator.py # Validate scope.yaml
โ โโโ endpoint_filter.py # Filter/prioritize endpoints
โ โโโ finding_formatter.py # Format findings to markdown
โ โโโ report_generator.py # Aggregate findings into report
โ
โโโ tests/ # Test suite
โ โโโ testscopevalidator.py # Scope validation tests
โ โโโ testendpointfilter.py # Endpoint filtering tests
โ โโโ testfindingformatter.py# Finding formatting tests
โ โโโ testreportgenerator.py # Report generation tests
โ
โโโ templates/
โ โโโ scope-template.yaml # Blank scope configuration
โ โโโ finding-template.md # Finding documentation format
โ
โโโ output/ # Generated during analysis
โโโ endpoints.json # Triaged endpoint list
โโโ findings/ # Per-indicator findings
โโโ report.md # Final consolidated report
Supported Indicators
| Indicator | Skill File | What It Finds | |-----------|------------|---------------| | idor | SKILL-idor-testing.md | Insecure Direct Object References | | bola | SKILL-bola-testing.md | Broken Object Level Authorization | | auth_bypass | SKILL-auth-analysis.md | Authentication/session vulnerabilities | | ssrf | SKILL-ssrf-testing.md | Server-Side Request Forgery | | injection | SKILL-injection-points.md | SQLi/XSS/Command injection vectors |
Commands Reference
| Command | Phase | Description | |---------|-------|-------------| | load scope | 1 | Parse and validate scope.yaml | | triage | 2 | Classify and prioritize endpoints | | analyze {indicator} | 3 | Run specific indicator (e.g., analyze idor) | | analyze all | 3 | Run all enabled indicators | | report | 4 | Generate consolidated report | | full scan | 1-4 | Run complete pipeline | | status | - | Show current progress | | show endpoints | - | Display triaged endpoints | | inspect {path} | - | Deep dive on specific endpoint |
Prerequisites
- macOS (Intel or Apple Silicon) or Linux
- Python 3.9+
- Burp Suite Community or Professional
- Claude Code (npm package)
- Captured HTTP Traffic through Burp proxy
- Multiple auth contexts (for IDOR/BOLA testing)
Installation Guide
Option 1: Automated (macOS)
./install.sh
This installs: Homebrew, Burp Suite, Caddy, Node.js, Claude Code, and configures MCP.
Option 2: Manual
- Install Burp Suite
brew install --cask burp-suite
- Install MCP Server Extension
mcp-proxy.jar to ~/.burp-mcp-extension/
- Install Caddy (reverse proxy)
brew install caddy
- Install Claude Code
npm install -g @anthropic-ai/claude-code
- Configure MCP
~/.claude.json:
{
"mcpServers": {
"burp": {
"command": "/path/to/java",
"args": ["-jar", "/path/to/mcp-proxy.jar", "--", "http://localhost:9877/mcp"]
}
}
}
- Configure Caddy
~/.config/caddy/Caddyfile:
:9877 {
reverse_proxy localhost:9876 {
header_up -Origin
}
}
Configuration
Copy and edit the scope template:
cp templates/scope-template.yaml scope.yaml
Key sections:
- target: Primary domain and additional hosts
- scope: Include/exclude path patterns
- indicators: Which vulnerability types to test
- auth: Multi-user tokens for IDOR/BOLA testing
templates/scope-template.yaml for full documentation with examples.
Output
All findings are written to output/:
| File | Description | |------|-------------| | endpoints.json | Triaged endpoints with scores and indicators | | findings/idor.md | IDOR-specific findings | | findings/bola.md | BOLA-specific findings | | findings/auth.md | Auth bypass findings | | findings/ssrf.md | SSRF findings | | findings/injection.md | Injection point findings | | report.md | Consolidated final report |
Python Helpers
The lib/ directory contains standalone Python utilities accessible via CLI:
# Unified CLI
python -m lib validate scope.yaml
python -m lib report output/
python -m lib demo
python -m lib version
Direct module usage
python lib/scope_validator.py scope.yaml
python lib/report_generator.py output/
Testing
Run the full test suite:
pip install pytest
python -m pytest tests/ -v
Extending
Add New Indicator
- Create
skills/SKILL-{indicator}-testing.mdwith methodology - Add to
indicators.enabledin scope-template.yaml - Update CLAUDE.md with new skill reference
Custom Skills
Follow the structure of existing skills:
- Purpose and scope
- Prerequisites
- Step-by-step methodology
- Evidence requirements
- Output format
Security Notes
- Scope files contain tokens - Add
scope.yamlto.gitignore - Use only on authorized targets - Standard pentest rules apply
- Evidence is redacted by default - Configure in scope.yaml
License
MIT License - See LICENSE
Contributing
Contributions welcome! See CONTRIBUTING.md
Credits
- SnailSploit - Framework author and maintainer
- Kai Aizen - Original toolkit concept
- Built with Burp Suite MCP Server and Claude Code
Disclaimer: Use responsibly and only on systems you have explicit permission to test.
๐ Documentation & Author
This project's full writeup, methodology, and related research lives at:
Created by Kai Aizen โ independent offensive security researcher.
snailsploit.com ยท Research ยท Frameworks ยท GitHub ยท LinkedIn ยท ResearchGate ยท X/Twitter
Same attack. Different substrate.