Add BurpSuite MCP Bridge #191
Code Review
This pull request introduces the BurpSuite MCP Bridge plugin, adding its registration, configuration examples, documentation, and a Python MCP server implementation. The code review identified critical runtime compatibility issues with the official mcp Python SDK in the server implementation, specifically regarding unsupported FastMCP constructor arguments, invalid transport options, and a potential JSONDecodeError when handling empty HTTP response bodies.
| mcp = FastMCP( | ||
| "BurpSuite MCP Bridge", | ||
| instructions=( | ||
| "Use these tools to read and operate Burp proxy traffic from Windows Burp in WSL mirrored mode. " | ||
| "Prefer burp_target_overview(host=...) when working one target, or burp_live_overview/burp_live_poll for incremental triage, then burp_flow_get for a decisive request/response pair. " | ||
| "Use burp_replay_flow or burp_send_raw_request when you need AI-driven request mutation and replay. " | ||
| "Use burp_rule_upsert to install automatic request/response rewrite rules for proxied traffic; rule action is modify, drop, or spoof." | ||
| ), | ||
| host=MCP_SERVER_HOST, | ||
| port=MCP_SERVER_PORT, | ||
| streamable_http_path=MCP_SERVER_PATH, | ||
| ) |
The FastMCP constructor in the official mcp Python SDK (version 1.0.0+) does not accept the streamable_http_path argument. Including it will cause a TypeError at runtime, preventing the server from starting. Please remove this argument to ensure compatibility with the standard mcp library.
mcp = FastMCP(
"BurpSuite MCP Bridge",
instructions=(
"Use these tools to read and operate Burp proxy traffic from Windows Burp in WSL mirrored mode. "
"Prefer burp_target_overview(host=...) when working one target, or burp_live_overview/burp_live_poll for incremental triage, then burp_flow_get for a decisive request/response pair. "
"Use burp_replay_flow or burp_send_raw_request when you need AI-driven request mutation and replay. "
"Use burp_rule_upsert to install automatic request/response rewrite rules for proxied traffic; rule action is modify, drop, or spoof."
),
host=MCP_SERVER_HOST,
port=MCP_SERVER_PORT,
)| if __name__ == "__main__": | ||
| try: | ||
| parser = argparse.ArgumentParser(description="BurpSuite MCP Bridge server") | ||
| parser.add_argument("--transport", choices=["stdio", "streamable-http", "sse"], default=MCP_TRANSPORT) | ||
| parser.add_argument("--host", default=MCP_SERVER_HOST, help="Host for HTTP MCP transports") | ||
| parser.add_argument("--port", type=int, default=MCP_SERVER_PORT, help="Port for HTTP MCP transports") | ||
| parser.add_argument("--path", default=MCP_SERVER_PATH, help="Path for Streamable HTTP MCP transport") | ||
| args = parser.parse_args() | ||
| mcp.settings.host = args.host | ||
| mcp.settings.port = args.port | ||
| mcp.settings.streamable_http_path = args.path | ||
| mcp.run(transport=args.transport) | ||
| except Exception as exc: # pragma: no cover | ||
| print(f"[burpsuite-mcp-bridge] fatal: {exc}", file=os.sys.stderr) | ||
| raise |
The official mcp Python SDK's FastMCP class does not expose a mutable settings attribute with streamable_http_path, nor does mcp.run() support "streamable-http" as a transport option. Attempting to run the server with these options will result in runtime errors. Let's update the argument parser and transport options to align with the official SDK's supported transports ("stdio" and "sse").
| if __name__ == "__main__": | |
| try: | |
| parser = argparse.ArgumentParser(description="BurpSuite MCP Bridge server") | |
| parser.add_argument("--transport", choices=["stdio", "streamable-http", "sse"], default=MCP_TRANSPORT) | |
| parser.add_argument("--host", default=MCP_SERVER_HOST, help="Host for HTTP MCP transports") | |
| parser.add_argument("--port", type=int, default=MCP_SERVER_PORT, help="Port for HTTP MCP transports") | |
| parser.add_argument("--path", default=MCP_SERVER_PATH, help="Path for Streamable HTTP MCP transport") | |
| args = parser.parse_args() | |
| mcp.settings.host = args.host | |
| mcp.settings.port = args.port | |
| mcp.settings.streamable_http_path = args.path | |
| mcp.run(transport=args.transport) | |
| except Exception as exc: # pragma: no cover | |
| print(f"[burpsuite-mcp-bridge] fatal: {exc}", file=os.sys.stderr) | |
| raise | |
| if __name__ == "__main__": | |
| try: | |
| parser = argparse.ArgumentParser(description="BurpSuite MCP Bridge server") | |
| parser.add_argument("--transport", choices=["stdio", "sse"], default=MCP_TRANSPORT) | |
| parser.add_argument("--host", default=MCP_SERVER_HOST, help="Host for HTTP MCP transports") | |
| parser.add_argument("--port", type=int, default=MCP_SERVER_PORT, help="Port for HTTP MCP transports") | |
| args = parser.parse_args() | |
| mcp.host = args.host | |
| mcp.port = args.port | |
| mcp.run(transport=args.transport) | |
| except Exception as exc: # pragma: no cover | |
| print(f"[burpsuite-mcp-bridge] fatal: {exc}", file=os.sys.stderr) | |
| raise |
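Review bot: `print(f"[burpsuite-mcp-bridge] fatal: {exc}", file=os.sys.stderr)` in both the original block and the suggested replacement reaches `sys` through the `os` module's internal import rather than importing it; `os.sys` is not a documented attribute of `os`, so import `sys` directly and write `file=sys.stderr` before the `raise`.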
| with _NO_PROXY_OPENER.open(request, timeout=30) as response: | ||
| data = json.loads(response.read().decode("utf-8")) |
If the Burp bridge returns an empty response body (e.g., for successful DELETE or buffer clearing operations), response.read() will return an empty byte string. Calling json.loads() on an empty string will raise a json.JSONDecodeError. We should check if the response body is empty before attempting to parse it as JSON.
| with _NO_PROXY_OPENER.open(request, timeout=30) as response: | |
| data = json.loads(response.read().decode("utf-8")) | |
| with _NO_PROXY_OPENER.open(request, timeout=30) as response: | |
| res_bytes = response.read() | |
| data = json.loads(res_bytes.decode("utf-8")) if res_bytes else {"ok": True} |
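Review bot: The `{"ok": True}` fallback on the last line of the suggestion synthesizes a success payload that callers cannot tell apart from a real bridge reply of `{"ok": true}`; return a distinct value such as `{}` or `{"ok": True, "empty_body": True}` so downstream code knows no document was parsed, and consider stripping whitespace before the emptiness check so a body of just `\n` does not still reach `json.loads`.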
| @mcp.tool() | ||
| def burp_flow_get(flow_id: int, source: str = "live", include_bodies: bool = True) -> dict[str, Any]: | ||
| """读取单条流量的完整细节。source=live/history/selection。""" | ||
| if source not in {"live", "history", "selection"}: |
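Review bot: The docstring of `burp_flow_get` is in Chinese while every other visible string is English, and it enumerates `source=live/history/selection`; when the allowed set gains `logger` the docstring needs the same update, preferably written in English like the tool instructions so the tool description an MCP client displays matches the accepted values.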
CRITICAL: Missing 'logger' in source validation allows incorrect routing
The validation set {"live", "history", "selection"} does not include "logger", but other functions like burp_replay_flow (line 860), burp_send_to_repeater (line 441), and burp_export_flow_bundle (line 471) all accept "logger" as a valid source. If a caller passes source="logger", the function would incorrectly fall through to the else branch and route to /api/selection/flows/{flow_id} instead of the correct /api/logger/flows/{flow_id}.
This should be: if source not in {"live", "history", "logger", "selection"}
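The two findings above (the empty response body that trips `json.loads`, and the missing `logger` source that lets a request route to the wrong endpoint) as one added example; this is not code from the PR. It assumes the bridge serves `/api/{source}/flows/{flow_id}` for each source, as the comment describes, and takes an injected `opener` callable in place of the PR's urllib opener so it runs offline.

```python
"""Client-side flow fetch applying both review findings: an explicit
source-to-route table with no fall-through, and tolerant body parsing."""
import json
from typing import Any, Callable

# Every source the bridge exposes, each mapped to its own route. A lookup
# table cannot fall through to a wrong endpoint the way an if/else chain can.
FLOW_ROUTES: dict[str, str] = {
    "live": "/api/live/flows/{flow_id}",
    "history": "/api/history/flows/{flow_id}",
    "logger": "/api/logger/flows/{flow_id}",
    "selection": "/api/selection/flows/{flow_id}",
}


def flow_path(flow_id: int, source: str = "live") -> str:
    """Return the bridge path for a flow, rejecting unknown sources outright."""
    try:
        template = FLOW_ROUTES[source]
    except KeyError:
        raise ValueError(f"source must be one of {sorted(FLOW_ROUTES)}, got {source!r}") from None
    return template.format(flow_id=int(flow_id))


def parse_bridge_body(raw: bytes) -> dict[str, Any]:
    """Decode a bridge response body. An empty or whitespace-only body (DELETE,
    buffer clear) becomes an explicit marker instead of a JSONDecodeError, and a
    JSON document that is not an object is reported rather than passed through."""
    if not raw.strip():
        return {"ok": True, "empty_body": True}
    data = json.loads(raw.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError(f"expected a JSON object, got {type(data).__name__}")
    return data


def get_flow(flow_id: int, source: str, opener: Callable[[str], bytes]) -> dict[str, Any]:
    """Fetch one flow. `opener(path)` returns the raw body for that path; it is
    an assumed stand-in for the urllib opener used in the PR."""
    return parse_bridge_body(opener(flow_path(flow_id, source)))


# Constructed sample responses keyed by path, standing in for a live bridge.
_SAMPLE: dict[str, bytes] = {
    "/api/logger/flows/7": b'{"id": 7, "method": "GET", "status": 200}',
    "/api/selection/flows/7": b"",
}
```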
Code Review Summary
Status: No Issues Found | Recommendation: Merge
The previously reported CRITICAL issue (missing 'logger' in source validation allowing incorrect routing) has been fixed in this PR. All source validation checks now correctly include 'logger' in the allowed values set. This PR adds the BurpSuite MCP Bridge plugin with proper source validation across all tool functions.
Files Reviewed (11 files)
Reviewed by laguna-m.1-20260312:free · 4,212,427 tokens

Two concerns:

1. Binary JAR files in the bundle. The PR includes
Before this PR can be merged, your plugin repo needs the HOL AI Plugin Scanner running in CI. This is a mandatory requirement for all submissions. Add this workflow to your plugin repo at

name: HOL Plugin Scanner
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: HOL Plugin Scanner
        uses: hashgraph-online/ai-plugin-scanner-action@v1
        with:
          plugin_dir: "."
          mode: scan
          min_score: 80
          fail_on_severity: high
          format: sarif
          upload_sarif: true

Also run the scanner locally and include the score in your PR description:

pipx install plugin-scanner
plugin-scanner scan . --format text

Your plugin needs a score of 80/130 or higher with no critical or high severity findings. Link the CI run or paste the score in this PR description. See the full guide: SCANNER_GUIDE.md

Additional issues:
Summary
Adds BurpSuite MCP Bridge to the Tools & Integrations section.
BurpSuite MCP Bridge connects Burp Suite traffic, replay, rewrite rules, UI selection handoff, BCheck/Bambda import,
and evidence export into Codex through MCP for WSL, Windows, and macOS workflows.
Checklist
- plugins/6jeffr3y/burpsuite-mcp-bridge/
- .codex-plugin/plugin.json and icon assets
- plugins.json and .agents/plugins/marketplace.json
Local validation
python3 scripts/check-alphabetical.py README.md
python3 scripts/validate-plugin-pr.py --base-ref origin/main