Skip to content

Burp MCP + Codex CLI #1755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
carlospolop wants to merge 1 commit into from
Closed

Burp MCP + Codex CLI #1755

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 123 additions & 1 deletion src/AI/AI-MCP-Servers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,127 @@ For more information about Prompt Injection check:
AI-Prompts.md
{{#endref}}

## Burp Suite MCP bridge for intercepted HTTP analysis

You can wire **Burp Suite’s MCP Server** into any MCP-capable LLM client (e.g., Codex CLI) so the model reasons over *actual* intercepted HTTP traffic while keeping everything local.

**Workflow**

1. Install **MCP Server** from the Burp BApp Store and in its tab click **Extract server proxy jar** to save `mcp-proxy.jar` (this binary bridges stdio to Burp’s SSE MCP endpoint).
2. Configure the MCP client to launch the jar over stdio and point it to Burp:

```toml
# ~/.codex/config.toml
[mcp_servers.burp]
command = "java"
args = ["-jar", "/absolute/path/to/mcp-proxy.jar", "--sse-url", "http://127.0.0.1:19876"]
```

### Fix strict Origin / header validation with a local reverse proxy

Burp MCP currently rejects Codex’ MCP handshake because of strict `Origin` checks and extra headers ([issue](https://github.com/PortSwigger/mcp-server/issues/34)). Place a local proxy in front of Burp to normalize the request and remove the problematic headers.

Install Caddy and create a `Caddyfile`:

<details>
<summary>Caddy reverse proxy for Burp MCP</summary>

```bash
brew install caddy
cat >~/burp-mcp/Caddyfile <<'EOF'
:19876

reverse_proxy 127.0.0.1:9876 {
# lock Host/Origin to the Burp listener
header_up Host "127.0.0.1:9876"
header_up Origin "http://127.0.0.1:9876"

# strip Codex headers that trigger Burp’s 403 during SSE init
header_up -User-Agent
header_up -Accept
header_up -Accept-Encoding
header_up -Connection
}
EOF
```

</details>

Start the stack and verify the MCP handshake:

```bash
caddy run --config ~/burp-mcp/Caddyfile &
codex # then run /mcp inside Codex to list Burp tools
```

### Optional one-command launcher

<details>
<summary>zsh helper to start Caddy and Codex together</summary>

```bash
burpcodex() {
emulate -L zsh
setopt pipefail

local CADDYFILE="$HOME/burp-mcp/Caddyfile"
local LOG="/tmp/burp-mcp-caddy.log"
local CADDY_PID=""

if ! command -v caddy >/dev/null 2>&1; then
echo "[!] caddy not found (brew install caddy)"
return 1
fi
if ! command -v codex >/dev/null 2>&1; then
echo "[!] codex not found in PATH"
return 1
fi
if [[ ! -f "$CADDYFILE" ]]; then
echo "[!] Caddyfile not found: $CADDYFILE"
return 1
fi

cleanup() {
if [[ -n "$CADDY_PID" ]] && kill -0 "$CADDY_PID" 2>/dev/null; then
kill -TERM "$CADDY_PID" 2>/dev/null
sleep 0.2
kill -KILL "$CADDY_PID" 2>/dev/null
wait "$CADDY_PID" 2>/dev/null
fi

local pids
pids="$(lsof -ti tcp:19876 2>/dev/null | tr '\n' ' ')"
if [[ -n "$pids" ]]; then
kill -TERM $pids 2>/dev/null
sleep 0.2
kill -KILL $pids 2>/dev/null
fi
}

trap 'cleanup; return 130' INT TERM
trap 'cleanup' EXIT

caddy run --config "$CADDYFILE" >"$LOG" 2>&1 &
CADDY_PID=$!
echo "[*] Caddy started (pid=$CADDY_PID) - log: $LOG"

command codex "$@"

cleanup
trap - INT TERM EXIT
}
```
</details>

### Proxy-level tagging for attribution

To mark Codex/Burp-driven traffic in logs, add a request header rewrite in your proxy (or Burp Match/Replace):

```text
Match: ^User-Agent: (.*)$
Replace: User-Agent: $1 BugBounty-Username
```

## MCP Vulns

> [!CAUTION]
Expand Down Expand Up @@ -225,12 +346,13 @@ The command-template variant exercised by JFrog (CVE-2025-8943) does not even ne
```

## References
- [Burp MCP + Codex CLI integration and Caddy handshake fix](https://pentestbook.six2dez.com/others/burp)
- [PortSwigger MCP server strict Origin/header validation issue](https://github.com/PortSwigger/mcp-server/issues/34)
- [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/)
- [Metasploit Wrap-Up 11/28/2025 – new Flowise custom MCP & JS injection exploits](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025)
- [GHSA-3gcm-f6qx-ff7p / CVE-2025-59528 – Flowise CustomMCP JavaScript code injection](https://github.com/advisories/GHSA-3gcm-f6qx-ff7p)
- [GHSA-2vv2-3x8x-4gv7 / CVE-2025-8943 – Flowise custom MCP command execution](https://github.com/advisories/GHSA-2vv2-3x8x-4gv7)
- [JFrog – Flowise OS command remote code execution (JFSA-2025-001380578)](https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578)
- [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/)
- [An Evening with Claude (Code): sed-Based Command Safety Bypass in Claude Code](https://specterops.io/blog/2025/11/21/an-evening-with-claude-code/)

{{#include ../banners/hacktricks-training.md}}