Is BurpMCP Ultra safe to use?

BurpMCP Ultra has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install BurpMCP Ultra?

BurpMCP Ultra supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What can BurpMCP Ultra do?

BurpMCP Ultra provides 54 tools: proxy_history, proxy_history_search, proxy_websocket_history, proxy_websocket_history_search, proxy_intercept_enable and 49 more. See the full tools list on the server page for descriptions and parameters.

What AI clients work with BurpMCP Ultra?

BurpMCP Ultra is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.

Is BurpMCP Ultra actively maintained?

BurpMCP Ultra is recently maintained — last commit was 57 days ago. It has 34 GitHub stars.

BurpMCP Ultra

Name: BurpMCP Ultra
Author: Cy-S3c

by Cy-S3c

The most comprehensive MCP server for Burp Suite Professional — 137 tools, real-time dashboard, custom scan checks, inline fuzzer, race condition testing, auth diffing, and more.

34 54 tools GitHub

No known CVEs

No license

Maintained

Last commit 57d ago

Works with most clients

Transport: stdio, sse

54 tools · ~2.3k tok

Grade C · 1.1% of 200K ctx

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "burp": {
      "url": "http://127.0.0.1:9876/sse",
      "type": "sse"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/burpmcp-ultra)](https://mcppedia.org/s/burpmcp-ultra)

Read me

What BurpMCP Ultra does

137 Tools • 14 Resources • 12 Event Types • Real-time Dashboard • Full Montoya API Coverage

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

55/100across 5 weighted dimensions

How we score →

0255075100

−45

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Inventory

Tools (54)

Click any tool to inspect its schema.

~2.3k tokens total

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is BurpMCP Ultra safe to use?: BurpMCP Ultra has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install BurpMCP Ultra?: BurpMCP Ultra supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can BurpMCP Ultra do?: BurpMCP Ultra provides 54 tools: proxy_history, proxy_history_search, proxy_websocket_history, proxy_websocket_history_search, proxy_intercept_enable and 49 more. See the full tools list on the server page for descriptions and parameters.
What AI clients work with BurpMCP Ultra?: BurpMCP Ultra is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.
Is BurpMCP Ultra actively maintained?: BurpMCP Ultra is recently maintained — last commit was 57 days ago. It has 34 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Mcpki Server92

mcpki-server is the backend infrastructure for https://www.mcpki.org, enabling secure public key management and autonomous certificate handling for large language models (LLMs).

MCP Security Weekly

Get CVE alerts and security updates for BurpMCP Ultra and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "burp": {
      "url": "http://127.0.0.1:9876/sse",
      "type": "sse"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/burpmcp-ultra)](https://mcppedia.org/s/burpmcp-ultra)

Read me

What BurpMCP Ultra does

137 Tools • 14 Resources • 12 Event Types • Real-time Dashboard • Full Montoya API Coverage

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

README

BurpMCP-Ultra

The most powerful MCP server for Burp Suite Professional

137 Tools • 14 Resources • 12 Event Types • Real-time Dashboard • Full Montoya API Coverage

Quick Start • All Tools • Features • Dashboard • Setup Guides

BurpMCP-Ultra is a native Kotlin Burp Suite extension with an embedded MCP (Model Context Protocol) server. Drop a single JAR into Burp, connect Claude Code or any MCP client, and control every aspect of Burp Suite programmatically through AI agents.

Why BurpMCP-Ultra?

	BurpMCP-Ultra	burp-ai-agent	PortSwigger Official
MCP Tools	137	53	12
Custom Scan Checks	BCheck + Script	-	-
WebSocket Testing	Full lifecycle	-	-
Inline Fuzzer	3 modes (FUZZ/Marker/Offset)	-	-
Race Condition Testing	Single-packet attack	-	-
Auth Level Diffing	IDOR/privesc detection	-	-
API Schema Import	OpenAPI/Swagger	-	-
Passive Intel Extraction	30+ patterns	-	-
Real-time Dashboard	Web + Swing	-	-
Event Streaming	12 event types	-	-
Response Variation Analysis	Blind injection detect	-	-
Request Chain Macros	Multi-step with token extraction	-	-
Collaborator OOB	Full create/poll/correlate	Partial	Partial

Quick Start

1. Build

git clone https://github.com/Cy-S3c/BurpMCP-Ultra.git
cd BurpMCP-Ultra
./gradlew shadowJar

Output: build/libs/burpmcp-ultra-2.0.1.jar (13 MB)

2. Load into Burp

Burp Suite Pro > Extensions > Add
Select the JAR
BurpMCP-Ultra tab appears with green "Running" status

3. Connect Claude Code

{
  "mcpServers": {
    "burp": {
      "type": "sse",
      "url": "http://127.0.0.1:9876/sse"
    }
  }
}

Add to ~/.claude.json or your project's .mcp.json.

4. Open Dashboard

Browse to http://127.0.0.1:9878 for the real-time web dashboard.

Setup Guides

Claude Code (Direct SSE)

The simplest setup. Add to your MCP config:

{
  "mcpServers": {
    "burp": {
      "type": "sse",
      "url": "http://127.0.0.1:9876/sse"
    }
  }
}

Config file locations:

Global: ~/.claude.json
Per-project: .mcp.json in project root

Claude Code via Caddy (Recommended for Stability)

Caddy prevents SSE timeout disconnections and provides reliable buffering.

Install Caddy:

sudo apt install caddy

Create /etc/caddy/Caddyfile:

:9900 {
    reverse_proxy 127.0.0.1:9876 {
        transport http {
            read_timeout 0
            write_timeout 0
            response_header_timeout 0
        }
        flush_interval -1
        header_up Connection {>Connection}
        header_up Upgrade {>Upgrade}
    }
}

sudo systemctl restart caddy

Then use port 9900 in your MCP config:

{
  "mcpServers": {
    "burp": {
      "type": "sse",
      "url": "http://127.0.0.1:9900/sse"
    }
  }
}

Pre-built Caddyfile included: configs/Caddyfile

Claude Desktop (stdio via proxy)

Claude Desktop only supports stdio transport. Use supergateway as a bridge:

{
  "mcpServers": {
    "burp": {
      "command": "npx",
      "args": ["-y", "supergateway", "--sse", "http://127.0.0.1:9876/sse"]
    }
  }
}

Automated Setup Script

chmod +x configs/setup.sh
./configs/setup.sh
`

... [View full README on GitHub](https://github.com/Cy-S3c/BurpMCP-Ultra#readme)

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

55/100across 5 weighted dimensions

How we score →

0255075100

−45

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Inventory

Tools (54)

Click any tool to inspect its schema.

~2.3k tokens total

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is BurpMCP Ultra safe to use?: BurpMCP Ultra has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install BurpMCP Ultra?: BurpMCP Ultra supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can BurpMCP Ultra do?: BurpMCP Ultra provides 54 tools: proxy_history, proxy_history_search, proxy_websocket_history, proxy_websocket_history_search, proxy_intercept_enable and 49 more. See the full tools list on the server page for descriptions and parameters.
What AI clients work with BurpMCP Ultra?: BurpMCP Ultra is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.
Is BurpMCP Ultra actively maintained?: BurpMCP Ultra is recently maintained — last commit was 57 days ago. It has 34 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Mcpki Server92

mcpki-server is the backend infrastructure for https://www.mcpki.org, enabling secure public key management and autonomous certificate handling for large language models (LLMs).

MCP Security Weekly

Get CVE alerts and security updates for BurpMCP Ultra and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?