Skill · 1.2k repo stars · updated 2d ago
burp-scan
The burp-scan skill enables Claude Code to operationally control Burp Suite's scanning, testing, and analysis capabilities through MCP tools. Use this skill when you have Burp Suite running with the AI Agent extension enabled and need to programmatically discover web attack surfaces, send test payloads, verify out-of-band interactions via Collaborator, analyze HTTP traffic patterns, or generate vulnerability reports within a Claude Code workflow.
Install in Claude Code

```
git clone --depth 1 https://github.com/six2dez/burp-ai-agent /tmp/burp-scan && cp -r /tmp/burp-scan/skills/burp-scan ~/.claude/skills/burp-scan
```

Then open a new Claude Code session; the skill loads automatically.
Definition
SKILL.md
# Burp Scan Skill

Tactical scanning engine for Burp Suite via MCP. Operates Burp's tools programmatically to discover, confirm, and report vulnerabilities.

**Prerequisites**: Burp Suite running with the AI Agent extension loaded and MCP server enabled.

---

## 1. MCP TOOL REFERENCE

Tools organized by scanning action. Tools marked `[unsafe]` require Unsafe Mode enabled. Tools marked `[pro]` require Burp Professional.

### Discover Scope & Attack Surface

| Tool | Purpose |
|---|---|
| `scope_check` | Check if a URL is in scope |
| `site_map` | Browse Burp's site map |
| `site_map_regex` | Search site map by regex |
| `proxy_http_history` | List proxy HTTP history items |
| `proxy_http_history_regex` | Search proxy history by regex |
| `proxy_ws_history` | List WebSocket history |
| `proxy_ws_history_regex` | Search WebSocket history by regex |
| `response_body_search` | Regex search across all response bodies |

### Analyze Traffic

| Tool | Purpose |
|---|---|
| `params_extract` | Extract parameters from a request |
| `find_reflected` | Find reflected parameter values in a response |
| `insertion_points` | List insertion point offsets for a request |
| `request_parse` | Parse raw HTTP request into structured fields |
| `response_parse` | Parse raw HTTP response into structured fields |
| `diff_requests` | Line diff between two requests |

### Send Test Payloads

| Tool | Purpose |
|---|---|
| `http1_request` `[unsafe]` | Send HTTP/1.1 request through Burp and get response |
| `http2_request` `[unsafe]` | Send HTTP/2 request through Burp and get response |
| `repeater_tab` `[unsafe]` | Create a Repeater tab with a request |
| `repeater_tab_with_payload` `[unsafe]` | Create Repeater tab with placeholder replacement |
| `intruder` `[unsafe]` | Send request to Intruder |
| `intruder_prepare` `[unsafe]` | Create Intruder tab with explicit insertion points |

### Out-of-Band (OOB) Verification

| Tool | Purpose |
|---|---|
| `collaborator_generate` | Generate a Burp Collaborator payload (unique subdomain) |
| `collaborator_poll` | Poll for Collaborator interactions (DNS/HTTP callbacks) |

### Encoding & Utility

| Tool | Purpose |
|---|---|
| `url_encode` / `url_decode` | URL encoding/decoding |
| `base64_encode` / `base64_decode` | Base64 encoding/decoding |
| `hash_compute` | Hash text (MD5/SHA1/SHA256/SHA512) |
| `jwt_decode` | Decode JWT header + payload (no signature verification) |
| `decode_as` | Decompress content (gzip/deflate/brotli) |
| `cookie_jar_get` | Read Burp's cookie jar |
| `random_string` | Generate random strings |

### Report Findings

| Tool | Purpose |
|---|---|
| `issue_create` | Create a custom audit issue in Burp's issue list |
| `scanner_issues` `[pro]` | View existing scanner issues |

### Control Burp Scanner

| Tool | Purpose |
|---|---|
| `scan_audit_start` `[pro][unsafe]` | Start a Burp Scanner audit |
| `scan_crawl_start` `[pro][unsafe]` | Start a Burp Scanner crawl |
| `scan_task_status` `[pro]` | Get status of a scan task |

---

## 2. PASSIVE ANALYSIS PROTOCOL

Analyze proxy traffic WITHOUT sending additional requests. This is the first phase of any scan.

### Step 1: Pull Traffic

```
Use proxy_http_history or proxy_http_history_regex to retrieve in-scope traffic.
Filter: exclude static assets (.css, .js, .png, .jpg, .gif, .svg, .ico, .woff, .woff2, .ttf, .eot, .map).
Focus on: HTML, JSON, XML, text responses.
```

### Step 2: Local Pattern Checks (No AI Needed)

Run these deterministic checks on every request/response pair BEFORE any deeper analysis:

**Request Smuggling Indicators**:
- Both `Content-Length` and `Transfer-Encoding: chunked` present
- Multiple `Content-Length` headers with different values
- Severity: Medium, Confidence: 90

**CSRF Absence**:
- State-changing method (POST/PUT/PATCH/DELETE) + cookie-based auth (session/auth/token cookies)
- No CSRF token in parameters or headers, no Origin/Referer header
- No SameSite=Strict/Lax on auth cookies
- Severity: Low, Confidence: 85

**Deserialization Surface**:
- Parameters or body containing Java serialized data markers: `rO0AB` or `aced0005`
- Content-Type: `java-serialized` or `octet-stream` with serialized markers
- Severity: Information, Confidence: 90

**Unrestricted File Upload**:
- Multipart upload with dangerous extension (php, phtml, asp, aspx, jsp, jspx, cgi, py, rb, exe, dll)
- Response 2xx AND response references the uploaded filename
- Severity: Medium, Confidence: 90

### Step 3: Extract Context for Deep Analysis

For each request/response pair, extract:

1. **URL, Method, Status, MIME type**
2. **Request headers** (focus on: Authorization, Cookie, X-API-Key, Content-Type, Origin, Referer, Host, X-Forwarded-For/Host)
3. **Response headers** (focus on: Server, X-Powered-By, Set-Cookie, Access-Control-Allow-Origin, Content-Security-Policy, X-Frame-Options)
4. **Parameters** (name, value, type: URL/BODY/COOKIE/JSON)
5. **Potential Object IDs** in URL path or parameters (numeric IDs, UUIDs, MongoDB ObjectIds)
6. **Auth mechanisms** (session cookies vs Bearer token vs API key)
7. **Tech stack hints** (Server header, X-Powered-By, framework-specific headers)

### Step 4: Analysis Checklist

For each request/response pair, check for:

**Injection**: XSS, SQLi, CMDI, SSTI, SSRF, XXE, NoSQL injection, GraphQL injection
**Auth/Access Control**: IDOR/BOLA, BAC (horizontal/vertical), CSRF, JWT weaknesses
**Information Disclosure**: Secrets in responses, debug endpoints, source code exposure
**Configuration**: CORS misconfiguration, open redirect, missing security headers
**High-Value**: Account takeover paths, cache poisoning, request smuggling, host header injection
**API**: Version bypass, GraphQL introspection enabled

### Step 5: Severity Definitions

| Severity | Examples |
|---|---|
| **Critical** | RCE, authentication bypass, full account takeover |
| **High** | SQLi, stored XSS, SSRF with internal access, deserialization, command injection |
| **Medium** | Reflected XSS, IDOR/BOLA
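The Step 1 filter and the four Step 2 deterministic checks, as an added example that is not the skill's own code: a Python function that takes one raw request/response pair of the kind `proxy_http_history` returns and yields findings with the severities and confidence values the checklist assigns. The static-asset extensions, serialization markers, dangerous upload extensions and auth cookie names are taken from the checklist above; the CSRF token name pattern and the sample traffic are assumptions made here.

```python
import re

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff", ".woff2", ".ttf", ".eot", ".map")
DANGEROUS_EXT = {"php", "phtml", "asp", "aspx", "jsp", "jspx", "cgi", "py", "rb", "exe", "dll"}
JAVA_SER = ("rO0AB", "aced0005")  # base64 / hex magic of a Java serialized stream
AUTH_COOKIE = re.compile(r"session|auth|token", re.I)  # cookie names the checklist treats as auth
CSRF_TOKEN = re.compile(r"csrf|xsrf", re.I)  # assumed token naming; not specified by the checklist

def parse_message(raw: str):
    """Split a raw HTTP message into (start line, [(lowercased name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *rest = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (ln.partition(":") for ln in rest)]
    return first, headers, body

def check_pair(raw_req: str, raw_resp: str) -> list:
    """Apply the Step 1 filter and the four Step 2 checks to one proxy history item."""
    start, hdrs, body = parse_message(raw_req)
    rstart, rhdrs, rbody = parse_message(raw_resp)
    method, path = start.split(" ")[:2]
    if path.split("?")[0].lower().endswith(STATIC_EXT):
        return []  # static asset: excluded from passive analysis
    def get(hs, name): return [v for k, v in hs if k == name]
    findings = []
    # Request smuggling indicators: CL alongside TE: chunked, or conflicting CL values
    cl, te = get(hdrs, "content-length"), get(hdrs, "transfer-encoding")
    if (cl and any("chunked" in v.lower() for v in te)) or len(set(cl)) > 1:
        findings.append(("Request smuggling indicators", "Medium", 90))
    # CSRF absence: state-changing method + auth cookie, no token, no Origin/Referer, no SameSite
    if method in ("POST", "PUT", "PATCH", "DELETE") and AUTH_COOKIE.search(" ".join(get(hdrs, "cookie"))):
        token = CSRF_TOKEN.search(path + body + " ".join(k for k, _ in hdrs))
        samesite = any("samesite=" in v.lower() for v in get(rhdrs, "set-cookie") if AUTH_COOKIE.search(v))
        if not token and not get(hdrs, "origin") and not get(hdrs, "referer") and not samesite:
            findings.append(("CSRF absence", "Low", 85))
    # Deserialization surface: Java serialization markers in path/body, or a serialized content type
    ctype = " ".join(get(hdrs, "content-type")).lower()
    if "java-serialized" in ctype or any(m in path + body for m in JAVA_SER):
        findings.append(("Deserialization surface", "Information", 90))
    # Unrestricted file upload: dangerous extension in a multipart body and a 2xx response echoing the name
    if "multipart/form-data" in ctype and rstart.partition(" ")[2].startswith("2"):
        for fname in re.findall(r'filename="([^"]+)"', body):
            if fname.rsplit(".", 1)[-1].lower() in DANGEROUS_EXT and fname in rbody:
                findings.append(("Unrestricted file upload", "Medium", 90))
    return [{"name": n, "severity": s, "confidence": c} for n, s, c in findings]

# Constructed sample pair (not captured traffic): CL plus TE: chunked, session cookie, no CSRF token.
SAMPLE_REQUEST = ("POST /api/profile HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc\r\nContent-Length: 10\r\n"
                  "Transfer-Encoding: chunked\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nname=alice")
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>saved</p>"
```

Each finding carries the name, severity and confidence that `issue_create` would need; the sample pair trips the smuggling and CSRF checks and nothing else.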