Tools Reference (Detailed)

For category overview and default tool exposure, see MCP Tools Reference.

Burp Control

proxy_intercept

• Title: Set proxy intercept state

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Enables or disables Proxy intercept.

• Input fields:

task_engine_state

• Title: Set task execution engine state

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Sets Burp's task execution engine to paused or running.

• Input fields:

Collaborator

collaborator_generate

• Title: Generate Collaborator payload

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Generates a Burp Collaborator payload.

• Input fields:

collaborator_poll

• Title: Poll Collaborator interactions

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Fetches interactions for a Collaborator secret key.

• Input fields:

Config

project_options_get

• Title: Output project options

• Unsafe: No

• Default enabled: No

• Pro only: No

• Description: Outputs project-level configuration as JSON.

• Input fields: none

project_options_set

• Title: Set project options

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Sets project-level configuration from JSON.

• Input fields:

user_options_get

• Title: Output user options

• Unsafe: No

• Default enabled: No

• Pro only: No

• Description: Outputs user-level configuration as JSON.

• Input fields: none

user_options_set

• Title: Set user options

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Sets user-level configuration from JSON.

• Input fields:

Editor

editor_get

• Title: Get active editor contents

• Unsafe: No

• Default enabled: No

• Pro only: No

• Description: Outputs the contents of the active message editor.

• Input fields: none

editor_set

• Title: Set active editor contents

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Sets the content of the active message editor.

• Input fields:

Issues

issue_create

• Title: Create audit issue

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Creates a custom audit issue in Burp's issue list for AI-discovered findings.

• Input fields:

Extension

status

• Title: Extension status

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Returns basic extension and Burp version status.

• Input fields: none

History

proxy_history_annotate

• Title: Annotate proxy history

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Adds notes/highlights to proxy history items matching a regex.

• Input fields:

proxy_http_history

• Title: Proxy HTTP history

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Displays items within the proxy HTTP history.

• Input fields:

proxy_http_history_regex

• Title: Proxy HTTP history (regex)

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Displays proxy HTTP history items matching a regex.

• Input fields:

proxy_ws_history

• Title: Proxy WebSocket history

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Displays items within the proxy WebSocket history.

• Input fields:

proxy_ws_history_regex

• Title: Proxy WebSocket history (regex)

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Displays WebSocket history items matching a regex.

• Input fields:

response_body_search

• Title: Search response bodies

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Searches response bodies in proxy history using a regex.

• Input fields:

Requests

comparer_send

• Title: Send to Comparer

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Sends one or more items to Burp Comparer.

• Input fields:

diff_requests

• Title: Diff requests

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Produces a line diff between two requests.

• Input fields:

find_reflected

• Title: Find reflected values

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Finds reflected parameter values in a response.

• Input fields:

http1_request

• Title: Send HTTP/1.1 request

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Issues an HTTP/1.1 request and returns the response.

• Input fields:

http2_request

• Title: Send HTTP/2 request

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Issues an HTTP/2 request and returns the response.

• Input fields:

insertion_points

• Title: List insertion points

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Lists insertion point offsets for a request.

• Input fields:

intruder

• Title: Send to Intruder

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Sends a request to Intruder.

• Input fields:

intruder_prepare

• Title: Prepare Intruder tab

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Creates an Intruder tab with explicit insertion points.

• Input fields:

params_extract

• Title: Extract parameters

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Extracts parameters from a request.

• Input fields:

repeater_tab

• Title: Create repeater tab

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Creates a new Repeater tab with the specified HTTP request.

• Input fields:

repeater_tab_with_payload

• Title: Create repeater tab with payload

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Creates a Repeater tab after applying placeholder replacements.

• Input fields:

request_parse

• Title: Parse request

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Parses a raw HTTP request into method, path, headers, parameters, and body.

• Input fields:

response_parse

• Title: Parse response

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Parses a raw HTTP response into status, headers, and body.

• Input fields:

Scanner

scan_audit_start

• Title: Start scanner audit

• Unsafe: Yes

• Default enabled: No

• Pro only: Yes

• Description: Starts a Burp Scanner audit.

• Input fields:

scan_audit_start_mode

• Title: Start scanner audit (mode)

• Unsafe: Yes

• Default enabled: No

• Pro only: Yes

• Description: Starts a scanner audit using active or passive mode.

• Input fields:

scan_audit_start_requests

• Title: Start audit with requests

• Unsafe: Yes

• Default enabled: No

• Pro only: Yes

• Description: Starts an audit and adds HTTP requests.

• Input fields:

scan_crawl_start

• Title: Start crawl

• Unsafe: Yes

• Default enabled: No

• Pro only: Yes

• Description: Starts a Burp Scanner crawl.

• Input fields:

scan_report

• Title: Generate scanner report

• Unsafe: Yes

• Default enabled: No

• Pro only: Yes

• Description: Generates a scanner report to a path.

• Input fields:

scan_task_delete

• Title: Delete scan task

• Unsafe: Yes

• Default enabled: No

• Pro only: Yes

• Description: Deletes a crawl/audit task started via MCP.

• Input fields:

scan_task_status

• Title: Get scan task status

• Unsafe: No

• Default enabled: No

• Pro only: Yes

• Description: Gets status for a crawl/audit task.

• Input fields:

scanner_issues

• Title: Scanner issues

• Unsafe: No

• Default enabled: Yes

• Pro only: Yes

• Description: Displays scanner issues (Burp Pro only).

• Input fields:

Scope

scope_check

• Title: Scope check

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Checks whether a URL is in scope.

• Input fields:

scope_exclude

• Title: Exclude from scope

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Excludes a URL from scope.

• Input fields:

scope_include

• Title: Include in scope

• Unsafe: Yes

• Default enabled: No

• Pro only: No

• Description: Includes a URL in scope.

• Input fields:

Site Map

site_map

• Title: Site map

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Displays items within the Burp site map.

• Input fields:

site_map_regex

• Title: Site map (regex)

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Displays site map items matching a regex.

• Input fields:

Utilities

base64_decode

• Title: Base64 decode

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Base64 decodes the input string.

• Input fields:

base64_encode

• Title: Base64 encode

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Base64 encodes the input string.

• Input fields:

cookie_jar_get

• Title: Cookie jar

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Returns cookies from Burp's cookie jar (values redacted unless privacy is OFF).

• Input fields:

decode_as

• Title: Decode content

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Decodes base64 content using compression codecs (gzip/deflate/brotli).

• Input fields:

hash_compute

• Title: Compute hash

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Computes a hash for input text (MD5/SHA1/SHA256/SHA512).

• Input fields:

jwt_decode

• Title: Decode JWT

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Decodes JWT header/payload without verifying the signature.

• Input fields:

random_string

• Title: Generate random string

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: Generates a random string of specified length and character set.

• Input fields:

url_decode

• Title: URL decode

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: URL decodes the input string.

• Input fields:

url_encode

• Title: URL encode

• Unsafe: No

• Default enabled: Yes

• Pro only: No

• Description: URL encodes the input string.

• Input fields: