BurpMCP (swgee) — agentic threat model
BurpMCP acts as a highly privileged bridge between autonomous LLMs and local web-application testing environments, presenting significant risk of unauthorized local network scanning, data exfiltration, or destructive testing if the driving model is compromised or manipulated.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.80 |
| Opacity & Reflexivity | 0.70 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — relies on external client-side models (e.g., Claude Desktop, Cursor) which are susceptible to prompt injection, adversarial reprogramming, and mis-aligned outputs that could trigger unintended offensive actions via the proxy.
Layer 2 (Data Operations): Not certain from the listing — the agent processes live HTTP/S traffic, request/response history, and local project state, but the listing does not specify how this data is stored, vectorised, or protected against local data exfiltration.
Layer 3 (Agent Frameworks): The agent framework exposes Burp Suite's powerful intercepting-proxy capabilities as MCP tools. This introduces severe tool misuse risks, where an LLM could be manipulated into executing unauthorized web attacks, scanning internal hosts, or leaking sensitive session tokens.
Layer 4 (Deployment & Infrastructure): The agent runs locally as a Burp extension and MCP server. It inherits the host's network privileges and lacks sandboxing, meaning a compromised model could perform lateral movement or access local loopback services.
Layer 5 (Evaluation & Observability): The listing highlights 'visibility' and manual workflow augmentation, suggesting the user can monitor actions in real time via Burp Suite or the MCP client, though automated guardrails or execution-blocking policies are not explicitly detailed.
Layer 6 (Security & Compliance): Not certain from the listing — as an open-source offensive security tool, it lacks built-in enterprise compliance controls, relying entirely on the operator's local environment security and manual oversight.
Layer 7 (Agent Ecosystem): Integrates directly with developer ecosystems like Cursor and Claude Desktop. Vulnerabilities or malicious extensions within these host ecosystems could abuse the BurpMCP trust relationship to execute arbitrary web requests.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).