Add Burp Suite integration#650
Conversation
| ignoreTlsErrors: | ||
| sessionConfig.ignoreTlsErrors ?? userConfig?.ignoreTlsErrors, | ||
| }; | ||
| } |
Duplicated mergeBurpSuiteConfig across CLI and TUI
Medium Severity
mergeBurpSuiteConfig is copy-pasted identically in src/cli.ts and src/tui/command-registry.ts. This duplicated logic increases maintenance burden — a bug fix or field addition in one copy can easily be missed in the other. The function could live in a shared utility (e.g., alongside resolveBurpSuiteConfig in burpConfig.ts) and be imported from both call sites.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 62879d2.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 3 total unresolved issues (including 1 from previous review).
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit afd00f7.
| ); | ||
| } | ||
| } | ||
| } |
MCP client reuses same instance for SSE fallback
Medium Severity
In connectHttp, when the Streamable HTTP transport fails, the same client instance is reused for the SSE fallback via client.connect(sse). The MCP SDK Client may retain internal state from the first failed connect() call, potentially causing the SSE fallback to fail or behave unexpectedly. A fresh Client instance is likely needed for the retry.
Reviewed by Cursor Bugbot for commit afd00f7.
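The transport fallback the comment above describes, written as an added example rather than the PR's connectHttp: every attempt builds its own client and transport, so whatever a failed connect() leaves behind in the first client cannot affect the SSE retry. The McpClient and Transport interfaces here are simplified stand-ins for the MCP SDK types (the SDK's Client.connect(transport) has the same shape), FakeClient is a constructed stand-in that refuses a second connect() to make retained state observable, and the timeout helper is an assumption about how the PR's "timeouts/fallbacks" might be wired.

```typescript
// Added example, not the PR's code: try MCP transports in order with a fresh
// client per attempt. Interfaces are simplified stand-ins for the MCP SDK types.

export interface Transport { readonly kind: string }
export interface McpClient { connect(t: Transport): Promise<void> }

// One candidate transport plus factories, so each attempt gets its own objects.
export interface Attempt {
  kind: string;
  makeClient: () => McpClient;
  makeTransport: () => Transport;
}

export interface ConnectResult { client: McpClient; kind: string; errors: string[] }

// Reject if connect() does not settle within ms (hypothetical helper).
async function withTimeout<T>(p: Promise<T>, ms: number, label: string): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label}: connect timed out after ${ms}ms`)), ms);
  });
  try {
    return await Promise.race([p, timeout]);
  } finally {
    clearTimeout(timer);
  }
}

export async function connectWithFallback(attempts: Attempt[], timeoutMs: number): Promise<ConnectResult> {
  const errors: string[] = [];
  for (const attempt of attempts) {
    const client = attempt.makeClient();       // never reuse a client across attempts
    const transport = attempt.makeTransport();
    try {
      await withTimeout(client.connect(transport), timeoutMs, attempt.kind);
      return { client, kind: attempt.kind, errors };
    } catch (e) {
      errors.push(`${attempt.kind}: ${(e as Error).message}`);
    }
  }
  throw new Error(`all MCP transports failed: ${errors.join("; ")}`);
}

// Constructed fake client: it refuses a second connect() call, standing in for
// whatever internal state a real client keeps after a failed attempt.
export class FakeClient implements McpClient {
  private used = false;
  private readonly unreachable: string;
  constructor(unreachable: string) {
    this.unreachable = unreachable;
  }
  async connect(t: Transport): Promise<void> {
    if (this.used) throw new Error("client instance already used");
    this.used = true;
    if (t.kind === this.unreachable) throw new Error(`${t.kind} endpoint unreachable`);
  }
}

// Scenario: Streamable HTTP is down, SSE works. With a fresh client per
// attempt the fallback succeeds and the chosen transport is "sse".
export async function demoFreshClients(): Promise<string> {
  const attempts: Attempt[] = [
    { kind: "streamable-http", makeClient: () => new FakeClient("streamable-http"), makeTransport: () => ({ kind: "streamable-http" }) },
    { kind: "sse", makeClient: () => new FakeClient("streamable-http"), makeTransport: () => ({ kind: "sse" }) },
  ];
  const result = await connectWithFallback(attempts, 1000);
  return result.kind;
}

// Same scenario with one shared client, as in the reviewed connectHttp: the
// SSE fallback now fails for a reason unrelated to the SSE endpoint.
export async function demoSharedClient(): Promise<string> {
  const shared = new FakeClient("streamable-http");
  const attempts: Attempt[] = [
    { kind: "streamable-http", makeClient: () => shared, makeTransport: () => ({ kind: "streamable-http" }) },
    { kind: "sse", makeClient: () => shared, makeTransport: () => ({ kind: "sse" }) },
  ];
  try {
    await connectWithFallback(attempts, 1000);
    return "connected";
  } catch (e) {
    return (e as Error).message;
  }
}
```

With the real SDK the two factories would be `() => new Client({ name, version })` and `() => new StreamableHTTPClientTransport(url)` / `() => new SSEClientTransport(url)`; the loop itself does not change. Collecting every attempt's error into the final message matters operationally: when both transports fail, the operator sees why each one failed rather than only the last error.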
| const regex = getFlag("--regex", args); | ||
| const effectiveRegex = regex | ||
| ? `(?=.*(?:${targetHost}))(?=.*(?:${regex}))` | ||
| : targetHost; |
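Review bot: targetHost is interpolated into the lookahead pattern unescaped, so dots in an IP address or hostname act as wildcards and the history filter can match entries for unrelated hosts; escape it before building effectiveRegex, and in the no-regex branch as well, where targetHost is used as the whole pattern. The user-supplied regex value should also be compiled on its own first, so that a malformed --regex produces a clear usage error instead of an exception from the combined pattern.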
User-supplied regex not escaped in proxy history
Low Severity
In runProxyHistory, the --regex flag value is interpolated into a lookahead pattern without escaping, while targetHost is also unescaped. A target URL containing regex metacharacters (e.g., IP addresses with dots) will produce an incorrect or overly broad regex match against Burp proxy history.
Reviewed by Cursor Bugbot for commit afd00f7.
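A hardened version of the pattern construction from the comment above, as an added example that is not the PR's code: the target host is escaped so it matches literally, the user's --regex is compiled on its own before being combined, and the result is run over a few constructed proxy-history lines (not real Burp data). The function names, the sample entries and the string form of the history entries are assumptions made for the example.

```typescript
// Added example, not the PR's code: build the proxy-history filter so the
// target host matches literally while --regex is still treated as a regex.

// Escape every ECMAScript regex metacharacter so the host is matched verbatim.
export function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile the user-supplied --regex alone first: a malformed value should be
// reported as a usage error, not as a failure of the combined pattern.
export function validateUserRegex(regex: string): void {
  try {
    new RegExp(regex);
  } catch (e) {
    throw new Error(`--regex is not a valid regular expression: ${(e as Error).message}`);
  }
}

// Hypothetical counterpart to the PR's effectiveRegex. With --regex given, both
// lookaheads must hold: the entry mentions the literal host AND matches the
// user's pattern. Without it, the escaped host alone is the filter.
export function buildProxyHistoryPattern(targetHost: string, regex?: string): RegExp {
  const host = escapeRegExp(targetHost);
  if (!regex) {
    return new RegExp(host);
  }
  validateUserRegex(regex);
  return new RegExp(`(?=.*(?:${host}))(?=.*(?:${regex}))`);
}

// Apply the filter to one-line history entries (constructed format).
export function filterHistory(entries: string[], targetHost: string, regex?: string): string[] {
  const pattern = buildProxyHistoryPattern(targetHost, regex);
  return entries.filter((entry) => pattern.test(entry));
}

// Constructed sample history, not real proxy data. The third entry is the
// false positive an unescaped "10.0.0.1" (dots as wildcards) would accept.
export const SAMPLE_HISTORY: string[] = [
  "GET http://10.0.0.1/login",
  "POST http://10.0.0.1/api/token",
  "GET http://10x0y0z1.example/login",
  "GET http://example.com/login",
];
```

Filtering SAMPLE_HISTORY for "10.0.0.1" returns only the two entries for that host, and adding --regex "login" narrows it to the first; an invalid pattern such as "(" is rejected before the combined regex is ever built.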
@cursoragent rebase and babysit this PR until it passes
Add Burp Suite proxy and MCP support across CLI, TUI, agent tooling, and docs so pentest flows can pair browser traffic with Burp context.
Made-with: Cursor
Co-authored-by: KeremP <kerem@pensarai.com>
0ff0299 to fb3e740
Summary
Medium Risk
Medium risk: introduces new network/MCP client plumbing, proxies agent traffic through Burp, and expands tool surface area, which could affect request routing/timeouts and exposure of sensitive proxy data if misconfigured.
Overview
Adds first-class Burp Suite pairing for pentest workflows, including new --burp* flags that enable proxying and attach Burp MCP access to pentest/targeted-pentest sessions.
Introduces a new pensar burp CLI with commands to view/configure integration state and run common helpers (status, tools, proxy-history, repeater, send), persisting user settings under ~/.pensar/config.json.
Expands the agent toolset with Burp MCP-backed tools (history, repeater/intruder handoff, request sending, collaborator, intercept, scanner issues), filters them unless Burp is enabled, and adds safety controls (scope enforcement, local-endpoint warnings, sensitive-header redaction, config-mutation blocking by default).
Updates HTTP and browser tooling to optionally route traffic through the configured Burp proxy (including TLS-ignore support), adds a generic MCP client supporting SSE/stdio with timeouts/fallbacks, and updates docs/tests to cover the new integration.
Reviewed by Cursor Bugbot for commit 62879d2. Bugbot is set up for automated code reviews on this repo.