BurpMCP (swgee) — agentic threat model

AIVSS 8.5 · High

BurpMCP acts as a highly privileged bridge between autonomous LLMs and local web-application testing environments, presenting significant risk of unauthorized local network scanning, data exfiltration, or destructive testing if the driving model is compromised or manipulated.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.92 · Factor sum 5.6/10 · Threat ×1.1 · Mitigation ×0.9

Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.30
Non-Determinism: 0.80
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the agent relies on external client-side models (e.g., Claude Desktop, Cursor), which are susceptible to prompt injection, adversarial reprogramming, and misaligned outputs that could trigger unintended offensive actions via the proxy.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — the agent processes live HTTP/S traffic, request/response history, and local project state, but the listing does not specify how this data is stored, vectorised, or protected against local data exfiltration.

L3 · Agent Frameworks · ✓ mapped

The agent framework exposes Burp Suite's powerful intercepting-proxy capabilities as MCP tools. This introduces severe tool misuse risks, where an LLM could be manipulated into executing unauthorized web attacks, scanning internal hosts, or leaking sensitive session tokens.

L4 · Deployment & Infrastructure · ✓ mapped

The agent runs locally as a Burp extension and MCP server. It inherits the host's network privileges and lacks sandboxing, meaning a compromised model could perform lateral movement or access local loopback services.

L5 · Evaluation & Observability · ✓ mapped

The listing highlights 'visibility' and manual workflow augmentation, suggesting the user can monitor actions in real time via Burp Suite or the MCP client, though automated guardrails or execution-blocking policies are not explicitly detailed.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — as an open-source offensive security tool, it lacks built-in enterprise compliance controls, relying entirely on the operator's local environment security and manual oversight.

L7 · Agent Ecosystem · ✓ mapped

Integrates directly with developer ecosystems like Cursor and Claude Desktop. Vulnerabilities or malicious extensions within these host ecosystems could abuse the BurpMCP trust relationship to execute arbitrary web requests.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).