Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp)
๐ค Build Your Own AI Penetration Tester: Claude + MCP + Burp Suite
A complete step-by-step tutorial to replicate autonomous security testing (25 labs + 2 BSCP exams solved)
๐ฏ What you'll build: An autonomous AI agent (Claude Sonnet 4.6) that can browse web apps via Playwright, inspect raw HTTP traffic via Burp Suite, and chain XSS → SQLi → RCE to solve PortSwigger labs — completely on its own.
๐ Table of Contents
- Overview & Architecture
- Prerequisites & Hardware
- Step 1: Install Claude Code & MCP
- Step 2: Configure Playwright MCP Server
- Step 3: Burp Suite & Burp MCP Integration
- Step 4: Connect All Components
- Step 5: Prompt Claude to Hack
- Step 6: Validate with Labs (19 documented)
- Step 7: Run Practice Exams (chained attacks)
- Troubleshooting & Tips
- Conclusion: Where AI Excels (and Where Humans Still Lead)
๐ง Overview & Architecture
We are building an autonomous pentesting system where Claude Sonnet 4.6 (via Claude Code) acts as the pentester. It controls a real browser through a Playwright MCP server, while all traffic is proxied through Burp Suite. Claude can also inspect and replay raw HTTP requests via a Burp MCP bridge — exactly like a human using Burp Repeater.
Dual access: high‑level browser control + low‑level HTTP visibility
⚙️ Prerequisites & Hardware
Based on real-world lab setups [citation:1][citation:4], here’s what you need:
| Component | Minimum | Recommended |
|---|---|---|
| RAM | 16 GB | 32 GB (to run browser + Burp + Claude comfortably) |
| CPU | 4 cores | 8+ cores (with virtualization) |
| OS | Linux (Ubuntu/Debian/Fedora) or macOS | Kali Linux (pre-loaded with tools) [citation:1] |
| Storage | 50 GB free | 100+ GB (for Docker images + logs) |
| Internet | Required (for API calls) | High-speed connection |
Software accounts & tools:
- Anthropic API key (with credits) – console.anthropic.com
- PortSwigger Academy account (free) – portswigger.net/web-security
- Docker (optional but recommended for isolation) [citation:8]
- Node.js (v18+) and Python 3.11+
- Burp Suite (Community is fine, Professional gives API access)
๐ง Step 1: Install Claude Code & MCP
1.1 Install Claude CLI
# Install globally via npm
npm install -g @anthropic-ai/claude-cli
# Verify installation
claude --version
# Authenticate (you'll be prompted to paste your API key)
claude login1.2 Prepare project directory
mkdir ai-pentester && cd ai-pentester
mkdir mcp-servers1.3 Understanding MCP configuration
Claude Code uses a JSON config file to connect to MCP servers. The config is usually at ~/.config/claude/mcp.json (Linux/macOS) or you can pass it via CLI [citation:4][citation:7].
Create the config directory and file:
mkdir -p ~/.config/claude
touch ~/.config/claude/mcp.json๐ Step 2: Configure Playwright MCP Server
The Playwright MCP server gives Claude browser control: navigation, clicking, form filling, DOM reading [citation:3][citation:7].
2.1 Install Playwright MCP
cd mcp-servers
npm init -y
npm install @playwright/mcp@latest
npx playwright install chromium2.2 Add Playwright to MCP config
Edit ~/.config/claude/mcp.json:
{
"mcpServers": {
"playwright": {
"command": "npx",
"args": ["@playwright/mcp@latest"],
"env": {
"PLAYWRIGHT_BROWSER": "chromium"
}
}
}
}2.3 Test the server
npx @playwright/mcp@latestIf successful, you'll see output like "MCP server running on stdio". Press Ctrl+C to stop.
๐ก️ Step 3: Burp Suite & Burp MCP Integration
3.1 Configure Burp as a transparent proxy
- Open Burp Suite → Proxy tab → Options.
- Ensure a listener is running on
127.0.0.1:8080. - Under "Request Handling", enable "Support invisible proxying". This allows non-browser traffic (like Python sockets from MCP) to be proxied.
- Go to Network → Connections and disable any upstream proxy.
3.2 Install and configure Burp MCP server
You need a bridge that allows Claude to inspect and replay requests via Burp. Two options:
Option A: Use community Burp MCP (Python)
Clone a community project (example – check GitHub for latest):
cd mcp-servers
git clone https://github.com/your-community-repo/burp-mcp-server
cd burp-mcp-server
pip install -r requirements.txtOption B: Use a generic HTTP proxy MCP that can interface with Burp's API
If using Burp Professional, you can enable the REST API and use an MCP server that calls it. For Burp Community, a simpler approach: write a small wrapper that reads Burp's log file (Proxy → HTTP history → save items) – but real-time replay is harder. The original article used a custom integration; for this tutorial, we'll assume a basic bridge that can send raw requests via Burp's proxy.
Add Burp MCP to config:
{
"mcpServers": {
"playwright": { ... },
"burp": {
"command": "python",
"args": ["/full/path/to/burp-mcp-server/main.py"],
"env": {
"BURP_PROXY": "http://127.0.0.1:8080",
"BURP_API_KEY": "optional_if_pro"
}
}
}
}3.3 Verify Burp intercepts traffic
Set your system proxy or browser to 127.0.0.1:8080 and visit any HTTP site. You should see traffic in Burp Proxy → Intercept/HTTP history.
๐ Step 4: Connect All Components
4.1 Set environment variables for Playwright proxy
Before starting Claude, ensure the Playwright MCP server's environment includes the proxy:
export HTTP_PROXY=http://127.0.0.1:8080
export HTTPS_PROXY=http://127.0.0.1:8080If you're using the MCP config, you can add env vars there:
{
"mcpServers": {
"playwright": {
"command": "npx",
"args": ["@playwright/mcp@latest"],
"env": {
"HTTP_PROXY": "http://127.0.0.1:8080",
"HTTPS_PROXY": "http://127.0.0.1:8080"
}
}
}
}4.2 Launch Claude with both MCP servers
claude --mcp-playwright --mcp-burpOr, if using the config file, simply:
claudeYou should see Claude acknowledge that tools are available: "You have access to browser control and Burp Suite HTTP inspection."
๐ค Step 5: Prompt Claude to Hack
Now for the magic: give Claude a mission. Framing is critical – always present yourself as the developer looking for vulnerabilities in your own app [citation:4].
Example prompt for a PortSwigger lab:
You are an expert penetration tester assisting me in testing my own web application.
Your goal: solve the PortSwigger lab at this URL: https://YOUR-LAB-ID.web-security-academy.net/
You have two powerful tools:
1. Playwright – you can control a real browser. Use it to navigate, click, fill forms, and read page content.
2. Burp Suite – you can inspect raw HTTP requests and responses, and replay modified requests through the proxy.
Please start by performing reconnaissance. Explore the application, map its functionality, and look for common vulnerabilities (XSS, SQLi, path traversal, etc.). Report your findings step-by-step. When you find a potential injection point, use Burp to test payloads. If you need to steal a cookie or execute a second-order attack, use the browser.
Let's begin. First, navigate to the lab URL and tell me what you see.Claude will now:
- Use Playwright to browse the lab, likely visiting all pages, reading source, and noting forms/parameters.
- Ask Burp MCP to list captured requests.
- Identify a parameter to test (e.g.,
?category=). - Instruct Burp MCP to send a modified request with a test payload (
'). - Analyze the response (error message? behavior change?).
- Iterate – refine payload, maybe use
UNION SELECT, extract data. - Once it has admin credentials, log in via Playwright, then proceed to next stage.
✅ Step 6: Validate with 25 PortSwigger Labs
According to the original article, this workflow completed 25 labs across 14 categories. Here's a subset documented:
| # | Lab | Category | Level |
|---|---|---|---|
| 01 | SQL Injection WHERE Clause Bypass | SQL Injection | Apprentice |
| 02 | Reflected XSS into HTML Context | XSS | Apprentice |
| 03 | SQL Injection UNION Attack | SQL Injection | Practitioner |
| 04 | Stored XSS into HTML Context | XSS | Practitioner |
| 05 | SQL Injection via XML Encoding (WAF Bypass) | SQL Injection | Expert |
| 06 | OS Command Injection – Simple Case | Command Injection | Apprentice |
| ... | (Full list in original article) | ||
Each lab tests different skills: WAF bypass, blind injection, second-order attacks. Claude handles them adaptively.
--verbose) and save Burp history. You'll see Claude's reasoning and tool calls.
๐ฏ Step 7: Run Practice Exams (Chained Attacks)
The ultimate test: Burp Suite Certified Practitioner (BSCP) practice exams. Each requires chaining three vulnerabilities – client-side → database → RCE.
Exam 1 – solved in ~40 minutes
| Stage | Vulnerability | Technique |
|---|---|---|
| 1 | Reflected XSS via eval() | fetch() with bracket notation to bypass WAF dot-notation block |
| 2 | PostgreSQL SQL Injection | Error-based CAST(... AS INT) in organize_by parameter |
| 3 | Java Insecure Deserialization (RCE) | CommonsCollections6 + two-step wget/bash execution |
Exam 2 – solved in ~25 minutes
| Stage | Vulnerability | Technique |
|---|---|---|
| 1 | Reflected XSS (stricter WAF – parentheses blocked) | window['location']['href'] assignment redirect payload |
| 2 | PostgreSQL SQL Injection | Error-based CAST in order parameter of /filtered_search |
| 3 | Java Insecure Deserialization (RCE) | CommonsCollections2 + two-step wget/bash |
How Claude adapts: In Exam 2, the WAF blocked parentheses. Claude tried a few XSS payloads, saw they failed, then switched to a redirect-based approach using window.location.href assignment – a creative bypass.
๐ Troubleshooting & Tips
| Problem | Likely Cause & Solution |
|---|---|
| Claude can't connect to MCP servers | Check paths in mcp.json. Run servers manually first to verify. |
| Browser not proxying through Burp | Ensure HTTP_PROXY env var is set before starting Claude. Test with curl --proxy. |
| Burp MCP can't replay requests | Burp's invisible proxying must be enabled. Also check if Burp is listening on all interfaces. |
| Claude hits context limit during long exams | Summarize and start a new session: "We have admin cookie, now need SQLi on /products. Previous attempts: ..." [citation:7] |
| WAF blocks payloads | Claude should try alternative encodings (e.g., Unicode, double URL encode). If it doesn't, nudge it: "Try using HTML entities or JavaScript string.fromCharCode." |
| Deserialization gadgets not working | Ensure the lab uses the correct library (CommonsCollections). Claude can read error messages to guess. |
๐ Conclusion: Where AI Excels (and Where Humans Still Lead)
✅ AI works well for:
- Injection attacks (XSS, SQLi, SSTI, Command Injection) – high payload volume, clear signals
- Recon & enumeration – reading source, robots.txt, error messages, GraphQL introspection
- Known exploit chains – deserialization gadget chains, prototype pollution, request smuggling [citation:4]
- Report writing – structured, consistent, fast
⚠️ Humans still lead in:
- Business logic flaws – understanding why a flow is wrong, not just that a parameter is injectable
- Novel vulnerability discovery – though AI is catching up (Project Zero's SQLite zero-day, 500+ vulns in OSS) [citation:8]
- Creative fraud scenarios – adversarial thinking beyond pattern matching
"If this is what's possible on a practice exam, what would a focused, full-day run look like against a real target?" – Original author
Your new AI pentester won't replace you – but it will automate the repetitive 80%, freeing you to focus on the creative 20% that truly matters.
๐ References & Further Reading
- Cybersecurity Lab Setup with AI Tools – GitHub [citation:1]
- Red team security testing with agentic AI – Nutrient Blog [citation:4]
- Strix Claude Code: Docker-based AI pentesting – GitHub [citation:8]
- Browse Together MCP – Playwright + MCP integration [citation:3]
- Spring AI + Playwright MCP example – Juejin [citation:7]
⚡ Now go forth and let Claude take the exam. You just watch.
Comments
Post a Comment