Surface MCP HTTP requests in Site Map and normalize Repeater newlines #90
Open
humurabbi wants to merge 1 commit into
send_http1_request and send_http2_request now register the response via api.siteMap().add() after sending. Previously these calls bypassed every visible Burp surface (Proxy History is read-only to extensions, and the existing logToOutput line only recorded host:port). Site Map is the closest writable surface for extension-issued traffic, so users can review requests issued by the MCP under Target > Site map.

The add is gated on HttpRequestResponse.hasResponse() so failed attempts (e.g. HTTP/2 against an HTTP/1.1-only origin, which returns a non-null wrapper with response() == null) do not pollute Site Map with request-only entries. Burp's Logger continues to record those attempts as "communication error", which is the right place for them.

create_repeater_tab now normalizes \n to \r\n before constructing the request, matching send_http1_request. Without this, callers that pass LF-only content (common when an LLM emits a multi-line string) produce garbled requests in the Repeater tab.

Adds tests covering siteMap.add on the success path, the no-add case when sendRequest returns null, the no-add case when the wrapper has no response, and the CRLF normalization in create_repeater_tab.
9be0ae0 to f1079ab
Summary
- send_http1_request and send_http2_request route through api.http().sendRequest(), which bypasses Burp's proxy. Without intervention, MCP-issued requests are invisible to the user — Proxy History is read-only to extensions, and the existing logToOutput line only records host:port. Each tool now calls api.siteMap().add(response) after a successful send so the request/response pair shows up under Target > Site map.
- create_repeater_tab: callers (LLMs in particular) often pass content with bare LF line terminators. The existing code forwarded that straight to HttpRequest.httpRequest, producing a garbled request in the Repeater tab that had to be hand-corrected. create_repeater_tab now applies the same \n → \r\n normalization that send_http1_request already uses (Tools.kt:58).

Test plan
- ./gradlew test passes (16 tests in ToolsKtTest)
- verify { api.siteMap().add(httpResponse) } on the success path of both send_http1_request and send_http2_request
- verify(exactly = 0) { api.siteMap().add(any()) } when sendRequest returns null (no spurious site-map entries on connection failure)
- create repeater tab should normalize line endings test asserts LF-only input is rewritten to CRLF before reaching Repeater

Manual verification
\n line breaks; the resulting tab renders cleanly without manually re-entering carriage returns.
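
The LF-to-CRLF normalization described above, as an added example that is not code from this pull request or from the project. It goes beyond the description in two ways that are assumptions of the example: the rewrite is idempotent on input that is already CRLF, and it is confined to the request line and headers so the body still matches a declared Content-Length. The names toCrlf and normalizeRequest are hypothetical and the sample requests are constructed.

```kotlin
// Added example, not the project's Tools.kt. Function names are hypothetical
// and the sample requests below are constructed for illustration.

/** Rewrites every line ending (CRLF, bare LF, bare CR) to CRLF, idempotently. */
fun toCrlf(text: String): String =
    text.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\r\n")

/**
 * Normalizes the request line and headers to CRLF and leaves the body exactly
 * as the caller wrote it, so a declared Content-Length still matches.
 */
fun normalizeRequest(raw: String): String {
    // The header block ends at the first blank line, whichever terminator was used.
    val boundary = Regex("\r?\n\r?\n").find(raw)
    val head = if (boundary != null) raw.substring(0, boundary.range.first)
               else raw.trimEnd('\r', '\n')   // no blank line: headers only
    val body = if (boundary != null) raw.substring(boundary.range.last + 1) else ""
    return toCrlf(head) + "\r\n\r\n" + body
}

fun main() {
    val samples = listOf(
        "LF only" to "GET /a HTTP/1.1\nHost: example.test\n\n",
        "already CRLF" to "GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "mixed, with body" to
            "POST /b HTTP/1.1\nHost: example.test\r\nContent-Length: 7\n\nx=1\ny=2"
    )
    for ((label, raw) in samples) {
        val out = normalizeRequest(raw)
        val headEnd = out.indexOf("\r\n\r\n") + 4
        // After normalization no LF in the header block may lack a preceding CR.
        val bareLf = Regex("(?<!\r)\n").containsMatchIn(out.substring(0, headEnd))
        // Running the function on its own output must change nothing.
        val idempotent = normalizeRequest(out) == out
        val bodyChars = out.substring(headEnd).length
        println("$label: bareLfInHeaders=$bareLf idempotent=$idempotent bodyChars=$bodyChars")
    }
}
```

A plain replace of \n with \r\n applied to input that is already CRLF would produce \r\r\n, which is why the sketch collapses every terminator to LF first.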