When using send_to_intruder, the tool injects additional headers (Connection: keep-alive and a duplicate Host header) after the blank line that separates headers from body, resulting in malformed HTTP requests that return 400 Bad Request.
Environment:
- Burp Suite Professional v2025.12.3
- MCP Server extension (latest from BApp Store)
Steps to Reproduce:
- Use MCP client to call send_to_intruder with a valid HTTP request:
POST /login2 HTTP/1.1
Host: example.web-security-academy.net
Cookie: verify=carlos; session=xxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

mfa-code=0000
- Open the created Intruder tab (looks correct here)
- Start the intruder attack
Expected Result:
Requests maintain proper HTTP format with headers, blank line, then body.
Actual Result:
POST /login2 HTTP/1.1
Host: example.web-security-academy.net
Cookie: verify=carlos; session=xxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
← blank line
Connection: keep-alive ← INJECTED AFTER SEPARATOR
Host: example... ← DUPLICATE HOST HEADER
mfa-code=0000
Impact:
All Intruder attacks using requests created via MCP return 400 Bad Request, making the send_to_intruder tool unusable.
Note: create_repeater_tab does NOT have this issue - only send_to_intruder is affected.
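
A framing check for the malformed request described in this report, as an added example that is not part of the original report or of the MCP Server extension's code. The function name `check_request` and both sample requests are constructed here from the request text shown above; the header-like-line test is a heuristic.

```python
import re

# RFC 9110 field-name token followed by a colon (heuristic for "looks like a header").
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")

def check_request(raw: bytes) -> list[str]:
    """Return the framing problems found in a raw HTTP/1.1 request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line separating headers from body"]
    problems, headers = [], {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the request line
        m = HEADER_LINE.match(line)
        if not m:
            problems.append(f"malformed header line: {line!r}")
            continue
        headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    for name in ("host", "content-length"):
        if len(headers.get(name, [])) > 1:
            problems.append(f"duplicate {name} header")
    # Content-Length must equal the number of bytes after the separator.
    cl = headers.get("content-length")
    if cl and cl[0].isdigit() and int(cl[0]) != len(body):
        problems.append(f"Content-Length {cl[0]} != body length {len(body)}")
    # Header-shaped lines at the start of the body indicate headers that were
    # written after the separator instead of before it.
    for line in body.decode("latin-1").split("\r\n"):
        m = HEADER_LINE.match(line)
        if not m:
            break
        dup = " (duplicates a real header)" if m.group(1).lower() in headers else ""
        problems.append(f"header-like line inside body: {m.group(1)}{dup}")
    return problems

# Constructed samples: the request from the report, then the same request with
# the two extra lines placed after the blank line as in "Actual Result".
HEAD = (b"POST /login2 HTTP/1.1\r\n"
        b"Host: example.web-security-academy.net\r\n"
        b"Cookie: verify=carlos; session=xxx\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 13\r\n\r\n")
GOOD = HEAD + b"mfa-code=0000"
BAD = (HEAD + b"Connection: keep-alive\r\n"
       b"Host: example.web-security-academy.net\r\nmfa-code=0000")

if __name__ == "__main__":
    for name, req in (("expected", GOOD), ("actual", BAD)):
        print(name, check_request(req) or "OK")
```

Running the same check over requests captured from the Intruder attack (for example via a logging proxy) confirms whether a build still emits the misplaced lines.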