cd /news/artificial-intelligence/ai-agent-using-a-burp-style-toolkit-… Β· home β€Ί topics β€Ί artificial-intelligence β€Ί article
[ARTICLE Β· art-49369] src=github.com β†— pub= topic=artificial-intelligence verified=true sentiment=↑ positive

AI Agent using a Burp-style toolkit over MCP

Mulot, an open-source AI agent framework, uses open-weights LLMs like GLM-5.2 to drive a headless Chromium browser with a Burp-style toolkit, achieving 87% on OverTheWire Natas and 73% on Root-Me Web-Server challenges. The system combines a proxy for traffic capture and replay with an in-page JavaScript execution layer, enabling autonomous web penetration testing without frontier models or VM-based agents.

read11 min views2 publishedJul 7, 2026
AI Agent using a Burp-style toolkit over MCP
Image: source

Agentic AI web pentester that drives a browser.

An open-weights LLM (GLM-5.2, Gemma or Qwen) drives a real headless Chromium through a Burp-style toolkit and works a target the way a human pentester would.

No frontier model, no agent running inside a Kali VM.

recon β†’ writes its own JavaScript payload β†’ command injection β†’ flag.

Running only this harness, open-weights GLM-5.2 agents solved 87% of OverTheWire Natas and 73% of Root-Me Web-Server (full tables below).

Real browser, not just HTTP real login flows, JS-heavy apps, and DOM-based XSS.Burp-shaped primitives traffic history, repeater, intruder, passive scan.No frontier API, no agent-in-a-VM Qwen 3.6 27B is workable; GLM-5.2 is the sweet spot.

An agent isn't just a model, the tooling often matters more than the parameter count.

Models have read the security literature, intercepting proxies, request history, site maps, fuzzing an insertion point. Burp, ZAP, mitmproxy, Fiddler their vocabulary and their gestures exists in the corpus the model was trained on.

So mulot shapes the harness to expose exactly those primitives.

mulot splits in two: a proxy that captures and replays every exchange, and a thinking layer that runs the agent's own code inside the target page.

The proxy half

Traffic journal (History): every HTTP exchange lands in an always-on SQLite database, queryable and replayable. Capture goes through the browser's CDP protocol, so HTTPS is read already decrypted no interception certificate, no real MITM. - Request editor (Interceptor/Repeater): rebuild a request from a URL or reseed one from a captured flow, tamper with it, and reissue it, outside the browser's CORS rules. - Http fuzz (Intruder): one marked insertion point, a payload set swapped in turn, and match conditions on status, length, or regex. - Scans (Passive scan): passive and active passes over that same journal and the live DOM.

The thinking half

In-page JavaScript: a JS toolbox runinsidethe page, not on the host. The agent automates from within, the machine that runs it stays out of reach. It injects helper JS libraries into the DOM context and creates its own JavaScript tools for padding-oracle attacks, time-based SQLi, deserialization... - Embedded skills & wordlists: playbooks and wordlists baked into the binary, served on demand by tag. Skills are picked after fingerprinting the target, wordlists, large by nature, never cross the context window they're consumed server-side or iterated in-page.

Playbooks live in the binary (go:embed

over assets/skills/

) and are served by two tools:

list_skills

enumerates the available stacks (php, python, java, nodejs, ...).load_skill

returns theshared workflow with no arguments, or a stack's tailored playbook when you name it (load_skill(["python"])

).

The flow: the model gets the shared workflow up front (so it knows its capabilities before it knows the target), fingerprints the target, then loads the matching stack. Polyglot targets are fine; call it again as more stacks surface. Adding a stack means dropping an assets/skills/<name>/

directory and rebuilding.

go build -o mulot ./cmd/mulot        # build the MCP server binary

python3 agent.py  --provider llamacpp --model qwen3.6-mtp --base http://localhost:8080 \
  "pwn this server http://localhost:4280/login.php and output only id and uname -a command"

export ZAI_API_KEY=...        
python3 agent.py --provider zai --model glm-5.2 "audit http://localhost:8000"

agent.py

is a small single-file harness that drives mulot over stdio MCP and talks to any OpenAI-compatible endpoint with tool calling. Presets: openrouter

, llamacpp

, zai

. The provider is auto-detected from whichever API key is in the environment.

Environment variables:

Variable Effect
MULOT_USER_AGENT
User-Agent sent by http_request /http_fuzz and the browser.
MULOT_HEADLESS
Default headless mode for browser_launch (true /false ).
MULOT_PROXY
Upstream proxy for the browser (HTTP/SOCKS5) and for http_request /http_fuzz (HTTP/HTTPS only, SOCKS5 needs the browser tools).

Running open-weights GLM-5.2 agents against web pentest challenges using only this harness (max 120 steps) produced strong results:

Full results: 34 challenges

challenge tech pwned error
natas0.natas.labs.overthewire.org Information Disclosure βœ…
natas1.natas.labs.overthewire.org Weak client-side protection βœ…
natas2.natas.labs.overthewire.org Directory Listing βœ…
natas3.natas.labs.overthewire.org Information Disclosure (robots.txt + directory listing) βœ…
natas4.natas.labs.overthewire.org Broken Access Control (Referer spoofing) βœ…
natas5.natas.labs.overthewire.org Insecure cookie-based access control βœ…
natas6.natas.labs.overthewire.org Information Disclosure (unprotected .inc file) βœ…
natas7.natas.labs.overthewire.org Local File Inclusion (CWE-22) βœ…
natas8.natas.labs.overthewire.org Reversible encoding (obfuscation) βœ…
natas9.natas.labs.overthewire.org OS Command Injection βœ…
natas10.natas.labs.overthewire.org OS Command Injection (blocklist bypass) βœ…
natas11.natas.labs.overthewire.org Broken Cryptography (static-key XOR) βœ…
natas12.natas.labs.overthewire.org Unrestricted File Upload β†’ RCE βœ…
natas13.natas.labs.overthewire.org Unrestricted File Upload β†’ RCE (magic bytes bypass) βœ…
natas14.natas.labs.overthewire.org SQL Injection (CWE-89, auth bypass) βœ…
natas15.natas.labs.overthewire.org Blind SQL Injection (boolean-based) βœ…
natas16.natas.labs.overthewire.org OS Command Injection ($(...) substitution bypass)
βœ…
natas17.natas.labs.overthewire.org Blind SQL Injection (time-based) βœ…
natas18.natas.labs.overthewire.org Predictable / brute-forceable session ID βœ…
natas19.natas.labs.overthewire.org Predictable session ID (username-embedded) βœ…
natas20.natas.labs.overthewire.org Session data injection (CRLF) βœ…
natas21.natas.labs.overthewire.org Session Fixation (shared session store) βœ…
natas22.natas.labs.overthewire.org Broken Access Control (redirect without exit()) βœ…
natas23.natas.labs.overthewire.org PHP Type Juggling (loose comparison) βœ…
natas24.natas.labs.overthewire.org PHP Type Juggling (strcmp() on array) βœ…
natas25.natas.labs.overthewire.org LFI + Log Poisoning β†’ RCE βœ…
natas26.natas.labs.overthewire.org PHP Object Injection (unserialize) β†’ RCE βœ…
natas27.natas.labs.overthewire.org Auth Bypass (DB truncation + inconsistent sanitization) βœ…
natas28.natas.labs.overthewire.org AES-ECB cut-and-paste on encrypted parameter ❌ session interrupted mid-analysis of the block structure, no flag exported
natas29.natas.labs.overthewire.org OS Command Injection (Perl 2-arg open() , pipe)
βœ…
natas30.natas.labs.overthewire.org SQL Injection (Perl DBI quote() context confusion)
βœ…
natas31.natas.labs.overthewire.org Perl CGI magic-open / upload param confusion (unsolved) ❌ many attempts to abuse <$file> via a duplicated file param, no success in this session
natas32.natas.labs.overthewire.org Perl CGI 2-arg open() pipe RCE (unsolved)
❌ same vuln class as natas29, command-piping attempts unsuccessful
natas33.natas.labs.overthewire.org Undetermined (session interrupted) ❌ stopped after the PHP skill, no exploitation attempted

Full results: 92 challenges

challenge tech pwned error
challenge01.root-me.org/web-serveur/ch1/ Information Disclosure βœ…
challenge01.root-me.org/web-serveur/ch2/ Header manipulation βœ…
challenge01.root-me.org/web-serveur/ch3/ weak password βœ…
challenge01.root-me.org/web-serveur/ch4/ Information Disclosure βœ…
challenge01.root-me.org/web-serveur/ch5/ Broken auth βœ…
challenge01.root-me.org/web-serveur/ch6/ Directory listing βœ…
challenge01.root-me.org/web-serveur/ch7/ Broken access βœ…
challenge01.root-me.org/web-serveur/ch8/ Broken access βœ…
challenge01.root-me.org/web-serveur/ch9/ SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch10/ SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch11/ Backup files βœ…
challenge01.root-me.org/web-serveur/ch12/ LFI via PHP filter βœ…
challenge01.root-me.org/web-serveur/ch13/ Remote File Inclusion βœ…
challenge01.root-me.org/web-serveur/ch14/ Broken auth (SQLi/LDAP) ❌ stuck bypassing auth check, no working payload found
challenge01.root-me.org/web-serveur/ch15/ Directory listing βœ…
challenge01.root-me.org/web-serveur/ch16/ HTTP Digest auth βœ…
challenge01.root-me.org/web-serveur/ch17/ Register globals overwrite βœ…
challenge01.root-me.org/web-serveur/ch18/ SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch19/ SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch20/ LFI filter bypass ❌ couldn't bypass ".." traversal filter, investigation incomplete
challenge01.root-me.org/web-serveur/ch21/ Arbitrary file upload βœ…
challenge01.root-me.org/web-serveur/ch22/ Null byte upload βœ…
challenge01.root-me.org/web-serveur/ch23/ XPath Injection βœ…
challenge01.root-me.org/web-serveur/ch24/ Blind XPath Injection ❌ blind extraction planned but not completed
challenge01.root-me.org/web-serveur/ch25/ LDAP Injection βœ…
challenge01.root-me.org/web-serveur/ch26/ LDAP Injection ❌ blind LDAP extraction incomplete, auth bypass not found
challenge01.root-me.org/web-serveur/ch27/ SQL Injection (addslashes/GBK) ❌ investigation incomplete, no working payload found
challenge01.root-me.org/web-serveur/ch28/ PHP Type Juggling βœ…
challenge01.root-me.org/web-serveur/ch29/ XXE βœ…
challenge01.root-me.org/web-serveur/ch30/ SQL Injection filter bypass βœ…
challenge01.root-me.org/web-serveur/ch31/ SQL Injection (FILE read) βœ…
challenge01.root-me.org/web-serveur/ch32/ Execution After Redirect βœ…
challenge01.root-me.org/web-serveur/ch33/ INSERT SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch34/ SQL Injection error-based βœ…
challenge01.root-me.org/web-serveur/ch35/ Path Truncation ❌ stuck finding truncation payload length
challenge01.root-me.org/web-serveur/ch36/ SQL Truncation βœ…
challenge01.root-me.org/web-serveur/ch37/ preg_replace /e RCE βœ…
challenge01.root-me.org/web-serveur/ch38/ NoSQL Injection βœ…
challenge01.root-me.org/web-serveur/ch39/ JS eval() Injection βœ…
challenge01.root-me.org/web-serveur/ch40/ Time-Based SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch41/ SSTI (FreeMarker) βœ…
challenge01.root-me.org/web-serveur/ch42/ Multibyte SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch43/ LFI (zip wrapper) βœ…
challenge01.root-me.org/web-serveur/ch44/ PHP Type Juggling βœ…
challenge01.root-me.org/web-serveur/ch45/ LFI (WAF bypass) βœ…
challenge01.root-me.org/web-serveur/ch46/ Spring Boot Actuator βœ…
challenge01.root-me.org/web-serveur/ch47/ PHP assert() Injection βœ…
challenge01.root-me.org/web-serveur/ch48/ HTTP Improper Redirect ❌ backend returned 502, unreachable entire session
challenge01.root-me.org/web-serveur/ch49/ Routed SQL Injection ❌ WAF blocked keywords, extraction incomplete
challenge01.root-me.org/web-serveur/ch50/ XSLT Injection ❌ blocked by open_basedir, flag not located
challenge01.root-me.org/web-serveur/ch51/ ZIP Upload Symlink βœ…
challenge01.root-me.org/web-serveur/ch52/ Open Redirect βœ…
challenge01.root-me.org/web-serveur/ch53/ Blind Command Injection βœ…
challenge01.root-me.org/web-serveur/ch54/ Command Injection βœ…
challenge01.root-me.org/web-serveur/ch55/ PHP Type Juggling βœ…
challenge01.root-me.org/web-serveur/ch56/ Client-Side Validation Bypass βœ…
challenge01.root-me.org/web-serveur/ch57/ PHP Code Injection βœ…
challenge01.root-me.org/web-serveur/ch58/ JWT alg:none Bypass βœ…
challenge01.root-me.org/web-serveur/ch59/ Weak JWT Secret βœ…
challenge01.root-me.org/web-serveur/ch60/ JWT Algorithm Confusion βœ…
challenge01.root-me.org/web-serveur/ch61/ Exposed .git Directory βœ…
challenge01.root-me.org/web-serveur/ch62/ File Upload Filter Bypass ❌ stuck bypassing .php extension filter, no working payload found
challenge01.root-me.org/web-serveur/ch63/ JWT Revoked Token ❌ could not crack HS256 secret to forge new token
challenge01.root-me.org/web-serveur/ch64/ IP Spoofing (X-Forwarded-For) βœ…
challenge01.root-me.org/web-serveur/ch65/ Unknown (no data) ❌ log file empty, no test data recorded
challenge01.root-me.org/web-serveur/ch66/ GraphQL Access Control βœ…
challenge01.root-me.org/web-serveur/ch67/ Prototype Pollution ❌ no working bypass found
challenge01.root-me.org/web-serveur/ch68/ IP Spoofing βœ…
challenge01.root-me.org/web-serveur/ch69/ VM2 Sandbox Escape ❌ vm2 escape research incomplete, no working exploit found
challenge01.root-me.org/web-serveur/ch70/ PHP Filter Bypass βœ…
challenge01.root-me.org/web-serveur/ch71/ YAML Deserialization βœ…
challenge01.root-me.org/web-serveur/ch72/ PHAR deserialization ❌ unable to craft valid PHAR
challenge01.root-me.org/web-serveur/ch73/ Blind SSTI ❌ unable to process zip
challenge01.root-me.org/web-serveur/ch74/ Python SSTI βœ…
challenge01.root-me.org/web-serveur/ch75/ File-based Sessions ❌ email confirmation required for registration, unavailable
challenge01.root-me.org/web-serveur/ch76/ Encrypted cookie ❌ registration blocked by anti-abuse filter, no credentials
challenge01.root-me.org/web-serveur/ch77/ GraphQL Introspection βœ…
challenge01.root-me.org/web-serveur/ch78/ GraphQL Injection ❌
challenge01.root-me.org/web-serveur/ch79/ GraphQL SQL Injection βœ…
challenge01.root-me.org/web-serveur/ch80/ YAML Deserialization ❌ IP-gated, registration needs email verification, unavailable
challenge01.root-me.org/web-serveur/ch81/ JWT kid Injection ❌ stuck bypassing kid path-traversal filter, no flag found
challenge01.root-me.org/web-serveur/ch82/ JWT Header Injection βœ…
challenge01.root-me.org/web-serveur/ch83/ wkhtmltopdf SSRF/LFI βœ…
challenge01.root-me.org/web-serveur/ch84/ Weak Flask Secret Key βœ…
challenge01.root-me.org/web-serveur/ch85/ Werkzeug Debugger RCE βœ…
challenge01.root-me.org/web-serveur/ch86/ Second-order SQL Injection ❌ stuck extracting admin password via blind SQLi
challenge01.root-me.org/web-serveur/ch87/ Java Deserialization ❌ stuck building TemplatesImpl RCE gadget chain
challenge01.root-me.org/web-serveur/ch88/ IDOR / Broken Access βœ…
challenge01.root-me.org/web-serveur/ch89/ SSTI Path Traversal βœ…
challenge01.root-me.org/web-serveur/ch90/ API Mass Assignment βœ…
challenge01.root-me.org/web-serveur/ch91/ Weak Secret / IDOR ❌ stuck brute-forcing admin UUID secret, no flag
challenge01.root-me.org/web-serveur/ch92/ Nginx Alias Traversal βœ…

A lot of misses came from mulot's sandbox tooling that couldn't be rewritten in pure in-page JavaScript (specific object serialization, winning race conditions, some crypto operations, cracking, bruteforce, out-of-band channels).

challenge observation

Time-based SQLiIDORWAF BypassUnserializeUploadDVWAmulot is an offensive security tool for authorized testing only: systems you own, engagements you have written permission for, and deliberately vulnerable labs such as OverTheWire, Root-Me, or DVWA. It drives real attacks against whatever target you point it at, so aiming it at a system you do not own or are not explicitly authorized to test is likely illegal and is not a supported use case. You are responsible for staying within scope and within the law. Released under Apache-2.0, with no warranty.

── more in #artificial-intelligence 4 stories Β· sorted by recency
── more on @glm-5.2 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain β€” perfect for shipping the agent you just read about.

$git push zahid main
β†’ Live at https://your-agent.zahid.host βœ“
Get free account β†’ Pricing
from €0/mo Β· no card required
LIVE [news/ai-agent-using-a-bur…] indexed:0 read:11min 2026-07-07 Β· β€”