Ctrlk

🏠Introduction

Burp Bounty Pro is a powerful Burp Suite extension that allows security researchers and bug bounty hunters to create custom scan profiles for detecting vulnerabilities in web applications. It extends Burp Suite's scanning capabilities by letting you define custom payloads, match conditions, and detection rules β€” without writing any code.

✨ Key Features

  • πŸ€– AI Scanner β€” AI-powered analysis that identifies attack surfaces, correlates parameters with vulnerability types, detects technologies, and auto-launches the right scan profiles. Supports OpenAI, Anthropic, Google Gemini, OpenRouter, and local models (Ollama)

  • 🎯 Custom Active Scanning β€” Define payloads and match patterns to detect vulnerabilities like XSS, SQLi, SSRF, RCE, path traversal, and more

  • πŸ‘οΈ Passive Scanning with Tag-Based Launching β€” Analyze requests and responses passing through Burp Suite. Launch passive scans by tag to run only the checks you need (e.g., only security headers, only secret detection)

  • 🧠 Smart Scan (Rules) β€” Create IF-THEN rules that automatically trigger active scans when specific passive conditions are detected

  • πŸ”— Multi-Step Profiles β€” Chain multiple scanning steps together with cookie reuse and sequential execution for complex attack scenarios

  • πŸ”€ Global Variables β€” Use dynamic variables like {REDIRECT_DOMAIN}, {BC}, {CURRENT_HOST} in payloads and match patterns

  • πŸ“¦ 256 Default Profiles β€” Ready-to-use profiles covering CVEs, common vulnerabilities, technology detection, and sensitive data exposure

  • πŸ“‹ 28 Default Rules β€” Pre-configured Smart Scan rules for automated vulnerability detection workflows

  • πŸ” Flexible Match Types β€” Simple string, regex, payload reflection, response variations, content length differences, HTTP response codes, time-based detection, and Burp Collaborator integration

  • πŸ“ 30+ Insertion Point Types β€” URL parameters, body parameters, cookies, JSON keys/values, XML, HTTP headers, URL path components, and more

  • πŸ”Ž Scan Scope β€” Per-profile scan scope: per-URL (default) or per-host for path discovery and fixed-path CVE profiles

  • ⚑ Per-Scan Performance Settings β€” Configure threads, concurrency, and requests per second independently for each scan

  • ⏸️ Pause & Resume β€” True thread-safe pause/resume that preserves full scan state. Paused time is excluded from scan duration.

  • 🏷️ Tags System β€” Organize profiles with tags across all profile types. Tags power the passive scan submenu and Smart Scan rule targeting.

  • πŸ“€ Profile Import/Export β€” Share and reuse profiles across teams with JSON-based .bb profile files

πŸ†• What's New in v3.1.0

  • πŸ€– AI Scanner β€” AI-powered reconnaissance that analyzes parameters, detects technologies, identifies attack surfaces, and auto-launches the right scan profiles. Supports OpenAI, Anthropic, Google Gemini, OpenRouter, and local models (Ollama). Includes programmatic response analysis for reflection context detection and customizable prompts.

  • πŸ”Ž Scan Scope (per-host) β€” New scanScope field in active profiles. Per-URL (default) scans every URL; per-host scans once per host:port, ideal for path discovery and fixed-path CVE profiles.

  • πŸ“Š Redesigned Scanners Tab β€” The Scanner tab is now split into dedicated sub-tabs: Active, Passive, Smart, AI, and Live, each with its own results table, entry controls, and request/response viewers.

  • ⚑ Context-Aware Scanner Settings β€” The URL Filter popup now adapts its settings based on the scan type (Active, Smart, Passive, AI Scanner), showing only relevant options for each.

  • πŸ“¨ Passive & Smart Scanner Tabs β€” Dedicated tabs for monitoring passive scan results and Smart Scan rule matches with real-time entry tracking.

What's New in v3.0.0

  • πŸ”— Multi-step scanning for complex attack chains

  • πŸ”€ Global variables system with user-configurable values

  • ⏱️ Time-based vulnerability detection engine

  • ⚑ Per-scan scanner settings (threads, concurrency, RPS) in the scan popup

  • ⏸️ Pause/resume with PausableThreadPoolExecutor β€” true zero-loss state management

  • 🏷️ Tag-based passive scan launching with Request/Response submenus and profile counts

  • 🏷️ Tags column and Set New Tag on all profile tables (Active, Passive Request, Passive Response)

  • 🎯 Stop-on-first-match optimization for single-step profiles

  • πŸͺŸ Non-modal dialogs, profile duplication, payload/grep markers

  • πŸ”— URL filtering for all scan types

  • πŸ›‘οΈ 30-redirect loop protection and scan timeout detection (with paused time excluded)

πŸš€ Getting Started

Head to the Installation guide to set up Burp Bounty Pro, or jump straight to the Quick Start guide to run your first scan.

πŸ“š Documentation Overview

Section
Description

πŸš€ Quick Start

Run your first scan in 5 minutes

πŸ–₯️ Interface Overview

Understand all tabs and controls

🎯 Active Scan

Active scanning with custom payloads

πŸ‘οΈ Passive Scan

Passive analysis with tag-based launching

🧠 Smart Scan

Automated scanning with IF-THEN rules

πŸ€– AI Scanner

AI-powered analysis and auto-scanning

βš™οΈ Scan Control

Pause/resume, per-scan settings, performance tuning

πŸ“ Profiles

Creating and managing scan profiles

🏷️ Tags

Organizing profiles with tags

πŸ“‹ Rules

Creating Smart Scan rules

πŸ”€ Variables

Global variable reference

βš™οΈ Settings

Configuration options

πŸ“¦ Default Profiles

256 built-in profiles reference

πŸ“‹ Default Rules

28 built-in rules reference

❓ FAQ

Frequently asked questions

NextInstallation

Last updated