# FAQ

## 🌐 General

### What is the difference between Burp Bounty (free) and Burp Bounty Pro?

Burp Bounty Pro includes:

* 🔗 Multi-step scanning profiles
* 🔧 Global variables system
* ⏱️ Time-based detection engine
* 🧠 Smart Scan with Rules
* ⚡ Per-scan configurable thread pools with pause/resume
* 🏷️ Tag-based passive scan launching
* 🎯 Stop-on-first-match optimization
* 🤖 AI Scanner with multi-provider support
* 🔎 Scan Scope (per-host deduplication)
* 📊 Redesigned Scanners tab with dedicated sub-tabs
* 📦 256 default profiles and 28 default rules
* 🪪 Commercial license and support

### Does Burp Bounty Pro work with Burp Suite Community Edition?

Burp Bounty Pro can be installed on Burp Suite Community Edition, but active scanning capabilities are limited since Community Edition has restricted scanning features. ⚠️ Burp Suite Professional is recommended for full functionality.

### Where are my profiles and settings stored?

💾 Profiles, rules, and settings are stored in Burp Suite's extension settings, which are saved per project. They persist across Burp Suite restarts and extension reloads. To keep a copy outside the project (for backup, version control, or sharing), export the profiles as `.bb` files from the Profiles tab.

***

## 📝 Profiles

### How do I create a new profile?

Go to **Burp Bounty Pro** > **Profiles** tab, select the appropriate category (Active, Passive Request, or Passive Response), and click **Add**. See [Creating Active Profiles](https://docs.bountysecurity.ai/profiles/creating-active-profile) or [Creating Passive Profiles](https://docs.bountysecurity.ai/profiles/creating-passive-profile) for step-by-step guides.

### Can I import/export profiles?

✅ Yes. Select profiles in the table and click **Export** to save as `.bb` JSON files. Click **Import** to load `.bb` files. This is the primary way to share profiles with team members.

### What is the difference between MatchType 1 and MatchType 2?

* **MatchType 1** (AND) ➡️ All grep patterns must match for the issue to be reported
* **MatchType 2** (OR) ➡️ At least one grep pattern must match

### How do I test for time-based vulnerabilities?

⏱️ Set `MatchType` to 5 and configure `TimeOut1` and `TimeOut2` with thresholds in milliseconds. The scanner measures the response time of each payload request and compares it against your thresholds. Set the thresholds well above the target's normal response time and re-test any hit, since network jitter alone can push a slow endpoint over a low threshold. See [Match Types](https://docs.bountysecurity.ai/profiles/match-types).

### What does `NotResponse` do?

🔄 Setting `NotResponse: true` inverts the match logic — the issue is reported when the grep pattern is **NOT** found in the response. This is commonly used for detecting missing security headers.
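The two answers above (AND vs OR, and `NotResponse` inversion) interact in a way that matters for header checks. The Java class below is an added illustration of those semantics, not the extension's own code: it assumes `NotResponse` inverts each grep's result before the AND/OR combination is applied, and treats each grep as a case-insensitive regular expression. The three HTTP responses are constructed samples.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added illustration of MatchType 1/2 combined with NotResponse (not Burp Bounty's source). */
public final class GrepMatcher {

    /**
     * Assumed semantics: each grep is tested against the response, NotResponse inverts
     * that per-grep result, and MatchType 1 ANDs / MatchType 2 ORs the results together.
     */
    public static boolean matches(String response, List<String> greps, int matchType, boolean notResponse) {
        if (matchType != 1 && matchType != 2) {
            throw new IllegalArgumentException("only MatchType 1 (AND) and 2 (OR) are modelled here");
        }
        boolean result = (matchType == 1);          // AND starts true, OR starts false
        for (String grep : greps) {
            boolean found = Pattern.compile(grep, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE)
                                   .matcher(response).find();
            boolean hit = notResponse ? !found : found;   // inversion happens per grep
            result = (matchType == 1) ? (result && hit) : (result || hit);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured traffic.
        String hardened = "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n"
                        + "X-Frame-Options: DENY\r\n\r\n<html></html>";
        String partial  = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n<html></html>";
        String bare     = "HTTP/1.1 200 OK\r\n\r\n<html></html>";

        // Two greps for two security headers, anchored to the start of a header line.
        List<String> greps = List.of("^Content-Security-Policy:", "^X-Frame-Options:");

        System.out.println("response  | AND+NotResponse | OR+NotResponse");
        for (String[] r : new String[][] {{"hardened", hardened}, {"partial", partial}, {"bare", bare}}) {
            boolean andMissing = matches(r[1], greps, 1, true);   // fires only if ALL headers are absent
            boolean orMissing  = matches(r[1], greps, 2, true);   // fires if ANY header is absent
            System.out.printf("%-9s | %-15b | %b%n", r[0], andMissing, orMissing);
        }
    }
}
```

Under these semantics, MatchType 1 with `NotResponse` only reports the response that lacks every listed header (`bare`), while MatchType 2 also reports `partial`. To flag any single missing header, use MatchType 2 or one profile per header.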

### How do multi-step profiles work?

🔗 Multi-step profiles execute a sequence of scanning steps. Each step can have its own payloads, grep patterns, and insertion points. Cookies can be shared between steps using `reuseCookie: true`. See [Multi-Step Profiles](https://docs.bountysecurity.ai/profiles/multi-step-profiles).

### How do I tag passive profiles?

🏷️ All three profile tables (Active, Passive Request, Passive Response) support tagging. Select one or more profiles, right-click, and choose **Set New Tag**. Enter the tag name and it's added to all selected profiles. Tags appear in the Tags column and in the passive scan context menu.

### Do passive profiles have a Tags column like active profiles?

✅ Yes. All three profile tables now have the same columns: Enabled, Profile Name, Tags, and Author's Twitter. The right-click context menu also includes Enable, Disable, and Set New Tag on all three tables.

***

## 🔍 Scanning

### How do I configure threads and request rate for a scan?

⚡ Scanner settings (Threads, Concurrency, Requests per second) are configured **per scan** in the URL Filter popup that appears before each scan. This lets you run different scans with different performance settings simultaneously.

### Where did the thread settings in the Options tab go?

Thread pool size, concurrency, and requests per second have been moved from the global Options tab to the **per-scan URL Filter popup**. This allows each scan to have independent performance settings. Default values are 🧵 10 / 🔀 10 / 📈 10.

### Can I run multiple scans with different thread settings?

✅ Yes. Each scan creates its own independent thread pool. You can run one scan with 20 threads against a robust target and another with 2 threads against a rate-limited target, simultaneously.

### How does pause/resume work?

⏸️ Burp Bounty Pro uses a custom **PausableThreadPoolExecutor** that truly pauses threads without destroying them:

1. When you click **Pause All**, each thread blocks at a safe synchronization point using `Condition.await()`
2. ✅ No scan progress is lost — threads resume from exactly where they paused
3. When you click **Resume All**, `Condition.signalAll()` wakes all blocked threads
4. ⏱️ Paused time is tracked and excluded from scan duration and timeout calculations
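The four steps above describe the standard "pausable executor" pattern built on a `ReentrantLock` and a `Condition`. The class below is an added, self-contained illustration of that pattern, not the extension's source: workers block in `beforeExecute` while paused, `resume()` calls `signalAll()`, and time spent paused is accumulated so a caller can compute active scan time. The payload tasks in `main` are simulated with `Thread.sleep`.

```java
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;

/** Added illustration of a pausable thread pool (not Burp Bounty's implementation). */
public class PausableThreadPoolExecutor extends ThreadPoolExecutor {
    private final ReentrantLock pauseLock = new ReentrantLock();
    private final Condition unpaused = pauseLock.newCondition();
    private boolean paused;                 // guarded by pauseLock
    private long pauseStartedNanos;         // guarded by pauseLock
    private long totalPausedNanos;          // guarded by pauseLock

    public PausableThreadPoolExecutor(int threads) {
        super(threads, threads, 0L, TimeUnit.MILLISECONDS, new LinkedBlockingQueue<>());
    }

    /** Safe synchronization point: a worker blocks here before its next task while paused. */
    @Override
    protected void beforeExecute(Thread t, Runnable r) {
        super.beforeExecute(t, r);
        pauseLock.lock();
        try {
            while (paused) {
                unpaused.await();           // releases pauseLock while waiting
            }
        } catch (InterruptedException ie) {
            t.interrupt();
        } finally {
            pauseLock.unlock();
        }
    }

    public void pause() {
        pauseLock.lock();
        try {
            if (!paused) {
                paused = true;
                pauseStartedNanos = System.nanoTime();
            }
        } finally {
            pauseLock.unlock();
        }
    }

    public void resume() {
        pauseLock.lock();
        try {
            if (paused) {
                paused = false;
                totalPausedNanos += System.nanoTime() - pauseStartedNanos;
                unpaused.signalAll();       // wake every blocked worker
            }
        } finally {
            pauseLock.unlock();
        }
    }

    /** Elapsed time since scanStartedNanos with paused intervals excluded. */
    public long activeMillis(long scanStartedNanos) {
        pauseLock.lock();
        try {
            long pausedSoFar = totalPausedNanos;
            if (paused) {
                pausedSoFar += System.nanoTime() - pauseStartedNanos;
            }
            return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - scanStartedNanos - pausedSoFar);
        } finally {
            pauseLock.unlock();
        }
    }

    public static void main(String[] args) throws Exception {
        PausableThreadPoolExecutor pool = new PausableThreadPoolExecutor(2);
        long start = System.nanoTime();
        for (int i = 0; i < 6; i++) {
            int payload = i;
            pool.execute(() -> {            // stands in for one payload request
                try { Thread.sleep(50); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
                System.out.println("payload " + payload + " sent on " + Thread.currentThread().getName());
            });
        }
        Thread.sleep(60);
        pool.pause();
        System.out.println("paused: queued payloads wait in beforeExecute");
        Thread.sleep(300);
        pool.resume();
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        System.out.printf("active time ~%d ms (300 ms of pause excluded)%n", pool.activeMillis(start));
    }
}
```

One consequence of the pattern: a task that is already executing when `pause()` is called finishes its current request; the pause takes effect before the worker's next task, which is why no in-flight state is lost.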

### Why are my scans slow?

Common causes:

1. 📦 **Too many profiles enabled** — Disable profiles you don't need
2. 📍 **Too many insertion points** — Use only relevant insertion point types per profile
3. 🧵 **Thread count too low** — Increase threads in the per-scan popup (try 20-30) when the target is not rate-limited
4. 📈 **Low RPS setting** — Increase requests per second if the target can handle it
5. 🔄 **Following too many redirects** — Reduce `MaxRedir` values

### How does stop-on-first-match work?

🎯 When a payload matches for a given profile and insertion point, a shared flag is set. Other tasks for the same profile/insertion point combination check this flag and skip execution. Without it, every matching payload would produce its own copy of the same issue for that insertion point. See [Scan Control](https://docs.bountysecurity.ai/scanning/scan-control).

### Why do I see duplicate issues?

⚠️ Because tasks run in parallel, two tasks may occasionally both read the flag as unset before either of them sets it (a check-then-act race). This is benign: the worst case is two copies of an issue instead of one per payload.
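The race in the answer above is a check-then-act window between reading the flag and setting it. The Java class below is an added illustration, not the extension's code: it reproduces the window with two concurrent payload tasks sharing one flag, then shows one way to close it by reporting only from the task that wins an `AtomicBoolean.compareAndSet` after its payload matches. The key format `profile|insertionPoint` and the simulated request delay are assumptions for the example.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;

/** Added illustration of stop-on-first-match and its duplicate-report race (not Burp Bounty's source). */
public final class FirstMatchGuard {
    // One flag per (profile, insertion point); the key format is an assumption of this example.
    private final ConcurrentMap<String, AtomicBoolean> matched = new ConcurrentHashMap<>();

    private AtomicBoolean flag(String profile, String insertionPoint) {
        return matched.computeIfAbsent(profile + "|" + insertionPoint, k -> new AtomicBoolean(false));
    }

    /** Check-then-act: read the flag, send the payload, set the flag after a match. Two tasks can both report. */
    public boolean checkThenAct(String profile, String ip, boolean payloadMatches) {
        AtomicBoolean f = flag(profile, ip);
        if (f.get()) return false;                 // another task already matched: skip
        simulateRequest();                         // window in which a second task also sees "unset"
        if (!payloadMatches) return false;
        f.set(true);
        return true;                               // "issue reported"
    }

    /** Exactly-once: after a match, only the task whose compareAndSet succeeds reports. */
    public boolean exactlyOnce(String profile, String ip, boolean payloadMatches) {
        AtomicBoolean f = flag(profile, ip);
        if (f.get()) return false;
        simulateRequest();
        if (!payloadMatches) return false;
        return f.compareAndSet(false, true);       // loser of the race returns false and stays silent
    }

    private static void simulateRequest() {        // stands in for the network round trip
        try { Thread.sleep(20); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }

    /** Runs two payload tasks for the same profile and insertion point at once; returns the number of reports. */
    public static int run(boolean useCompareAndSet) throws InterruptedException {
        FirstMatchGuard guard = new FirstMatchGuard();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        AtomicInteger reported = new AtomicInteger();
        CountDownLatch go = new CountDownLatch(1);
        for (int i = 0; i < 2; i++) {
            pool.execute(() -> {
                try { go.await(); } catch (InterruptedException e) { return; }
                boolean r = useCompareAndSet ? guard.exactlyOnce("sqli", "param:id", true)
                                             : guard.checkThenAct("sqli", "param:id", true);
                if (r) reported.incrementAndGet();
            });
        }
        go.countDown();                            // release both tasks together to expose the window
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        return reported.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("check-then-act reported " + run(false) + " issue(s) for 2 matching payloads");
        System.out.println("compareAndSet  reported " + run(true) + " issue(s) for 2 matching payloads");
    }
}
```

With `compareAndSet` the second request is still sent (the flag was unset when it was checked), but only one issue is reported; the guard reduces duplicate reports, not duplicate traffic.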

### How do I use Burp Collaborator with profiles?

🌐 Use the `{BC}` variable in your payloads. Each occurrence generates a unique Burp Collaborator subdomain. The scanner polls Collaborator for interactions and reports issues when callbacks are received.

### What is Smart Scan?

🧠 Smart Scan uses Rules to automatically trigger active scanning when passive conditions are detected. For example: if a passive profile detects WordPress, a rule can automatically run all WordPress vulnerability profiles. See [Smart Scan](https://docs.bountysecurity.ai/scanning/smart-scan).

### How do I launch a passive scan for specific tags only?

🏷️ Right-click on one or more requests, select **Passive Scan**, then choose from the tag-based submenu:

* 🌐 **All** — Run all passive profiles
* 📨 **Passive Request** > **Tag Name** — Run only request profiles with that tag
* 📩 **Passive Response** > **Tag Name** — Run only response profiles with that tag

Each entry shows a count of matching profiles (e.g., "Security\_Headers (15)").

### What is Live Passive Scan?

👁️ The **Live Passive Scan** toggle in the Dashboard enables automatic passive scanning of all HTTP traffic flowing through Burp Suite. When enabled, every request and response is analyzed by enabled passive profiles in real-time. The "Scope Only" checkbox restricts this to in-scope targets only.

***

## 📋 Rules

### How do Rules work?

Rules follow an **IF-THEN** pattern:

* 🔍 **IF** one or more passive profiles match the traffic
* 🎯 **THEN** execute specific active profiles or all profiles with a tag

See [Rules Overview](https://docs.bountysecurity.ai/rules/overview).

### What is the difference between "All Matches" and "First Match" scope?

* 🔄 **All Matches** — Execute the active profiles every time the passive condition matches
* 1️⃣ **First Match** — Execute only the first time the condition matches (per host)

### Why are some default rules disabled?

⚠️ The four bulk scanning rules ("Scan all requests with...") are disabled by default because they trigger active profiles on **every** request, which can consume excessive resources. Enable them only when scanning small, specific targets.

### What settings are used for scans triggered by rules?

⚙️ When Smart Scan rules automatically trigger active scans (without a manual popup), default values of **10 threads**, **10 concurrency**, and **10 RPS** are used.

***

## 🤖 AI Scanner

### What is the AI Scanner?

🤖 The AI Scanner sends HTTP requests and responses to a language model, which identifies likely attack surfaces and recommends the most relevant scan profiles. It can flag parameters that look like candidates for SQLi, XSS, RCE, LFI, SSRF, and more without a passive rule having to be written for each case; the actual testing is still done by the active profiles it recommends.

### Which AI providers are supported?

The AI Scanner supports **OpenAI**, **Anthropic (Claude)**, **Google Gemini**, **OpenRouter**, and **Local models via Ollama**. You can use any model available through these providers by changing the Model field in Settings.

### Do I need an API key?

✅ Yes. You need an API key from your chosen provider. If you try to launch an AI scan without one, a popup will guide you to the Settings page.

### How does auto-scan work?

When **Auto-scan after analysis** is enabled, the AI Scanner automatically matches its recommended profiles against your enabled active profiles (by name, case-insensitive) and launches them as an active scan against the original request.

### Can I customize the AI prompts?

✅ Yes. Click **Edit Prompts** in the AI Scanner settings to customize the system prompt (analysis rules, profile taxonomy, confidence calibration) and user prompt template (request data placeholders). The default prompts are comprehensive and work well out of the box.

### Why does the AI Scanner return "No interesting entry points"?

The AI model determines that no parameters in the request are worth testing. This can happen for:

* Requests with no user-controllable parameters
* Static resources (images, CSS, JS)
* API endpoints with only standard/non-injectable parameters

### What is the scan scope per-host feature?

🔎 Active profiles now have a **Scan Scope** setting. Per-URL (default) runs the profile against every URL in the scan; Per-Host runs it once per host:port, no matter how many URLs on that host are selected. Per-Host is ideal for path discovery profiles and fixed-path CVE probes, whose requests do not depend on the original URL.

***

## 🔧 Variables

### How do I change the redirect domain?

Go to **Burp Bounty Pro** > **Variables** tab. Edit the `{REDIRECT_DOMAIN}` variable (default: `bountysecurity.ai`) to your preferred domain.

### Can I add custom variables?

✅ Yes. Go to the **Variables** tab, click **Add**, and define a name and value. Your variable is immediately available as `{YOUR_VARIABLE_NAME}` in all profiles. See [Global Variables](https://docs.bountysecurity.ai/variables/global-variables).

### What is {BC}?

🌐 `{BC}` is a special variable that generates a unique Burp Collaborator subdomain. Use it for out-of-band vulnerability detection (SSRF, blind XSS, blind RCE, etc.).
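The difference between a global variable and `{BC}` is that a global is substituted by value wherever it appears, while every `{BC}` occurrence must become a distinct subdomain that can later be traced back to the payload that carried it. The Java class below is an added illustration of that expansion step (also covering the `{BC}` and custom-variable answers above); it is not the extension's code. The Collaborator client is replaced by a small interface with a counter-based fake so the example runs offline; in a real extension this would be backed by Burp's Collaborator API. The template, the `.collab.example` suffix and the context label are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration of variable expansion with per-occurrence {BC} payloads (not Burp Bounty's source). */
public final class PayloadExpander {
    private static final Pattern VAR = Pattern.compile("\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Source of Collaborator subdomains; kept abstract so the example does not need Burp. */
    public interface CollaboratorSource {
        String newSubdomain();
    }

    private final Map<String, String> globals;
    private final CollaboratorSource collaborator;
    // subdomain -> context, so an incoming interaction can be mapped back to its payload
    private final Map<String, String> issued = new LinkedHashMap<>();

    public PayloadExpander(Map<String, String> globals, CollaboratorSource collaborator) {
        this.globals = globals;
        this.collaborator = collaborator;
    }

    /** Expands {NAME} from the globals table and gives every {BC} its own fresh subdomain. */
    public String expand(String template, String context) {
        Matcher m = VAR.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1);
            String value;
            if (name.equals("BC")) {
                value = collaborator.newSubdomain();
                issued.put(value, context);
            } else if (globals.containsKey(name)) {
                value = globals.get(name);
            } else {
                value = m.group(0);   // unknown variable: leave it literal so the typo is visible in the request
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Returns the context recorded for a Collaborator interaction host, or null if it was not issued here. */
    public String contextFor(String interactionHost) {
        return issued.get(interactionHost);
    }

    public static void main(String[] args) {
        // Fake Collaborator: deterministic, offline subdomains (constructed for this example).
        CollaboratorSource fake = new CollaboratorSource() {
            private int n = 0;
            public String newSubdomain() { return String.format("bb%06d.collab.example", ++n); }
        };
        // {REDIRECT_DOMAIN} default taken from the Variables FAQ above; {MY_HEADER} is a custom global.
        Map<String, String> globals = Map.of("REDIRECT_DOMAIN", "bountysecurity.ai", "MY_HEADER", "X-Probe");

        PayloadExpander expander = new PayloadExpander(globals, fake);
        String template = "{MY_HEADER}: http://{BC}/?next=https://{REDIRECT_DOMAIN}/&img=http://{BC}/i.png";
        String payload = expander.expand(template, "ssrf-profile @ param:url");

        System.out.println(payload);   // two different bbNNNNNN.collab.example hosts, one REDIRECT_DOMAIN
        System.out.println("bb000002.collab.example came from: " + expander.contextFor("bb000002.collab.example"));
    }
}
```

The `issued` map is what turns a later Collaborator callback into a reportable issue: without recording which subdomain went into which insertion point, an interaction can only tell you that something fired, not where.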

***

## 🔧 Troubleshooting

### Profiles are not loading on first launch

📂 Ensure the `BurpBountyData` directory is present alongside the extension JAR. The extension auto-loads profiles from this directory on first launch.

### Scan is marked as "Failed"

⏱️ This means the scan exceeded the configured timeout. Increase the timeout in **Options** or reduce the scope of the scan.

> 📝 **Note:** Paused time does not count toward the timeout. If a scan is paused for 30 minutes, those minutes are not counted.

### No issues are being found

Check that:

1. ✅ Profiles are **enabled** in the Profiles tab
2. 📍 The profile's **insertion point types** match the target request structure
3. 🔍 The profile's **grep patterns** are correct for the expected response
4. 🔽 **Response filters** (content-type, status code, URL extension) are not excluding your target responses
5. 🔄 **Redirect settings** are appropriate — some vulnerabilities only appear after following redirects

### Extension is consuming too much memory

1. 📦 Reduce the number of enabled profiles
2. 🧵 Lower the thread count in the per-scan popup
3. ❌ Disable bulk scanning rules
4. 🏷️ Use Tags and Rules for targeted scanning instead of running all profiles
5. 🔢 Reduce Max Concurrent Scans in Options

### Passive scan context menu doesn't show tags

🏷️ Tags only appear in the submenu for enabled profiles. If you've disabled all profiles with a certain tag, that tag won't appear. Enable the relevant profiles and the tags will appear with their counts.
