🔄Redirections

HTTP redirect handling is critical for active scanning. Many vulnerabilities are only visible after following one or more redirects (e.g., open redirects, certain XSS, authentication bypasses).

📊 Redirect Types

The RedirType field controls how Burp Bounty Pro handles HTTP redirects during active scanning:

RedirType

Name

Behavior

🚫 Never

Never follow redirects. Only analyze the initial response.

🏠 On-site only

Follow redirects only if the target host matches the original request host.

🎯 In-scope only

Follow redirects only if the target URL is within Burp Suite's target scope.

🌐 Always

Follow all redirects regardless of destination.

🔢 Follow redirects

Follow redirects up to the configured maximum limit.

🔢 Maximum Redirects

The MaxRedir field sets the maximum number of redirects to follow per request chain:

{
  "RedirType": 4,
  "MaxRedir": 5
}

This follows up to 5 redirects before stopping.

📋 Supported Redirect Status Codes

Burp Bounty Pro handles these HTTP redirect status codes:

Code

Name

Description

300

Multiple Choices

🔀 Multiple redirect options

301

Moved Permanently

📌 Permanent redirect

302

Found

🔄 Temporary redirect

303

See Other

➡️ Redirect with GET method

307

Temporary Redirect

🔄 Temporary redirect preserving method

308

Permanent Redirect

📌 Permanent redirect preserving method

🛡️ Redirect Loop Protection

To prevent infinite redirect loops, Burp Bounty Pro enforces a hard limit of 30 redirects per request chain, regardless of the MaxRedir setting.

🎯 Choosing the Right Redirect Mode

🔄 Open Redirect Testing

{
  "RedirType": 4,
  "MaxRedir": 5
}

Follow redirects to verify the server redirects to the attacker-controlled domain. Match the Location header or response body after redirection.

🌐 SSRF Testing

{
  "RedirType": 0
}

Often best to not follow redirects when testing SSRF. Check the initial response for redirect headers pointing to internal resources, or use Burp Collaborator for out-of-band confirmation.

💉 XSS Testing

{
  "RedirType": 4,
  "MaxRedir": 3
}

Follow a few redirects to check if the payload is reflected in the final response after any redirects.

📂 Path Traversal

{
  "RedirType": 1,
  "MaxRedir": 3
}

Follow on-site redirects only to handle 301 redirects for directory normalization.

🛡️ Security Header Checks

{
  "RedirType": 0
}

Never follow redirects — check the headers on the initial response.

📚 Example Configurations

🌐 CORS Misconfiguration

{
  "RedirType": 4,
  "MaxRedir": 3
}

Follow a few redirects since CORS headers may only appear after redirection.

🔄 Open Redirect with Parameter Pollution

{
  "RedirType": 4,
  "MaxRedir": 4
}

Follow redirects and match the redirect chain for the attacker domain.

🐛 CVE Exploitation

{
  "RedirType": 4,
  "MaxRedir": 5
}

Follow redirects generously since exploit responses may involve multiple redirects.

PreviousGrep Options NextRaw Request

Last updated 2 days ago

hashtag📊 Redirect Types

hashtag🔢 Maximum Redirects

hashtag📋 Supported Redirect Status Codes

hashtag🛡️ Redirect Loop Protection

hashtag🎯 Choosing the Right Redirect Mode

hashtag🔄 Open Redirect Testing

hashtag🌐 SSRF Testing

hashtag💉 XSS Testing

hashtag📂 Path Traversal

hashtag🛡️ Security Header Checks

hashtag📚 Example Configurations

hashtag🌐 CORS Misconfiguration

hashtag🔄 Open Redirect with Parameter Pollution

hashtag🐛 CVE Exploitation