# Redirections

HTTP redirect handling is critical for active scanning. Many vulnerabilities are only visible after following one or more redirects (e.g., open redirects, certain XSS, authentication bypasses).

## 📊 Redirect Types

The `RedirType` field controls how Burp Bounty Pro handles HTTP redirects during active scanning:

| RedirType | Name                    | Behavior                                                                     |
| --------- | ----------------------- | ---------------------------------------------------------------------------- |
| 0         | 🚫 **Never**            | Never follow redirects. Only analyze the initial response.                   |
| 1         | 🏠 **On-site only**     | Follow redirects only if the target host matches the original request host.  |
| 2         | 🎯 **In-scope only**    | Follow redirects only if the target URL is within Burp Suite's target scope. |
| 3         | 🌐 **Always**           | Follow all redirects regardless of destination.                              |
| 4         | 🔢 **Follow redirects** | Follow redirects up to the configured maximum limit.                         |

## 🔢 Maximum Redirects

The `MaxRedir` field sets the maximum number of redirects to follow per request chain:

```json
{
  "RedirType": 4,
  "MaxRedir": 5
}
```

This follows up to 5 redirects before stopping.

## 📋 Supported Redirect Status Codes

Burp Bounty Pro handles these HTTP redirect status codes:

| Code | Name               | Description                             |
| ---- | ------------------ | --------------------------------------- |
| 300  | Multiple Choices   | 🔀 Multiple redirect options            |
| 301  | Moved Permanently  | 📌 Permanent redirect                   |
| 302  | Found              | 🔄 Temporary redirect                   |
| 303  | See Other          | ➡️ Redirect with GET method             |
| 307  | Temporary Redirect | 🔄 Temporary redirect preserving method |
| 308  | Permanent Redirect | 📌 Permanent redirect preserving method |

## 🛡️ Redirect Loop Protection

To prevent infinite redirect loops, Burp Bounty Pro enforces a hard limit of **30 redirects** per request chain, regardless of the `MaxRedir` setting.
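The rules from the sections above (the five `RedirType` values, `MaxRedir`, the handled status codes and the 30-hop cap) as an added Python model of the documented behaviour, not Burp Bounty Pro's own code. It assumes that `MaxRedir` caps every following mode, that "host" means the hostname without the port, and that Burp's target-scope check can be stood in for by a caller-supplied `in_scope` function; the server table and URLs are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {300, 301, 302, 303, 307, 308}   # codes the page lists as handled
HARD_LIMIT = 30                                   # loop-protection cap from the page


def should_follow(redir_type, original_url, target_url, in_scope):
    """Does this RedirType permit following one hop to target_url?"""
    if redir_type == 0:                      # Never
        return False
    if redir_type == 1:                      # On-site only: same host as the ORIGINAL request
        return urlsplit(original_url).hostname == urlsplit(target_url).hostname
    if redir_type == 2:                      # In-scope only: defer to the scope check (assumed hook)
        return in_scope(target_url)
    if redir_type in (3, 4):                 # Always / Follow redirects
        return True
    raise ValueError(f"unknown RedirType: {redir_type}")


def follow_chain(profile, original_url, server, in_scope=lambda url: False):
    """Walk redirects from original_url through a constructed `server` table
    {url: (status, location)} and return the URLs requested after the original.
    Stops when the policy refuses a hop, when MaxRedir is exhausted, or when
    the hard limit of 30 hops is reached (assumption: MaxRedir caps every mode)."""
    redir_type = profile.get("RedirType", 0)
    limit = min(profile.get("MaxRedir", HARD_LIMIT), HARD_LIMIT)
    current, visited = original_url, []
    while len(visited) < limit:
        status, location = server.get(current, (200, None))
        if status not in REDIRECT_CODES or not location:
            break                            # final, non-redirect response reached
        target = urljoin(current, location)  # Location may be relative
        if not should_follow(redir_type, original_url, target, in_scope):
            break
        visited.append(target)
        current = target
    return visited


# Constructed sample: a login page hops once on-site, then off to an SSO host.
SERVER = {
    "https://app.example/login": (302, "/auth/start"),
    "https://app.example/auth/start": (303, "https://sso.example/authorize"),
    "https://sso.example/authorize": (200, None),
}
# Constructed two-page loop used to show the 30-hop cap.
LOOP = {"https://app.example/a": (301, "/b"), "https://app.example/b": (301, "/a")}
```

Running `follow_chain` with each `RedirType` against `SERVER` shows which hops a profile would have taken before a match is evaluated; `LOOP` with `RedirType` 3 and no `MaxRedir` stops after exactly 30 hops.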

## 🎯 Choosing the Right Redirect Mode

### 🔄 Open Redirect Testing

```json
{
  "RedirType": 4,
  "MaxRedir": 5
}
```

Follow redirects to verify the server redirects to the attacker-controlled domain. Match the `Location` header or response body after redirection.

### 🌐 SSRF Testing

```json
{
  "RedirType": 0
}
```

It is often best **not** to follow redirects when testing SSRF. Check the initial response for redirect headers pointing to internal resources, or use Burp Collaborator for out-of-band confirmation.

### 💉 XSS Testing

```json
{
  "RedirType": 4,
  "MaxRedir": 3
}
```

Follow a few redirects to check if the payload is reflected in the final response after any redirects.

### 📂 Path Traversal

```json
{
  "RedirType": 1,
  "MaxRedir": 3
}
```

Follow on-site redirects only to handle 301 redirects for directory normalization.

### 🛡️ Security Header Checks

```json
{
  "RedirType": 0
}
```

Never follow redirects — check the headers on the initial response.

## 📚 Example Configurations

### 🌐 CORS Misconfiguration

```json
{
  "RedirType": 4,
  "MaxRedir": 3
}
```

Follow a few redirects since CORS headers may only appear after redirection.

### 🔄 Open Redirect with Parameter Pollution

```json
{
  "RedirType": 4,
  "MaxRedir": 4
}
```

Follow redirects and match the redirect chain for the attacker domain.

### 🐛 CVE Exploitation

```json
{
  "RedirType": 4,
  "MaxRedir": 5
}
```

Follow redirects generously since exploit responses may involve multiple redirects.
