# Redirections

HTTP redirect handling is critical for active scanning. Many vulnerabilities are only visible after following one or more redirects (e.g., open redirects, certain XSS, authentication bypasses).

## 📊 Redirect Types

The `RedirType` field controls how Burp Bounty Pro handles HTTP redirects during active scanning:

| RedirType | Name                    | Behavior                                                                     |
| --------- | ----------------------- | ---------------------------------------------------------------------------- |
| 0         | 🚫 **Never**            | Never follow redirects. Only analyze the initial response.                   |
| 1         | 🏠 **On-site only**     | Follow redirects only if the target host matches the original request host.  |
| 2         | 🎯 **In-scope only**    | Follow redirects only if the target URL is within Burp Suite's target scope. |
| 3         | 🌐 **Always**           | Follow all redirects regardless of destination.                              |
| 4         | 🔢 **Follow redirects** | Follow redirects up to the configured maximum limit.                         |

## 🔢 Maximum Redirects

The `MaxRedir` field sets the maximum number of redirects to follow per request chain:

```json
{
  "RedirType": 4,
  "MaxRedir": 5
}
```

This follows up to 5 redirects before stopping.

## 📋 Supported Redirect Status Codes

Burp Bounty Pro handles these HTTP redirect status codes:

| Code | Name               | Description                             |
| ---- | ------------------ | --------------------------------------- |
| 300  | Multiple Choices   | 🔀 Multiple redirect options            |
| 301  | Moved Permanently  | 📌 Permanent redirect                   |
| 302  | Found              | 🔄 Temporary redirect                   |
| 303  | See Other          | ➡️ Redirect with GET method             |
| 307  | Temporary Redirect | 🔄 Temporary redirect preserving method |
| 308  | Permanent Redirect | 📌 Permanent redirect preserving method |

## 🛡️ Redirect Loop Protection

To prevent infinite redirect loops, Burp Bounty Pro enforces a hard limit of **30 redirects** per request chain, regardless of the `MaxRedir` setting.
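The modes, the `MaxRedir` budget and the 30-hop ceiling described above, modelled in Python as an added example (this is not Burp Bounty Pro's own code). It assumes that "same host" means an equal hostname with scheme and port ignored, that the in-scope check can be approximated by a hostname allow-list, and that `MaxRedir` budgets every following mode with the hard limit always winning; it also applies the status-code semantics from the table (303 switches to GET, 307/308 keep the method). The sample responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

# RedirType values as listed in the profile documentation.
NEVER, ON_SITE, IN_SCOPE, ALWAYS, FOLLOW = 0, 1, 2, 3, 4
HARD_LIMIT = 30            # loop-protection ceiling, applied regardless of MaxRedir
REDIRECT_CODES = {300, 301, 302, 303, 307, 308}
METHOD_PRESERVING = {307, 308}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def may_follow(redir_type, origin_host, scope_hosts, target_url):
    """Policy decision only: is a redirect to target_url permitted?"""
    if redir_type == NEVER:
        return False
    if redir_type == ON_SITE:
        # Assumption: "same host" means equal hostname, ignoring scheme and port.
        return host_of(target_url) == origin_host
    if redir_type == IN_SCOPE:
        # Assumption: scope modelled as a hostname allow-list (real scope rules are richer).
        return host_of(target_url) in {h.lower() for h in scope_hosts}
    return True  # ALWAYS and FOLLOW: destination does not matter


def follow_chain(fetch, method, url, redir_type, max_redir=HARD_LIMIT, scope_hosts=()):
    """Walk a redirect chain under the given policy.

    fetch(method, url) -> (status, headers). Returns the hops actually
    requested as (method, url, status) tuples; the last hop is the response
    the scanner would analyse.
    """
    origin_host = host_of(url)
    # Assumption: MaxRedir budgets every following mode; the hard limit always wins.
    budget = min(max_redir, HARD_LIMIT)
    hops = []
    for _ in range(budget + 1):          # initial request + up to `budget` redirects
        status, headers = fetch(method, url)
        hops.append((method, url, status))
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return hops                  # final response reached
        nxt = urljoin(url, location)     # resolve relative Location values
        if not may_follow(redir_type, origin_host, scope_hosts, nxt):
            return hops                  # policy stops the chain here
        if status == 303:
            method = "GET"               # 303 always switches to GET
        # 307/308 keep the method; 301/302 are left unchanged in this model
        url = nxt
    return hops                          # budget exhausted while still redirecting


# Constructed sample responses, keyed by (method, url); not captured from a real target.
SAMPLE = {
    ("GET", "https://app.example/login"): (302, {"Location": "/account"}),
    ("GET", "https://app.example/account"): (301, {"Location": "https://cdn.example/static/"}),
    ("GET", "https://cdn.example/static/"): (200, {}),
    ("POST", "https://app.example/submit"): (303, {"Location": "/done"}),
    ("GET", "https://app.example/done"): (200, {}),
    ("GET", "https://app.example/loop"): (302, {"Location": "/loop"}),
}


def sample_fetch(method, url):
    return SAMPLE.get((method, url), (404, {}))


if __name__ == "__main__":
    for mode in (NEVER, ON_SITE, IN_SCOPE, ALWAYS):
        hops = follow_chain(sample_fetch, "GET", "https://app.example/login", mode,
                            max_redir=5, scope_hosts=("app.example",))
        print("RedirType", mode, "->", hops)
    # the self-referencing /loop stops at the 30-redirect ceiling even with MaxRedir 99
    print(len(follow_chain(sample_fetch, "GET", "https://app.example/loop", FOLLOW, 99)))
```

Running it shows why mode choice matters: with `ON_SITE` the scanner never sees the `cdn.example` response, with `IN_SCOPE` it sees it only if that host is in scope, and the `/loop` chain always terminates after 31 requests.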

## 🎯 Choosing the Right Redirect Mode

### 🔄 Open Redirect Testing

```json
{
  "RedirType": 4,
  "MaxRedir": 5
}
```

Follow redirects to verify the server redirects to the attacker-controlled domain. Match the `Location` header or response body after redirection.

### 🌐 SSRF Testing

```json
{
  "RedirType": 0
}
```

It is often best **not** to follow redirects when testing SSRF. Check the initial response for redirect headers pointing to internal resources, or use Burp Collaborator for out-of-band confirmation.

### 💉 XSS Testing

```json
{
  "RedirType": 4,
  "MaxRedir": 3
}
```

Follow a few redirects to check if the payload is reflected in the final response after any redirects.

### 📂 Path Traversal

```json
{
  "RedirType": 1,
  "MaxRedir": 3
}
```

Follow on-site redirects only, so that the 301 redirects servers issue for directory normalization are handled without leaving the host.

### 🛡️ Security Header Checks

```json
{
  "RedirType": 0
}
```

Never follow redirects — check the headers on the initial response.

## 📚 Example Configurations

### 🌐 CORS Misconfiguration

```json
{
  "RedirType": 4,
  "MaxRedir": 3
}
```

Follow a few redirects since CORS headers may only appear after redirection.

### 🔄 Open Redirect with Parameter Pollution

```json
{
  "RedirType": 4,
  "MaxRedir": 4
}
```

Follow redirects and match the redirect chain for the attacker domain.

### 🐛 CVE Exploitation

```json
{
  "RedirType": 4,
  "MaxRedir": 5
}
```

Follow redirects generously since exploit responses may involve multiple redirects.

