# Tags

Tags are labels used to categorize and organize profiles. They enable powerful filtering, tag-based passive scan launching, and are the key mechanism for targeting groups of profiles in Smart Scan rules.

## ⚙️ How Tags Work

Every profile has a `Tags` array containing one or more tag strings:

```json
{
  "Tags": ["All", "XSS", "Reflected"]
}
```

Tags are used for:

1. 🔍 **Filtering profiles** in the Profiles tab — View profiles by category using the tag dropdown
2. 👁️ **Launching passive scans by tag** — Right-click context menu lets you run only passive profiles with a specific tag
3. 🧠 **Targeting profiles in Rules** — Execute all profiles with a specific tag when rule conditions are met
4. 📂 **Organizing profiles** — Group related profiles logically across all three profile types

## 📊 Tags in All Profile Tables

Tags are displayed in **all three profile tables** — Active, Passive Request, and Passive Response:

|    | Table                | Columns                                           |
| -- | -------------------- | ------------------------------------------------- |
| 🎯 | **Active Profiles**  | Enabled, Profile Name, **Tags**, Author's Twitter |
| 📨 | **Passive Request**  | Enabled, Profile Name, **Tags**, Author's Twitter |
| 📩 | **Passive Response** | Enabled, Profile Name, **Tags**, Author's Twitter |

## 🏷️ Assigning Tags with "Set New Tag"

You can quickly assign tags to profiles directly from the profile tables using the right-click context menu:

### Steps

1. Select one or more profiles in any profile table (Active, Passive Request, or Passive Response)
2. Right-click to open the context menu
3. Click **Set New Tag**
4. In the dialog, enter the tag name
5. Click OK — the tag is added to all selected profiles ✅

> 💡 **Tip:** Select multiple profiles with **Ctrl+Click** or **Shift+Click**, then use **Set New Tag** to tag them all at once. This is the fastest way to organize a large number of profiles.

### What Happens

* ✅ The tag is added to each selected profile's `Tags` array in its `.bb` file
* 🔁 If the tag already exists in a profile, it's not duplicated
* 📝 The tag is added to the global tags list (`tags.txt`)
* 🔄 The Tags column and tag dropdown are updated immediately
* 👁️ The tag becomes available in the passive scan context menu

## 🌐 The "All" Tag

The special `All` tag is included in most profiles by convention. It allows rules to target all profiles at once:

```json
{
  "Tags": ["All"]
}
```

> ⚠️ **Warning:** Rules that execute the `All` tag will trigger **every** active profile, which can be very resource-intensive. Use with caution.

## 📦 Default Tags

The bundled profiles use these tags for categorization:

| Tag                | Description                         | Count |
| ------------------ | ----------------------------------- | ----- |
| `All`              | All profiles                        | \~254 |
| `XSS`              | Cross-Site Scripting                | \~15  |
| `SQLi`             | SQL Injection                       | \~8   |
| `SSRF`             | Server-Side Request Forgery         | \~6   |
| `RCE`              | Remote Code Execution               | \~10  |
| `Open Redirect`    | Open Redirect                       | \~5   |
| `CORS`             | CORS Misconfiguration               | \~1   |
| `SSTI`             | Server-Side Template Injection      | \~1   |
| `XXE`              | XML External Entity                 | \~3   |
| `CVEs`             | Known CVE exploits                  | \~50  |
| `Path Traversal`   | Path/Directory Traversal            | \~2   |
| `Wordpress`        | WordPress-specific                  | \~12  |
| `Drupal`           | Drupal-specific                     | \~2   |
| `Spring`           | Spring Framework-specific           | \~2   |
| `GraphQL`          | GraphQL-specific                    | \~6   |
| `Fuzzing Files`    | File/directory fuzzing              | \~4   |
| `Forgot Password`  | Password reset testing              | \~3   |
| `Cloud`            | Cloud infrastructure                | \~1   |
| `API`              | API endpoints                       | \~1   |
| `JWT`              | JSON Web Tokens                     | \~1   |
| `Mobile`           | Mobile application testing          | \~1   |
| `Blind XSS`        | Blind XSS payloads                  | \~1   |
| `CRLF`             | CRLF Injection                      | \~1   |
| `Errors`           | Error page detection                | \~1   |
| `DRWuzz`           | DWR fuzzing                         | \~1   |
| `Introspection`    | GraphQL introspection               | \~1   |
| `React/Next.js`    | React/Next.js vulnerabilities       | \~3   |
| `n8n`              | n8n platform vulnerabilities        | \~1   |
| `Security_Headers` | Missing security headers (passive)  | \~6   |
| `Secrets`          | Exposed secrets and keys (passive)  | \~10  |
| `Parameters`       | Interesting parameters (passive)    | \~5   |
| `Cookie_Security`  | Cookie security flags (passive)     | \~3   |
| `Technology`       | Technology fingerprinting (passive) | \~8   |

## 👁️ Tags in the Passive Scan Context Menu

Tags are the foundation of the **tag-based passive scan** feature. When you right-click to launch a passive scan, the context menu organizes passive profiles by tag:

```
👁️ Passive Scan
├── 🌐 All (125)
├── 📨 Passive Request
│   ├── All (48)
│   ├── API (5)
│   ├── Parameters (12)
│   ├── Technology (8)
│   └── ...
└── 📩 Passive Response
    ├── All (77)
    ├── Cookie_Security (3)
    ├── Secrets (10)
    ├── Security_Headers (15)
    └── ...
```

Each entry shows the **count** of profiles with that tag. This lets you run precisely the passive checks you need.

See [Passive Scan](/scanning/passive-scan.md) for details on launching tag-based passive scans.

## 📋 Using Tags in Rules

Rules can target profiles by tag instead of listing individual profiles:

```json
{
  "Execute": {
    "type": "tag",
    "value": "XSS"
  }
}
```

This executes all active profiles tagged with "XSS" when the rule's conditions are met.

See [Creating Rules](/rules/creating-rules.md) for details.

## 📊 Tags Manager

The **Tags Manager** sub-tab within the Profiles section allows you to:

* 👀 View all tags in use across all profiles
* 📝 See which profiles belong to each tag
* 🔧 Manage tag assignments
* 🔍 Filter the profile tables by selecting a tag from the dropdown

## ✏️ Creating Custom Tags

When creating or editing a profile, simply add your custom tag strings to the `Tags` array:

```json
{
  "Tags": ["All", "Custom_Bug_Bounty", "Target_Specific"]
}
```

Or use the **Set New Tag** right-click menu on existing profiles — this is the fastest way. ⚡

**Best practices:**

* ✅ Always include the `All` tag unless you want to exclude the profile from broad scans
* 📝 Use descriptive tag names that indicate the vulnerability class or target technology
* 🔤 Use consistent naming across profiles (e.g., always use `XSS` not `xss` or `Cross-Site-Scripting`)
* 🎯 Create target-specific tags (e.g., `Client_A`) for profiles tailored to specific engagements
* 👁️ Use tags on passive profiles to enable focused passive scanning via the context menu
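
The best practices above, and the tag-based `Execute` block from "Using Tags in Rules", can be checked offline before a rule ever fires. The Python sketch below is an added example, not part of the extension: it audits constructed sample profiles for inconsistent tag spelling, a missing `All` tag and duplicates, and dry-runs which profiles a given tag would select. It assumes `.bb` files are JSON carrying the `Tags` array shown on this page and that tag matching is exact and case-sensitive; the file names and function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample data: file name -> .bb content. Only the `Tags` array
# documented on this page is used; real profiles carry more fields.
SAMPLE_PROFILES = {
    "reflected_xss.bb": '{"Tags": ["All", "XSS", "Reflected"]}',
    "dom_xss.bb": '{"Tags": ["All", "xss"]}',
    "stored_xss.bb": '[{"Tags": ["XSS", "XSS"]}]',
    "wp_users.bb": '{"Tags": ["All", "Wordpress"]}',
    "client_a_idor.bb": '{"Tags": ["Client_A"]}',
}

def load_tags(raw):
    """Return one profile's tags; accepts an object or (assumption) an array wrapping it."""
    doc = json.loads(raw)
    if isinstance(doc, list):
        doc = doc[0] if doc else {}
    return [t for t in doc.get("Tags", []) if isinstance(t, str)]

def audit(profiles):
    """Flag case variants of a tag, profiles without `All`, and duplicated tags."""
    spellings = defaultdict(set)  # case-folded tag -> spellings seen
    missing_all, duplicated = [], []
    for name, raw in sorted(profiles.items()):
        tags = load_tags(raw)
        for tag in tags:
            spellings[tag.casefold()].add(tag)
        if "All" not in tags:
            missing_all.append(name)
        if len(tags) != len(set(tags)):
            duplicated.append(name)
    variants = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return {"case_variants": variants, "missing_all": missing_all,
            "duplicated": duplicated}

def resolve(profiles, execute):
    """Dry-run a rule's Execute block: which profiles does the tag select?"""
    if execute.get("type") != "tag":
        raise ValueError("only tag-based Execute blocks are handled here")
    # Assumption: exact, case-sensitive match, so "xss" is not "XSS".
    return sorted(n for n, raw in profiles.items()
                  if execute["value"] in load_tags(raw))

if __name__ == "__main__":
    print(audit(SAMPLE_PROFILES))
    print(resolve(SAMPLE_PROFILES, {"type": "tag", "value": "XSS"}))
```

In the sample, `dom_xss.bb` is silently left out of an `XSS` rule because of its lowercase tag, which is the failure the consistent-naming practice prevents.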

## 📚 Example: Tag-Based Scanning Workflow

1. 🏷️ **Tag profiles by category:**
   * XSS profiles → `XSS` tag
   * SQLi profiles → `SQLi` tag
   * WordPress profiles → `Wordpress` tag
   * Security header checks → `Security_Headers` tag
   * Secret detection → `Secrets` tag
2. 👁️ **Launch focused passive scans:**
   * Right-click a request → **Passive Scan** > **Passive Response** > **Security\_Headers**
   * Right-click a request → **Passive Scan** > **Passive Request** > **Parameters**
3. 📋 **Create rules that use tags:**
   * When Passive Request detects SQL-like parameters → Execute tag `SQLi`
   * When Passive Response detects WordPress → Execute tag `Wordpress`
4. 🎯 **Control scope:**
   * For broad scanning: Use tag `All`
   * For focused scanning: Use specific tags like `XSS` or `CVEs`
   * For passive-only audits: Use the tag submenu to run only relevant checks

