# Tags

Tags are labels used to categorize and organize profiles. They enable powerful filtering, tag-based passive scan launching, and are the key mechanism for targeting groups of profiles in Smart Scan rules.

## ⚙️ How Tags Work

Every profile has a `Tags` array containing one or more tag strings:

```json
{
  "Tags": ["All", "XSS", "Reflected"]
}
```

Tags are used for:

1. 🔍 **Filtering profiles** in the Profiles tab — View profiles by category using the tag dropdown
2. 👁️ **Launching passive scans by tag** — Right-click context menu lets you run only passive profiles with a specific tag
3. 🧠 **Targeting profiles in Rules** — Execute all profiles with a specific tag when rule conditions are met
4. 📂 **Organizing profiles** — Group related profiles logically across all three profile types

## 📊 Tags in All Profile Tables

Tags are displayed in **all three profile tables** — Active, Passive Request, and Passive Response:

|    | Table                | Columns                                           |
| -- | -------------------- | ------------------------------------------------- |
| 🎯 | **Active Profiles**  | Enabled, Profile Name, **Tags**, Author's Twitter |
| 📨 | **Passive Request**  | Enabled, Profile Name, **Tags**, Author's Twitter |
| 📩 | **Passive Response** | Enabled, Profile Name, **Tags**, Author's Twitter |

## 🏷️ Assigning Tags with "Set New Tag"

You can quickly assign tags to profiles directly from the profile tables using the right-click context menu:

### Steps

1. Select one or more profiles in any profile table (Active, Passive Request, or Passive Response)
2. Right-click to open the context menu
3. Click **Set New Tag**
4. In the dialog, enter the tag name
5. Click OK — the tag is added to all selected profiles ✅

> 💡 **Tip:** Select multiple profiles with **Ctrl+Click** or **Shift+Click**, then use **Set New Tag** to tag them all at once. This is the fastest way to organize a large number of profiles.

### What Happens

* ✅ The tag is added to each selected profile's `Tags` array in its `.bb` file
* 🔁 If the tag already exists in a profile, it's not duplicated
* 📝 The tag is added to the global tags list (`tags.txt`)
* 🔄 The Tags column and tag dropdown are updated immediately
* 👁️ The tag becomes available in the passive scan context menu

## 🌐 The "All" Tag

The special `All` tag is included in most profiles by convention. It allows rules to target all profiles at once:

```json
{
  "Tags": ["All"]
}
```

> ⚠️ **Warning:** Rules that execute the `All` tag will trigger **every** active profile that carries it, which can be very resource-intensive. Use with caution.

## 📦 Default Tags

The bundled profiles use these tags for categorization:

| Tag                | Description                         | Count |
| ------------------ | ----------------------------------- | ----- |
| `All`              | All profiles                        | \~254 |
| `XSS`              | Cross-Site Scripting                | \~15  |
| `SQLi`             | SQL Injection                       | \~8   |
| `SSRF`             | Server-Side Request Forgery         | \~6   |
| `RCE`              | Remote Code Execution               | \~10  |
| `Open Redirect`    | Open Redirect                       | \~5   |
| `CORS`             | CORS Misconfiguration               | \~1   |
| `SSTI`             | Server-Side Template Injection      | \~1   |
| `XXE`              | XML External Entity                 | \~3   |
| `CVEs`             | Known CVE exploits                  | \~50  |
| `Path Traversal`   | Path/Directory Traversal            | \~2   |
| `Wordpress`        | WordPress-specific                  | \~12  |
| `Drupal`           | Drupal-specific                     | \~2   |
| `Spring`           | Spring Framework-specific           | \~2   |
| `GraphQL`          | GraphQL-specific                    | \~6   |
| `Fuzzing Files`    | File/directory fuzzing              | \~4   |
| `Forgot Password`  | Password reset testing              | \~3   |
| `Cloud`            | Cloud infrastructure                | \~1   |
| `API`              | API endpoints                       | \~1   |
| `JWT`              | JSON Web Tokens                     | \~1   |
| `Mobile`           | Mobile application testing          | \~1   |
| `Blind XSS`        | Blind XSS payloads                  | \~1   |
| `CRLF`             | CRLF Injection                      | \~1   |
| `Errors`           | Error page detection                | \~1   |
| `DRWuzz`           | DWR fuzzing                         | \~1   |
| `Introspection`    | GraphQL introspection               | \~1   |
| `React/Next.js`    | React/Next.js vulnerabilities       | \~3   |
| `n8n`              | n8n platform vulnerabilities        | \~1   |
| `Security_Headers` | Missing security headers (passive)  | \~6   |
| `Secrets`          | Exposed secrets and keys (passive)  | \~10  |
| `Parameters`       | Interesting parameters (passive)    | \~5   |
| `Cookie_Security`  | Cookie security flags (passive)     | \~3   |
| `Technology`       | Technology fingerprinting (passive) | \~8   |

## 👁️ Tags in the Passive Scan Context Menu

Tags are the foundation of the **tag-based passive scan** feature. When you right-click to launch a passive scan, the context menu organizes passive profiles by tag:

```
👁️ Passive Scan
├── 🌐 All (125)
├── 📨 Passive Request
│   ├── All (48)
│   ├── API (5)
│   ├── Parameters (12)
│   ├── Technology (8)
│   └── ...
└── 📩 Passive Response
    ├── All (77)
    ├── Cookie_Security (3)
    ├── Secrets (10)
    ├── Security_Headers (15)
    └── ...
```

Each entry shows the **count** of profiles with that tag. This lets you run precisely the passive checks you need.

See [Passive Scan](https://docs.bountysecurity.ai/scanning/passive-scan) for details on launching tag-based passive scans.

## 📋 Using Tags in Rules

Rules can target profiles by tag instead of listing individual profiles:

```json
{
  "Execute": {
    "type": "tag",
    "value": "XSS"
  }
}
```

This executes all active profiles tagged with "XSS" when the rule's conditions are met.

See [Creating Rules](https://docs.bountysecurity.ai/rules/creating-rules) for details.

## 📊 Tags Manager

The **Tags Manager** sub-tab within the Profiles section allows you to:

* 👀 View all tags in use across all profiles
* 📝 See which profiles belong to each tag
* 🔧 Manage tag assignments
* 🔍 Filter the profile tables by selecting a tag from the dropdown

## ✏️ Creating Custom Tags

When creating or editing a profile, simply add your custom tag strings to the `Tags` array:

```json
{
  "Tags": ["All", "Custom_Bug_Bounty", "Target_Specific"]
}
```

Or use the **Set New Tag** right-click menu on existing profiles — this is the fastest way. ⚡

**Best practices:**

* ✅ Always include the `All` tag unless you want to exclude the profile from broad scans
* 📝 Use descriptive tag names that indicate the vulnerability class or target technology
* 🔤 Use consistent naming across profiles (e.g., always use `XSS` not `xss` or `Cross-Site-Scripting`)
* 🎯 Create target-specific tags (e.g., `Client_A`) for profiles tailored to specific engagements
* 👁️ Use tags on passive profiles to enable focused passive scanning via the context menu
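
The naming and `All` practices above, and the tag-targeted rules described earlier, can be checked before a rule is enabled. This is an added example, not code from the product or its documentation: it audits a set of profiles for spelling variants of a tag and for profiles without `All`, then lists the profiles a tag rule would select. It assumes each `.bb` file is JSON with a `Tags` array as shown on this page and that rule tag matching is exact and case-sensitive; the file names and contents are constructed, and it does not separate active from passive profiles.

```python
import json
from collections import defaultdict

# Constructed sample profiles (file name -> .bb contents); not bundled profiles.
SAMPLE_PROFILES = {
    "xss_reflected.bb": '{"Tags": ["All", "XSS", "Reflected"]}',
    "xss_dom.bb": '{"Tags": ["All", "xss"]}',
    "sqli_error.bb": '{"Tags": ["All", "SQLi"]}',
    "client_a_idor.bb": '{"Tags": ["Client_A"]}',
}

def load_tags(raw_profiles):
    """Parse each profile and return {file name: list of tag strings}."""
    tags = {}
    for name, text in raw_profiles.items():
        data = json.loads(text)
        # Assumption: a profile is a JSON object; tolerate a one-element list wrapper.
        if isinstance(data, list):
            data = data[0] if data else {}
        tags[name] = [t for t in data.get("Tags", []) if isinstance(t, str)]
    return tags

def audit(tags_by_profile):
    """Report tag counts, spelling variants of one tag, and profiles without `All`."""
    counts = defaultdict(int)
    variants = defaultdict(set)
    for tags in tags_by_profile.values():
        for tag in set(tags):
            counts[tag] += 1
            variants[tag.lower()].add(tag)
    return {
        "counts": dict(counts),
        "inconsistent": sorted(sorted(v) for v in variants.values() if len(v) > 1),
        "missing_all": sorted(n for n, t in tags_by_profile.items() if "All" not in t),
    }

def profiles_for_rule(rule, tags_by_profile):
    """Profiles a tag rule would select, assuming exact (case-sensitive) tag match."""
    execute = rule.get("Execute", {})
    if execute.get("type") != "tag":
        return []
    return sorted(n for n, t in tags_by_profile.items() if execute.get("value") in t)

if __name__ == "__main__":
    tags = load_tags(SAMPLE_PROFILES)
    print(audit(tags))
    print(profiles_for_rule({"Execute": {"type": "tag", "value": "XSS"}}, tags))
```

In the sample set the `XSS` rule selects only one of the two XSS profiles because the other is tagged `xss`, which is the gap the consistent-naming practice prevents.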

## 📚 Example: Tag-Based Scanning Workflow

1. 🏷️ **Tag profiles by category:**
   * XSS profiles → `XSS` tag
   * SQLi profiles → `SQLi` tag
   * WordPress profiles → `Wordpress` tag
   * Security header checks → `Security_Headers` tag
   * Secret detection → `Secrets` tag
2. 👁️ **Launch focused passive scans:**
   * Right-click a request → **Passive Scan** > **Passive Response** > **Security\_Headers**
   * Right-click a request → **Passive Scan** > **Passive Request** > **Parameters**
3. 📋 **Create rules that use tags:**
   * When Passive Request detects SQL-like parameters → Execute tag `SQLi`
   * When Passive Response detects WordPress → Execute tag `Wordpress`
4. 🎯 **Control scope:**
   * For broad scanning: Use tag `All`
   * For focused scanning: Use specific tags like `XSS` or `CVEs`
   * For passive-only audits: Use the tag submenu to run only relevant checks
