# Default Rules Burp Bounty Pro ships with **27 pre-configured Smart Scan rules**. These rules automate vulnerability scanning by connecting passive detection with targeted active profiles. ## πŸ“Š Summary | Category | Count | | ---------------------------- | ------ | | βœ… Enabled rules | 23 | | ❌ Disabled rules (bulk scan) | 4 | | **Total** | **27** | ## πŸ–₯️ Technology Detection Rules These rules detect specific technologies and automatically run their associated CVE and vulnerability profiles. ### 🌐 Artica\_Web\_Proxy\_Auth\_bypass | | | | ------------- | ---------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Artica_Web_Request` AND Passive Response `Artica_Web` | | 🎯 **THEN** | Execute: `CVE-2020-17506_Artica_Web_Proxy_Auth_Bypass` | | πŸ“ **Scope** | All Matches | ### πŸ›‘οΈ Cisco\_Rule | | | | ------------- | ------------------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Cisco_ASA_Device_Found` OR Passive Request `Cisco_Request_Detected` | | 🎯 **THEN** | Execute: `CVE-2020-3452_Cisco_ASA_LFI`, `CVE-2019-1653_Cisco_Wan_VPN_disclosure` | | πŸ“ **Scope** | All Matches | ### πŸ–₯️ Citrix\_Rule | | | | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Citrix_Detection` | | 🎯 **THEN** | Execute: `CVE-2019-19781_Citrix_ADC_Directory_Traversal`, `CVE-2020-8209_Citrix_XenMobile_PathTraversal`, `CVE-2020-8982_Citrix_ShareFile_File_Read` | | πŸ“ **Scope** | All Matches | ### πŸ—„οΈ CouchDB\_Admin\_Exposure | | | | ------------- | ------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `CouchDB_Request` AND Passive Response `CouchDB_Response` | | 🎯 **THEN** | Execute: `CouchDB_Admin_Exposure` | | πŸ“ **Scope** | All Matches | ### πŸ’§ Drupal\_Rule | | | | ------------- | -------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Drupal_Response` | | 🎯 **THEN** | Execute: `Drupal_User_Enum`, `Drupal_User_Enum_Redirect` | | πŸ“ **Scope** | All Matches | ### πŸ”₯ Firebase Database Rule | | | | ------------- | -------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Firebase DB detected` | | 🎯 **THEN** | Execute: `Open Firebase Database` | | πŸ“ **Scope** | First Match | ### πŸ›‘οΈ Fortinet\_Fortigate | | | | ------------- | ------------------------------------------------------------------------ | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Fortinet_Request` AND Passive Response `Fortinet_Panel` | | 🎯 **THEN** | Execute: `CVE-2018-13379_FortiOS_Creds_Disclosure` | | πŸ“ **Scope** | All Matches | ### πŸ“‹ Jira\_Rule | | | | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Jira_Request` | | 🎯 **THEN** | Execute: `CVE-2020-14179_Jira_Info_Exposure`, `CVE-2020-14181_Jira_User_Enum`, `CVE-2017-9506_Jira_SSRF`, `CVE-2019-8442_Jira_Path_Traversal`, `CVE-2019-8449_Jira_Unauthenticated_Sensitive_Info`, `Jira_unauthenticated_Info` | | πŸ“ **Scope** | All Matches | ### ☸️ Kubernetes\_Rule | | | | ------------- | -------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Kubernetes_Response` | | 🎯 **THEN** | Execute: `Kubernetes_API_Exposed` | | πŸ“ **Scope** | All Matches | ### πŸ›’ MAGMI\_Remote\_Auth | | | | ------------- | -------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `MAGMI_Request` OR Passive Response `MAGMI_Response` | | 🎯 **THEN** | Execute: `CVE-2020-5777_MAMGI_Auth_Bypass` | | πŸ“ **Scope** | All Matches | ### 🌐 Netsweeper\_CodeInjection | | | | ------------- | ------------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Netsweeper_Request` AND Passive Response `Netsweeper_Response` | | 🎯 **THEN** | Execute: `CVE-2020-13167_Netsweeper_code_injection` | | πŸ“ **Scope** | All Matches | ### β˜€οΈ Solarwinds | | | | ------------- | ------------------------------------------------------------------------------------------ | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Solarwinds_Orion_Request` OR Passive Response `Solarwinds_Orion_Response` | | 🎯 **THEN** | Execute: `solarwinds_default_admin` | | πŸ“ **Scope** | All Matches | ### πŸƒ SpringBoot\_Rule | | | | ------------- | ------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Springboot_Requests` | | 🎯 **THEN** | Execute: `Spring_Boot_Actuators` | | πŸ“ **Scope** | All Matches | ### 🎡 Symfony\_Rule | | | | ------------- | ----------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Symfony_Response` | | 🎯 **THEN** | Execute: `Symfony_Debug` | | πŸ“ **Scope** | All Matches | ### πŸ”€ Traefik\_Rule | | | | ------------- | ----------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Traefik_Response` | | 🎯 **THEN** | Execute: `CVE-2020-15129_Traefik_Open_Redirect` | | πŸ“ **Scope** | All Matches | ### πŸ–₯️ Weblogic\_Rule | | | | ------------- | ---------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `Weblogic_Request` | | 🎯 **THEN** | Execute: `CVE-2020-2551_Oracle_WebLogic` | | πŸ“ **Scope** | All Matches | ### πŸ”΅ Wordpress\_Rule | | | | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Response `Wordpress detection` | | 🎯 **THEN** | Execute: `Wordpress_user_enum_oembed`, `wordpress_users_enum_yoastseo`, `Wordpress_user_enum_json`, `Wordpress_directory_listing`, `Woody_Wordpress_RCE`, `CVE-2020-24312_File_Manager_Wordpress_Backups`, `Wordpress_Path_Traversal`, `Wordpress_Config_Accessible`, `easy_wp_smtp_listing_enabled`, `CVE-2020-11738_Wordpress_Duplicator_Plugin_LFI` | | πŸ“ **Scope** | First Match | *** ## πŸ’‰ Vulnerability Parameter Detection Rules These rules detect interesting parameters in requests and trigger targeted vulnerability testing. ### πŸ—„οΈ SQLi\_Rule | | | | ------------- | ----------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `SQLi_Parameters` | | 🎯 **THEN** | Execute: `SQLi`, `SQLi_Timebased_Encoded_Space` | | πŸ“ **Scope** | All Matches | ### πŸ’‰ XSS\_rule | | | | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `XSS_Parameters` | | 🎯 **THEN** | Execute: `XSS`, `XSS_URLEncode`, `XSS_HtmlUrlEncode`, `XSS_GETPOST`, `XSS_HTML_Tag_Context`, `XSS_HTML_Attribute_Context`, `XSS_JavaScript_Context` | | πŸ“ **Scope** | All Matches | ### ⚑ RCE\_Rule | | | | ------------- | ---------------------------------------------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `RCE_Parameters` | | 🎯 **THEN** | Execute: `RCE_Linux`, `Blind_RCE_Linux`, `Blind_RCE_Windows`, `Echo_RCE`, `Expect_RCE`, `PHP_RCE`, `RCE_Windows` | | πŸ“ **Scope** | All Matches | ### πŸ“‚ LFI\_Rule | | | | ------------- | ----------------------------------------------------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `LFI_RFI_Parameters` OR Passive Request `URL_Path_as_a_Value` | | 🎯 **THEN** | Execute: `PathTraversal_Linux`, `PathTraversal_Windows` | | πŸ“ **Scope** | All Matches | ### πŸ”§ SSTI\_Rule | | | | ------------- | --------------------------------- | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `SSTI_Parameters` | | 🎯 **THEN** | Execute: `SSTI` | | πŸ“ **Scope** | All Matches | ### πŸ”„ OpenRedirect\_SSRF\_Rule | | | | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | βœ… **Enabled** | Yes | | πŸ” **IF** | Passive Request `OpenRedirect_SSRF_Parameters` OR Passive Request `URL_as_a_Value` OR Passive Request `URL_Path_as_a_Value` | | 🎯 **THEN** | Execute: `OpenRedirect`, `OpenRedirect_SSRF_Collaborator`, `Openredirect_to_XSS`, `OpenRedirect_to_Account_Takeover`, `SSRF-Collaborator`, `SSRF-URLScheme`, `SSRF_Collaborator_HTTP1_0`, `SSRF_Collaborator_HTTP0_9`, `OpenRedirect-ParameterPollution`, `OpenRedirect-ParameterPollution_Path` | | πŸ“ **Scope** | All Matches | *** ## ⚠️ Bulk Scanning Rules (Disabled by Default) > ⚠️ **Warning:** These rules match all requests and can generate significant traffic. Only enable when needed. ### πŸ”„ Scan all requests with Open redirect profiles | | | | ------------- | --------------------------------------------- | | ❌ **Enabled** | No | | πŸ” **IF** | Passive Request `All_Requests_And_Parameters` | | 🎯 **THEN** | Execute tag: `Open Redirect` | | πŸ“ **Scope** | All Matches | ### 🌐 Scan all requests with SSRF | | | | ------------- | --------------------------------------------- | | ❌ **Enabled** | No | | πŸ” **IF** | Passive Request `All_Requests_And_Parameters` | | 🎯 **THEN** | Execute tag: `SSRF` | | πŸ“ **Scope** | All Matches | ### 🌐 Scan all requests with all Profiles | | | | ------------- | --------------------------------------------- | | ❌ **Enabled** | No | | πŸ” **IF** | Passive Request `All_Requests_And_Parameters` | | 🎯 **THEN** | Execute tag: `All` | | πŸ“ **Scope** | All Matches | ### πŸ› Scan all requests with log4shell profiles | | | | ------------- | ------------------------------------------------------------------------------------------------------------- | | ❌ **Enabled** | No | | πŸ” **IF** | Passive Request `All_Requests_And_Parameters` | | 🎯 **THEN** | Execute: `CVE-2021-44228_RCE_Log4j`, `CVE-2021-44228_RCE_Log4j_GETPOST`, `CVE-2021-44228_RCE_Log4j_urlEncode` | | πŸ“ **Scope** | All Matches | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.bountysecurity.ai/reference/default-rules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.