# Active Scan Active scanning is the core capability of Burp Bounty Pro. It sends custom payloads to the target application and analyzes responses to detect vulnerabilities. ## βš™οΈ How It Works 1. πŸ“ **Profile Selection** β€” Burp Bounty Pro loads all enabled active profiles 2. πŸ“ **Insertion Point Discovery** β€” For each request, Burp Suite identifies insertion points (parameters, headers, path components, etc.) 3. πŸ’‰ **Payload Injection** β€” Each profile's payloads are injected into the matching insertion points 4. πŸ” **Response Analysis** β€” The response is analyzed using the profile's match conditions (grep patterns, status codes, timing, content length, etc.) 5. πŸ› **Issue Reporting** β€” If match conditions are satisfied, an issue is created with the configured severity and details ## πŸš€ Launching an Active Scan ### From Context Menu *(Recommended)* ⭐ 1. Select one or more requests from **Proxy History**, **Target Site Map**, **Repeater**, or any other Burp tool 2. Right-click and select **Active Scan** (under the Burp Bounty Pro submenu) 3. The **URL Filter popup** appears with scan configuration options ### πŸ”— URL Filter Popup Before each scan, the URL Filter popup lets you configure: | Section | Description | | ------------------------ | ------------------------------------------------------------------ | | πŸ”— **URL Table** | Review and select which URLs to include in the scan | | πŸ”„ **Match and Replace** | Define request modifications (header additions, parameter changes) | | ⚑ **Scanner Settings** | Configure per-scan performance settings | ### ⚑ Scanner Settings (Per-Scan) Each scan has its own independent performance configuration: | Setting | Description | Default | | -------------------------- | -------------------------------------------- | ------- | | 🧡 **Threads** | Number of threads in this scan's thread pool | 10 | | πŸ”€ **Concurrency** | Maximum concurrent connections | 10 | | πŸ“ˆ **Requests per second** | Rate limit for this scan | 10 | These settings apply **only to this scan** β€” you can run multiple scans simultaneously, each with different performance settings tailored to the target. > πŸ’‘ **Tip:** For fast, resilient targets, increase to 20-30 threads. For rate-limited targets, decrease to 2-3 threads and 1-2 RPS. See [Scan Control](https://docs.bountysecurity.ai/scanning/scan-control) for recommended configurations for different scenarios. ### From Burp Suite Native Scanner 1. Go to **Target** > **Site Map** 2. Right-click on a host, folder, or specific URL 3. Select **Scan** (Burp Suite Professional) 4. Burp Bounty Pro active profiles will run alongside Burp's built-in scanner > πŸ“ **Note:** When using Burp's native scanner, the per-scan settings popup does not appear. Default values (10/10/10) are used. ## πŸ“ What Gets Tested For each request, Burp Bounty Pro tests all enabled active profiles against all matching insertion points. The insertion points tested depend on the profile's `InsertionPointType` configuration. Common insertion point categories: | Category | Description | | ------------------ | ---------------------------------------------- | | πŸ”— URL Parameters | Parameter names and values in the query string | | πŸ“ Body Parameters | Parameter names and values in POST body | | πŸͺ Cookies | Cookie values | | πŸ“‹ HTTP Headers | Standard and custom header values | | πŸ“‚ URL Path | Path folders, filename, full path | | πŸ“¦ JSON | JSON keys and values | | πŸ“„ XML | XML element values and attribute values | | πŸ“Ž Multipart | Multipart form parameter values | See [Insertion Points](https://docs.bountysecurity.ai/profiles/insertion-points) for the complete list. ## πŸ”„ Scan Flow ``` Request β†’ URL Filter Popup β”‚ β”œβ”€ URL selection β”‚ β”œβ”€ Match and Replace β”‚ └─ Scanner Settings (Threads, Concurrency, RPS) β”‚ β–Ό Enabled Active Profiles β†’ For each profile: β”‚ β”œβ”€ Filter insertion points by InsertionPointType β”‚ β”œβ”€ For each insertion point: β”‚ β”‚ β”‚ β”œβ”€ For each payload: β”‚ β”‚ β”‚ β”‚ β”‚ β”œβ”€ Apply encoding (if configured) β”‚ β”‚ β”œβ”€ Replace variables ({REDIRECT_DOMAIN}, {BC}, etc.) β”‚ β”‚ β”œβ”€ Inject payload into insertion point β”‚ β”‚ β”œβ”€ Send request (with redirects if configured) β”‚ β”‚ β”œβ”€ Apply match conditions β”‚ β”‚ β”‚ β”‚ β”‚ └─ If match β†’ πŸ› Report issue, stop remaining payloads* β”‚ β”‚ β”‚ └─ Next insertion point β”‚ └─ Next profile ``` > \* 🎯 **Stop-on-first-match**: When a payload matches for a given profile and insertion point, remaining payloads for that same combination are skipped. This prevents duplicate issues and improves scan efficiency. ## ⏸️ Pause, Resume & Stop During an active scan: * ⏸️ **Pause All** β€” Pauses all threads instantly. No requests are lost β€” threads block at a safe synchronization point. * ▢️ **Resume All** β€” All paused threads wake up and continue from where they stopped. * ⏹️ **Stop** β€” Stops the scan entirely and clears the queue. ⏱️ Paused time is tracked and excluded from the total scan duration. See [Scan Control](https://docs.bountysecurity.ai/scanning/scan-control) for details on the PausableThreadPoolExecutor. ## πŸ” Match Types Each profile defines how to determine if a vulnerability was found: | Match Type | Description | | ---------------------------- | -------------------------------------------- | | πŸ”€ Simple String / Regex | Search for patterns in the response | | πŸͺž Payload Reflection | Check if the payload appears in the response | | πŸ“Š Variations / Invariations | Compare response attributes across requests | | πŸ“ Content Length | Detect differences in response size | | πŸ”’ HTTP Response Code | Match specific status codes | | ⏱️ Timeout | Detect timing-based vulnerabilities | | 🌐 Collaborator | Out-of-band detection via Burp Collaborator | See [Match Types](https://docs.bountysecurity.ai/profiles/match-types) for detailed documentation. ## πŸ”€ Redirection Handling Active scans can follow HTTP redirects. Configure per profile: * 🚫 **Never follow** β€” Only analyze the initial response * 🏠 **On-site only** β€” Follow redirects to the same host * 🎯 **In-scope only** β€” Follow redirects within Burp's target scope * 🌐 **Always** β€” Follow all redirects * πŸ”„ **Follow redirects** β€” Follow with maximum redirect limit See [Redirections](https://docs.bountysecurity.ai/profiles/redirections) for details. ## πŸ”Ž Scan Scope Active profiles support a **Scan Scope** setting that controls how often the profile runs: | scanScope | Mode | Behavior | | --------- | --------------------- | --------------------------------------------- | | 0 | **Per-URL** (default) | Profile runs on every URL scanned | | 1 | **Per-Host** | Profile runs once per `host:port` combination | **Per-Host** scope is ideal for: * πŸ“‚ **Path discovery profiles** β€” Directory fuzzing only needs to run once per host * πŸ” **Fixed-path CVE profiles** β€” CVE probes targeting specific paths (e.g., `/wp-admin/`, `/actuator/`) * πŸ“‘ **Raw request profiles** β€” Profiles that send requests to fixed URLs regardless of the scanned page When a per-host profile has been executed on a given host:port, it's skipped for subsequent URLs on the same host. This significantly reduces scan time and duplicate findings. > πŸ’‘ **Tip:** Of the 256 default profiles, 63 use per-host scope (path discovery, CVE-specific, raw requests). The remaining 193 use per-URL scope. ## ⚑ Performance Considerations * 🧡 **Per-Scan Thread Pool** β€” Configure the number of concurrent threads, concurrency, and RPS in the scan popup * πŸ“ **Profile Selection** β€” Disable profiles you don't need to reduce scan time * 🏷️ **Tags** β€” Use tags and rules to target specific profile groups instead of running all profiles * 🎯 **Stop-on-first-match** β€” The scanner automatically stops testing remaining payloads after a match, reducing redundant requests * πŸ”Ž **Scan Scope** β€” Per-host profiles automatically deduplicate, reducing redundant requests across URLs on the same host * ⏸️ **Pause & Resume** β€” If you notice the target is struggling, pause the scan and adjust your approach