# Active Scan

Active scanning is the core capability of Burp Bounty Pro. It sends custom payloads to the target application and analyzes responses to detect vulnerabilities.

## ⚙️ How It Works

1. 📝 **Profile Selection** — Burp Bounty Pro loads all enabled active profiles
2. 📍 **Insertion Point Discovery** — For each request, Burp Suite identifies insertion points (parameters, headers, path components, etc.)
3. 💉 **Payload Injection** — Each profile's payloads are injected into the matching insertion points
4. 🔍 **Response Analysis** — The response is analyzed using the profile's match conditions (grep patterns, status codes, timing, content length, etc.)
5. 🐛 **Issue Reporting** — If match conditions are satisfied, an issue is created with the configured severity and details

## 🚀 Launching an Active Scan

### From Context Menu *(Recommended)* ⭐

1. Select one or more requests from **Proxy History**, **Target Site Map**, **Repeater**, or any other Burp tool
2. Right-click and select **Active Scan** (under the Burp Bounty Pro submenu)
3. The **URL Filter popup** appears with scan configuration options

### 🔗 URL Filter Popup

Before each scan, the URL Filter popup lets you configure:

| Section                  | Description                                                        |
| ------------------------ | ------------------------------------------------------------------ |
| 🔗 **URL Table**         | Review and select which URLs to include in the scan                |
| 🔄 **Match and Replace** | Define request modifications (header additions, parameter changes) |
| ⚡ **Scanner Settings**   | Configure per-scan performance settings                            |

### ⚡ Scanner Settings (Per-Scan)

Each scan has its own independent performance configuration:

| Setting                    | Description                                  | Default |
| -------------------------- | -------------------------------------------- | ------- |
| 🧵 **Threads**             | Number of threads in this scan's thread pool | 10      |
| 🔀 **Concurrency**         | Maximum concurrent connections               | 10      |
| 📈 **Requests per second** | Rate limit for this scan                     | 10      |

These settings apply **only to this scan** — you can run multiple scans simultaneously, each with different performance settings tailored to the target.

> 💡 **Tip:** For fast, resilient targets, increase to 20-30 threads. For rate-limited targets, decrease to 2-3 threads and 1-2 RPS.

See [Scan Control](/scanning/scan-control.md) for recommended configurations for different scenarios.

### From Burp Suite Native Scanner

1. Go to **Target** > **Site Map**
2. Right-click on a host, folder, or specific URL
3. Select **Scan** (Burp Suite Professional)
4. Burp Bounty Pro active profiles will run alongside Burp's built-in scanner

> 📝 **Note:** When using Burp's native scanner, the per-scan settings popup does not appear. Default values (10/10/10) are used.

## 📍 What Gets Tested

For each request, Burp Bounty Pro tests all enabled active profiles against all matching insertion points. The insertion points tested depend on the profile's `InsertionPointType` configuration.

Common insertion point categories:

| Category           | Description                                    |
| ------------------ | ---------------------------------------------- |
| 🔗 URL Parameters  | Parameter names and values in the query string |
| 📝 Body Parameters | Parameter names and values in POST body        |
| 🍪 Cookies         | Cookie values                                  |
| 📋 HTTP Headers    | Standard and custom header values              |
| 📂 URL Path        | Path folders, filename, full path              |
| 📦 JSON            | JSON keys and values                           |
| 📄 XML             | XML element values and attribute values        |
| 📎 Multipart       | Multipart form parameter values                |

See [Insertion Points](/profiles/insertion-points.md) for the complete list.

## 🔄 Scan Flow

```
Request → URL Filter Popup
  │        ├─ URL selection
  │        ├─ Match and Replace
  │        └─ Scanner Settings (Threads, Concurrency, RPS)
  │
  ▼
Enabled Active Profiles → For each profile:
  │
  ├─ Filter insertion points by InsertionPointType
  │
  ├─ For each insertion point:
  │   │
  │   ├─ For each payload:
  │   │   │
  │   │   ├─ Apply encoding (if configured)
  │   │   ├─ Replace variables ({REDIRECT_DOMAIN}, {BC}, etc.)
  │   │   ├─ Inject payload into insertion point
  │   │   ├─ Send request (with redirects if configured)
  │   │   ├─ Apply match conditions
  │   │   │
  │   │   └─ If match → 🐛 Report issue, stop remaining payloads*
  │   │
  │   └─ Next insertion point
  │
  └─ Next profile
```

> \* 🎯 **Stop-on-first-match**: When a payload matches for a given profile and insertion point, remaining payloads for that same combination are skipped. This prevents duplicate issues and improves scan efficiency.

## ⏸️ Pause, Resume & Stop

During an active scan:

* ⏸️ **Pause All** — Pauses all threads instantly. No requests are lost — threads block at a safe synchronization point.
* ▶️ **Resume All** — All paused threads wake up and continue from where they stopped.
* ⏹️ **Stop** — Stops the scan entirely and clears the queue.

⏱️ Paused time is tracked and excluded from the total scan duration.

See [Scan Control](/scanning/scan-control.md) for details on the PausableThreadPoolExecutor.
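The per-scan settings (threads, concurrency, RPS) and the pause / resume / stop semantics described above can be modelled in a few dozen lines. The following is an added illustration, not Burp Bounty Pro's own `PausableThreadPoolExecutor`; the class names, the `demo()` run and the fake `send` callback are assumptions made for the example. It shows the three knobs acting independently (worker count, an in-flight cap, and a rate limiter shared by all workers), workers blocking at a safe point while paused, and paused time being subtracted from the scan duration.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class RateLimiter:
    """Spaces request starts at least 1/rps seconds apart across all threads."""

    def __init__(self, rps: float):
        self.interval = 1.0 / rps
        self.lock = threading.Lock()
        self.next_slot = time.monotonic()

    def acquire(self) -> None:
        with self.lock:
            now = time.monotonic()
            wait = self.next_slot - now
            self.next_slot = max(now, self.next_slot) + self.interval
        if wait > 0:
            time.sleep(wait)


class PausableScan:
    """One scan with its own threads/concurrency/RPS plus pause, resume and stop
    (illustrative model, not the real executor)."""

    def __init__(self, threads: int = 10, concurrency: int = 10, rps: float = 10.0):
        self.pool = ThreadPoolExecutor(max_workers=threads)
        self.slots = threading.Semaphore(concurrency)   # cap on in-flight requests
        self.limiter = RateLimiter(rps)
        self._running = threading.Event()               # set => workers may proceed
        self._running.set()
        self._stopped = threading.Event()
        self._lock = threading.Lock()
        self._paused_at = None
        self.paused_total = 0.0
        self.started = time.monotonic()
        self.results = []

    def _run(self, send, payload):
        self._running.wait()            # safe point: a paused worker blocks here
        if self._stopped.is_set():
            return None
        with self.slots:
            self.limiter.acquire()
            result = send(payload)
        with self._lock:
            self.results.append(result)
        return result

    def submit(self, send, payload):
        return self.pool.submit(self._run, send, payload)

    def pause_all(self) -> None:
        with self._lock:
            if self._paused_at is None:
                self._paused_at = time.monotonic()
        self._running.clear()

    def resume_all(self) -> None:
        with self._lock:
            if self._paused_at is not None:
                self.paused_total += time.monotonic() - self._paused_at
                self._paused_at = None
        self._running.set()

    def stop(self) -> None:
        self._stopped.set()
        self._running.set()             # wake blocked workers so they can exit
        self.pool.shutdown(wait=True, cancel_futures=True)

    def active_duration(self) -> float:
        """Wall-clock time since start minus time spent paused."""
        paused = self.paused_total
        if self._paused_at is not None:
            paused += time.monotonic() - self._paused_at
        return time.monotonic() - self.started - paused


def demo(n: int = 20, rps: float = 40.0) -> dict:
    """Constructed run: n fake requests, paused part-way through, then resumed."""
    scan = PausableScan(threads=4, concurrency=4, rps=rps)
    sent = []

    def fake_send(payload):             # stands in for the real HTTP request
        sent.append(time.monotonic())
        return f"200 OK <- {payload}"

    futures = [scan.submit(fake_send, f"payload-{i}") for i in range(n)]
    time.sleep(0.1)                     # a few requests go out
    scan.pause_all()
    time.sleep(0.3)                     # operator inspects the target
    scan.resume_all()
    for f in futures:
        f.result()
    wall = time.monotonic() - scan.started
    scan.pool.shutdown(wait=True)
    return {"completed": len(scan.results), "wall": wall,
            "active": scan.active_duration(), "paused": scan.paused_total,
            "span": max(sent) - min(sent)}
```

Running `demo()` sends all 20 fake requests at no more than 40 RPS, reports roughly 0.3 s of paused time, and returns an `active` duration about that much shorter than `wall`. Lowering `rps` and `concurrency` is how you would treat a rate-limited target; `stop()` wakes blocked workers so they exit instead of sending.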

## 🔍 Match Types

Each profile defines how to determine if a vulnerability was found:

| Match Type                   | Description                                  |
| ---------------------------- | -------------------------------------------- |
| 🔤 Simple String / Regex     | Search for patterns in the response          |
| 🪞 Payload Reflection        | Check if the payload appears in the response |
| 📊 Variations / Invariations | Compare response attributes across requests  |
| 📏 Content Length            | Detect differences in response size          |
| 🔢 HTTP Response Code        | Match specific status codes                  |
| ⏱️ Timeout                   | Detect timing-based vulnerabilities          |
| 🌐 Collaborator              | Out-of-band detection via Burp Collaborator  |

See [Match Types](/profiles/match-types.md) for detailed documentation.
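To make the match types above concrete, here is an added example that evaluates each kind of condition against constructed responses. It is not Burp Bounty Pro's matcher implementation; the `Response` class, the function names and the sample bodies are assumptions. The baseline response stands in for the unmodified request that variation, invariation and content-length checks compare against.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (assumed shape)."""
    status: int
    body: str
    elapsed_ms: float            # round-trip time of the request

    @property
    def length(self) -> int:
        return len(self.body.encode())


def match_string(resp, pattern, regex=False, ignore_case=False):
    """Simple String / Regex: look for a pattern in the response body."""
    if regex:
        return re.search(pattern, resp.body, re.I if ignore_case else 0) is not None
    hay, needle = (resp.body, pattern)
    if ignore_case:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def match_reflection(resp, payload):
    """Payload Reflection: the injected payload comes back verbatim."""
    return payload in resp.body


def match_status(resp, codes):
    """HTTP Response Code: status is one of the configured codes."""
    return resp.status in codes


def match_content_length(resp, baseline, min_delta):
    """Content Length: size differs from the baseline by at least min_delta bytes."""
    return abs(resp.length - baseline.length) >= min_delta


def match_timeout(resp, threshold_ms):
    """Timeout: the response took at least threshold_ms (time-based blind checks)."""
    return resp.elapsed_ms >= threshold_ms


def match_variation(resp, baseline, attributes, invariant=False):
    """Variations / Invariations: compare attributes across requests.
    Variation fires if any listed attribute changed; invariation if none did."""
    changed = {a for a in attributes if getattr(resp, a) != getattr(baseline, a)}
    return not changed if invariant else bool(changed)


# Constructed sample responses (not real traffic).
BASELINE = Response(200, "<html><body>Hello, user</body></html>", 120)
PAYLOAD = "<bbp\"'>"
REFLECTED = Response(200, f"<html><body>Hello, {PAYLOAD}</body></html>", 130)
DELAYED = Response(200, BASELINE.body, 5200)
ERRORED = Response(500, "You have an error in your SQL syntax; check the manual", 110)


def run_checks() -> dict:
    """Apply one condition of each type; keys name the scenario being checked."""
    return {
        "reflection": match_reflection(REFLECTED, PAYLOAD),
        "sql_error_regex": match_string(ERRORED, r"error in your SQL syntax", regex=True),
        "status_500": match_status(ERRORED, {500}),
        "timeout_5s": match_timeout(DELAYED, 5000),
        "timeout_baseline": match_timeout(BASELINE, 5000),
        "length_delta": match_content_length(ERRORED, BASELINE, 10),
        "status_varies": match_variation(ERRORED, BASELINE, ("status",)),
        "status_invariant": match_variation(DELAYED, BASELINE, ("status", "length"),
                                            invariant=True),
    }
```

Note the `timeout_baseline` check: a time-based condition must be compared against the normal latency of the target, otherwise a slow but unaffected endpoint produces false positives. The invariation check on `DELAYED` shows the complementary case, where a profile expects status and size to stay the same while only timing changes.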

## 🔀 Redirection Handling

Active scans can follow HTTP redirects. Configure per profile:

* 🚫 **Never follow** — Only analyze the initial response
* 🏠 **On-site only** — Follow redirects to the same host
* 🎯 **In-scope only** — Follow redirects within Burp's target scope
* 🌐 **Always** — Follow all redirects
* 🔄 **Follow redirects** — Follow redirects up to the configured maximum number of hops

See [Redirections](/profiles/redirections.md) for details.

## 🔎 Scan Scope

Active profiles support a **Scan Scope** setting that controls how often the profile runs:

| scanScope | Mode                  | Behavior                                      |
| --------- | --------------------- | --------------------------------------------- |
| 0         | **Per-URL** (default) | Profile runs on every URL scanned             |
| 1         | **Per-Host**          | Profile runs once per `host:port` combination |

**Per-Host** scope is ideal for:

* 📂 **Path discovery profiles** — Directory fuzzing only needs to run once per host
* 🔐 **Fixed-path CVE profiles** — CVE probes targeting specific paths (e.g., `/wp-admin/`, `/actuator/`)
* 📡 **Raw request profiles** — Profiles that send requests to fixed URLs regardless of the scanned page

When a per-host profile has been executed on a given host:port, it's skipped for subsequent URLs on the same host. This significantly reduces scan time and duplicate findings.

> 💡 **Tip:** Of the 256 default profiles, 63 use per-host scope (path discovery, CVE-specific, raw requests). The remaining 193 use per-URL scope.
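The scan flow above (profiles, insertion points, payloads, stop-on-first-match) and the per-host scope dedup in this section fit together in one loop. The following is an added model of that loop, not Burp Bounty Pro's code; the `Profile` and `InsertionPoint` shapes, the `fake_send` callback, the sample site with two hosts and the profile definitions are all assumptions. Both optimisations can be switched off so the request count with and without them can be compared.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class InsertionPoint:
    kind: str            # e.g. "url_param", "cookie", "path"
    name: str


@dataclass
class Profile:
    name: str
    insertion_types: set
    payloads: list
    match: object        # callable(body, payload) -> bool
    scan_scope: int = 0  # 0 = per-URL, 1 = per-host


class Scanner:
    """Illustrative scan loop; send(url, point, payload) returns a response body."""

    def __init__(self, send, stop_on_match=True, host_dedup=True):
        self.send = send
        self.stop_on_match = stop_on_match
        self.host_dedup = host_dedup
        self.hosts_done = defaultdict(set)   # profile name -> {"host:port", ...}
        self.requests_sent = 0
        self.issues = []

    def scan_url(self, url, points, profiles):
        host_port = urlsplit(url).netloc     # real code would normalise default ports
        for p in profiles:
            if p.scan_scope == 1 and self.host_dedup:
                if host_port in self.hosts_done[p.name]:
                    continue                 # already ran on this host:port
                self.hosts_done[p.name].add(host_port)
            for ip in points:
                if ip.kind not in p.insertion_types:
                    continue                 # InsertionPointType filter
                for payload in p.payloads:
                    self.requests_sent += 1
                    body = self.send(url, ip, payload)
                    if p.match(body, payload):
                        self.issues.append((p.name, url, ip.kind, ip.name, payload))
                        if self.stop_on_match:
                            break            # skip remaining payloads for this combo


# Constructed target: parameter "q" is reflected unescaped, /admin/ exists on every host.
def fake_send(url, ip, payload):
    if ip.kind == "path":
        return "admin panel" if payload == "/admin/" else "404 not found"
    if ip.name == "q":
        return f"<p>Results for {payload}</p>"
    return "<p>ok</p>"


PROFILES = [
    Profile("reflect-marker", {"url_param"}, ["<bbp>", "bbp'\"<>"],
            lambda body, payload: payload in body, scan_scope=0),
    Profile("path-discovery", {"path"}, ["/admin/", "/backup/", "/actuator/"],
            lambda body, _: "admin panel" in body, scan_scope=1),
]

SITE = [
    ("http://app.test/search?q=x", [InsertionPoint("url_param", "q"),
                                    InsertionPoint("path", "/search")]),
    ("http://app.test/items?id=1", [InsertionPoint("url_param", "id"),
                                    InsertionPoint("path", "/items")]),
    ("http://api.test:8443/v1?q=z", [InsertionPoint("url_param", "q"),
                                     InsertionPoint("path", "/v1")]),
]


def run_demo(stop_on_match=True, host_dedup=True) -> dict:
    s = Scanner(fake_send, stop_on_match, host_dedup)
    for url, points in SITE:
        s.scan_url(url, points, PROFILES)
    return {"requests": s.requests_sent, "issues": s.issues,
            "hosts_done": dict(s.hosts_done)}
```

With both optimisations on, the three URLs cost 6 requests and produce 4 issues: the reflection profile stops after its first matching payload on each `q` parameter, and the path-discovery profile runs once for `app.test` and once for `api.test:8443`. With both off, the same site costs 15 requests and reports duplicate reflection findings for the second payload.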

## ⚡ Performance Considerations

* 🧵 **Per-Scan Thread Pool** — Configure the number of concurrent threads, concurrency, and RPS in the scan popup
* 📝 **Profile Selection** — Disable profiles you don't need to reduce scan time
* 🏷️ **Tags** — Use tags and rules to target specific profile groups instead of running all profiles
* 🎯 **Stop-on-first-match** — The scanner automatically stops testing remaining payloads after a match, reducing redundant requests
* 🔎 **Scan Scope** — Per-host profiles automatically deduplicate, reducing redundant requests across URLs on the same host
* ⏸️ **Pause & Resume** — If you notice the target is struggling, pause the scan and adjust your approach


