🤖 AI Scanner

The AI Scanner uses an AI model to analyze HTTP requests and responses, automatically identifying potential attack surfaces and recommending the most relevant scan profiles, without the need to define passive rules by hand.

💡 Concept

The AI Scanner acts as an intelligent reconnaissance layer:

HTTP Request → AI Analysis → Findings (parameters + attack types) → Auto-launch Active Profiles

Instead of relying on predefined passive rules, the AI Scanner:

  • 🔍 Analyzes every parameter in the request (URL, body, cookies, JSON, XML, headers)

  • 🧠 Correlates parameter names with known attack patterns (e.g., id → SQLi, file → LFI, url → SSRF)

  • 🪞 Detects reflection contexts programmatically (HTML body, JavaScript, attributes, headers)

  • 🖥️ Fingerprints technologies from response headers and body (WordPress, Jira, Spring, Grafana, etc.)

  • 🎯 Recommends specific profiles from your active profile library

  • ⚡ Auto-launches active scans with the recommended profiles (if enabled)

⚙️ How It Works

Analysis Pipeline

  1. Request Preprocessing: extracts the method, URL, headers, body and parameters, and records each parameter's type (URL, body, cookie, header, JSON, XML, multipart)

  2. Programmatic Response Analysis: detects parameter reflections and their contexts (HTML body, JavaScript, CSS, attributes, event handlers, URL attributes) and checks which security headers the response carries

  3. AI Analysis: sends the structured data (the full request, the extracted parameters, the response headers and the programmatic analysis) to the configured AI model, together with the full profile taxonomy, the parameter name correlations and the confidence calibration rules

  4. Result Parsing: parses the AI response into structured findings with parameters, attack types, confidence levels, and recommended profiles

  5. Auto-Scan (optional): launches active scans against the original request using the recommended profiles
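The first two steps of the pipeline, as an added example that is not Burp Bounty Pro's own code: a raw request is split into typed parameters (URL, JSON, form body, cookie, a couple of headers), and every reflection of each value in the response is classified with the context names used by this page. The traffic below is constructed for the example, the look-behind window of 400 characters and the list of headers treated as inputs are assumptions, and a real implementation would work on Burp's parsed request objects rather than on raw strings.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic; host, paths and values are made up for this example.
RAW_REQUEST = (
    "GET /search?q=alpha&id=4217 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "X-Forwarded-For: 10.0.0.5\r\n"
    "\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Theme: dark\r\n"
    "\r\n"
    "<html><body><h1>Results for alpha</h1>\n"
    "<script>var q = 'alpha';</script>\n"
    "<input value=\"4217\" onclick=\"go('4217')\">\n"
    "</body></html>"
)
SECURITY_HEADERS = ("content-security-policy", "x-frame-options", "x-content-type-options", "strict-transport-security")
INJECTABLE_HEADERS = ("x-forwarded-for", "referer")  # assumed subset of headers worth treating as inputs
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"[^"]*"?|'[^']*'?|[^\s>]*)""")  # attribute; value may be unterminated

def split_message(raw):
    """Split a raw HTTP message into (start line, lowercased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def extract_parameters(raw_request):
    """Step 1: every input the request carries, tagged with its parameter_type."""
    start_line, headers, body = split_message(raw_request)
    method, target, _ = start_line.split(" ", 2)
    params = [{"name": n, "value": v, "type": "url"}
              for n, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if body and "json" in headers.get("content-type", ""):
        params += [{"name": n, "value": str(v), "type": "json"} for n, v in json.loads(body).items()]
    elif body:
        params += [{"name": n, "value": v, "type": "body"} for n, v in parse_qsl(body, keep_blank_values=True)]
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            params.append({"name": name, "value": value, "type": "cookie"})
    params += [{"name": h, "value": headers[h], "type": "header"} for h in INJECTABLE_HEADERS if h in headers]
    return method, params

def reflection_contexts(value, headers, body):
    """Step 2: classify every place the value appears, using the page's context names."""
    if len(value) < 3:
        return ["none"]  # very short values reflect by coincidence; ignore them
    ctx = set()
    if any(value in v for v in headers.values()):
        ctx.add("response_header")
    for m in re.finditer(re.escape(value), body):
        before = body[max(0, m.start() - 400):m.start()]  # look-behind window; widen for big pages
        if before.rfind("<script") > before.rfind("</script>"):
            ctx.add("javascript")
        elif before.rfind("<style") > before.rfind("</style>"):
            ctx.add("css")
        elif before.rfind("<!--") > before.rfind("-->"):
            ctx.add("html_comment")
        elif before.rfind("<") > before.rfind(">"):  # still inside an open tag
            attrs = ATTR_RE.findall(before[before.rfind("<"):])  # last attribute name wins
            name = attrs[-1].lower() if attrs else ""
            if name.startswith("on"):
                ctx.add("event_handler")
            elif name in ("href", "src", "action", "formaction"):
                ctx.add("url_attribute")
            else:
                ctx.add("html_attribute")
        else:
            ctx.add("html_body")
    return sorted(ctx) or ["none"]

def analyze(raw_request, raw_response):
    """Steps 1 and 2 together: the structured data handed to the AI model in step 3."""
    method, params = extract_parameters(raw_request)
    _, headers, body = split_message(raw_response)
    ctype = headers.get("content-type", "")
    for p in params:
        if "json" in ctype:
            p["reflection_contexts"] = ["json_value"] if p["value"] in body else ["none"]
        else:
            p["reflection_contexts"] = reflection_contexts(p["value"], headers, body)
        p["reflected"] = p["reflection_contexts"] != ["none"]
    return {"method": method, "parameters": params, "response_content_type": ctype,
            "missing_security_headers": [h for h in SECURITY_HEADERS if h not in headers]}
```

Running `analyze(RAW_REQUEST, RAW_RESPONSE)` on the sample reports `q` reflected in both `html_body` and `javascript`, `id` in an `html_attribute` and an `event_handler`, and the `theme` cookie only in a `response_header`; the cookie `session` is not reflected at all. Those contexts are exactly what the confidence calibration later keys on, so getting the classification right here matters more than the AI step.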

AI Providers

The AI Scanner supports multiple AI providers:

| Provider | Default Model | Default Endpoint |
| --- | --- | --- |
| OpenAI | gpt-4o | https://api.openai.com/v1/chat/completions |
| Anthropic | claude-sonnet-4-20250514 | https://api.anthropic.com/v1/messages |
| Google Gemini | gemini-pro | https://generativelanguage.googleapis.com/v1beta/ |
| OpenRouter | (configurable) | https://openrouter.ai/api/v1/chat/completions |
| Local (Ollama) | (configurable) | http://localhost:11434/api/chat |

You can use any model available through these providers by changing the Model field in Settings. Whichever provider you pick, the analysis prompt carries the full HTTP request and the response headers, so cookies, tokens and any other secrets in the captured traffic are sent to that provider's API. When the traffic must not leave your environment, use the local Ollama endpoint.

🚀 Launching an AI Scan

From Context Menu

  1. Select one or more requests from Proxy History, Target Site Map, Repeater, or any other Burp tool

  2. Right-click and select AI Scanner from the Burp Bounty Pro context menu

  3. The URL Filter popup appears: review the URLs and configure the scanner settings

  4. Click OK to start the AI analysis

⚠️ API Key Required: If no API key is configured, a popup will prompt you to set one up in Settings before scanning.

From the Scanners Tab

  1. Go to Burp Bounty Pro > Scanners > AI sub-tab

  2. View all AI scan entries with their status and findings

📊 AI Scanner Tab

The AI Scanner tab (under Scanners > AI) displays:

Results Table

| Column | Description |
| --- | --- |
| # | Entry ID |
| Status | Analyzing, Complete, Error |
| Host | Target hostname |
| Method | HTTP method |
| URL | Full request URL |
| Parameters | Number of parameters detected |
| Findings | Summary of findings (e.g., "1 High, 2 Med") |

Detail Panel

When you select an entry:

  • Request/Response tabs show the original HTTP request and response

  • AI Response tab shows the full JSON response from the AI model

Entry Controls

| Action | Description |
| --- | --- |
| ⏸️ Pause | Pause the AI analysis for this entry |
| ▶️ Resume | Resume a paused entry |
| ❌ Cancel | Cancel the analysis |
| 🗑️ Remove | Remove the entry from the list |
| 🗑️ Clear | Remove all entries |

🔍 Finding Structure

Each finding from the AI Scanner contains:

| Field | Description |
| --- | --- |
| parameter | The real parameter name from the request |
| parameter_type | url, body, cookie, header, json, xml, multipart |
| insertion_point_hint | Where to inject payloads (e.g., param_url_value, param_body_value) |
| reflected | Whether the parameter value appears in the response |
| reflection_contexts | Where it is reflected: html_body, javascript, html_attribute, url_attribute, event_handler, css, html_comment, response_header, json_value, none |
| response_content_type | Response Content-Type header |
| attack_types | Applicable attack types (SQLi, XSS, RCE, LFI, SSRF, SSTI, XXE, etc.) |
| confidence | high, medium, or low |
| priority | 1 (Critical) to 5 (Informational) |
| technology_detected | Technology fingerprint found (e.g., wordpress, jira, spring) or null |
| reasoning | Brief explanation of why this parameter is interesting |
| recommended_profiles | Exact profile names to use for testing |

Confidence Levels

| Level | Criteria |
| --- | --- |
| high | Parameter reflected in a dangerous context (HTML body unencoded, JavaScript block, Location header) without output encoding. Or direct evidence: SQL error messages, file contents in the response, template engine output. |
| medium | Parameter name correlates strongly with an attack type. Or parameter reflected, but in a safer context (HTML attribute with encoding, JSON response). |
| low | Generic parameter without reflection and without strong name correlation, but it accepts user input and at least one attack is plausible. |
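The parameter-name correlations from the Concept section and the confidence calibration rules above, written out as a deterministic scorer. This is an added example, not Burp Bounty Pro's code: the product hands these rules to the AI model as prompt text, whereas here they are hard-coded so their effect on a finding can be checked. The correlation table (beyond the page's id, file and url examples), the direct-evidence markers, the default attack types for a low-confidence finding and the mapping of confidence onto the 1-5 priority scale are assumptions.

```python
import re

# Name-to-attack correlations: the page's examples (id, file, url) plus assumed extras.
NAME_CORRELATIONS = {
    "SQLi": {"id", "uid", "order", "sort", "filter"},
    "LFI": {"file", "path", "page", "template", "include", "doc"},
    "SSRF": {"url", "uri", "redirect", "callback", "dest", "webhook"},
    "RCE": {"cmd", "exec", "command", "ping"},
    "SSTI": {"template", "tpl"},
}
# Direct evidence markers in the response body and the attack type each one proves (assumed list).
DIRECT_EVIDENCE = {
    "you have an error in your sql syntax": "SQLi",
    "sqlstate[": "SQLi",
    "root:x:0:0": "LFI",
    "warning: include(": "LFI",
    "jinja2.exceptions": "SSTI",
}
DANGEROUS_CONTEXTS = {"html_body", "javascript", "response_header"}
GENERIC_ATTACKS = {"SQLi", "XSS"}  # assumed "plausible" default for low-confidence findings
BASE_PRIORITY = {"high": 2, "medium": 3, "low": 4}  # assumed mapping onto the 1-5 scale

def name_tokens(name):
    """Split snake_case, kebab-case, camelCase and array-style names into lowercase words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name)
    return set(re.findall(r"[a-z]+", spaced.lower()))

def correlated_attacks(name):
    tokens = name_tokens(name)
    return sorted(atk for atk, words in NAME_CORRELATIONS.items() if tokens & words)

def calibrate(param):
    """param keys: name, reflection_contexts; optional: encoded (bool), response_body (str)."""
    contexts = set(param.get("reflection_contexts", [])) - {"none"}
    encoded = param.get("encoded", False)
    body = param.get("response_body", "").lower()
    correlated = correlated_attacks(param["name"])
    evidence = sorted({atk for marker, atk in DIRECT_EVIDENCE.items() if marker in body})
    attacks = set(correlated) | set(evidence)
    reasons = []
    if evidence:
        reasons.append("direct evidence of " + "/".join(evidence))
    if contexts:
        attacks.add("XSS")  # anything reflected is worth an injection test
        reasons.append(("encoded" if encoded else "unencoded") + " reflection in " + "/".join(sorted(contexts)))
    if correlated:
        reasons.append("name correlates with " + "/".join(correlated))
    # The three rows of the confidence table, checked from strongest to weakest.
    if evidence or (contexts & DANGEROUS_CONTEXTS and not encoded):
        confidence = "high"
    elif correlated or contexts:
        confidence = "medium"
    else:
        confidence = "low"
        attacks |= GENERIC_ATTACKS
    priority = BASE_PRIORITY[confidence]
    if confidence == "high" and attacks & {"RCE", "SQLi", "LFI", "SSTI"}:
        priority = 1  # server-side impact backed by strong evidence
    return {"parameter": param["name"], "reflected": bool(contexts),
            "reflection_contexts": sorted(contexts) or ["none"], "attack_types": sorted(attacks),
            "confidence": confidence, "priority": priority,
            "reasoning": "; ".join(reasons) or "generic user-controlled input"}
```

Note the asymmetry the table implies and the code keeps: an encoded reflection in an attribute never rises above medium no matter how suspicious the name is, while a single SQL error string in the body is enough for high even when nothing is reflected.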

🎯 Auto-Scan

When Auto-scan after analysis is enabled, the AI Scanner automatically launches active scans using the recommended profiles from the AI analysis:

  1. The AI returns findings with recommended_profiles for each parameter

  2. Each recommended profile name is matched against your enabled active profiles (case-insensitive)

  3. Matched profiles are collected and launched as an active scan against the original request

  4. The launched profiles are displayed in the AI Scanner results
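Result parsing (pipeline step 4), the Findings column of the results table and the profile matching of the auto-scan flow, as one added example that is not Burp Bounty Pro's code. The AI response below is constructed in the finding schema documented above, with a deliberately malformed last entry; the enabled profile names are illustrative, and the fence stripping and schema validation are assumptions about what a robust parser should do, since model output is untrusted input.

```python
import json

# Constructed AI response in the finding schema above (not real model output);
# the last entry is deliberately malformed to exercise the validation path.
AI_RESPONSE = """{"findings": [
 {"parameter": "id", "parameter_type": "url", "insertion_point_hint": "param_url_value",
  "reflected": false, "reflection_contexts": ["none"], "response_content_type": "text/html",
  "attack_types": ["SQLi"], "confidence": "medium", "priority": 2, "technology_detected": null,
  "reasoning": "numeric identifier used for a lookup",
  "recommended_profiles": ["SQLi Error Based", "sqli time based"]},
 {"parameter": "q", "parameter_type": "url", "insertion_point_hint": "param_url_value",
  "reflected": true, "reflection_contexts": ["html_body"], "response_content_type": "text/html",
  "attack_types": ["XSS"], "confidence": "high", "priority": 1, "technology_detected": null,
  "reasoning": "reflected unencoded in the HTML body",
  "recommended_profiles": ["XSS Reflected", "Does Not Exist"]},
 {"parameter": "theme", "parameter_type": "cookie", "reflected": false,
  "reflection_contexts": ["none"], "response_content_type": "text/html",
  "attack_types": ["SQLi"], "confidence": "low", "priority": 4, "technology_detected": null,
  "reasoning": "generic cookie value", "recommended_profiles": []},
 {"parameter": "debug", "parameter_type": "url", "attack_types": ["RCE"],
  "confidence": "critical", "priority": 9, "recommended_profiles": ["Generic"]}
]}"""
FENCE = chr(96) * 3  # models often wrap JSON in a markdown code fence
AI_RESPONSE_FENCED = FENCE + "json\n" + AI_RESPONSE + "\n" + FENCE
# Assumed profile library; names are illustrative, not a real Burp Bounty Pro profile list.
ENABLED_PROFILES = ["SQLi Error Based", "SQLi Time Based", "XSS Reflected", "Spring_Boot_Actuators"]
REQUIRED_FIELDS = ("parameter", "parameter_type", "attack_types", "confidence", "priority", "recommended_profiles")
CONFIDENCE_ORDER = ("high", "medium", "low")

def strip_fence(text):
    text = text.strip()
    if text.startswith(FENCE):
        text = text.split("\n", 1)[1].rsplit(FENCE, 1)[0]
    return text

def parse_findings(ai_text):
    """Step 4: keep findings that satisfy the schema; return (accepted, rejected parameter names)."""
    data = json.loads(strip_fence(ai_text))
    accepted, rejected = [], []
    for f in data.get("findings", []):
        ok = (all(k in f for k in REQUIRED_FIELDS)
              and f["confidence"] in CONFIDENCE_ORDER
              and isinstance(f["priority"], int) and 1 <= f["priority"] <= 5)
        if ok:
            accepted.append(f)
        else:
            rejected.append(f.get("parameter"))
    accepted.sort(key=lambda f: (f["priority"], CONFIDENCE_ORDER.index(f["confidence"])))
    return accepted, rejected

def summarize(findings):
    """Findings column of the results table, e.g. '1 High, 2 Med'."""
    labels = {"high": "High", "medium": "Med", "low": "Low"}
    counts = {c: sum(1 for f in findings if f["confidence"] == c) for c in CONFIDENCE_ORDER}
    return ", ".join(f"{counts[c]} {labels[c]}" for c in CONFIDENCE_ORDER if counts[c]) or "0 findings"

def select_profiles(findings, enabled_profiles):
    """Auto-scan step 2: case-insensitive match of recommended names against enabled active profiles."""
    by_lower = {p.lower(): p for p in enabled_profiles}
    launched, unmatched = [], []
    for f in findings:
        for name in f["recommended_profiles"]:
            real = by_lower.get(name.strip().lower())
            if real is None:
                unmatched.append(name)
            elif real not in launched:
                launched.append(real)
    return launched, unmatched
```

Two details are worth copying into any similar integration: the rejected `debug` entry (a made-up `critical` confidence and a priority outside 1-5) is dropped instead of being launched, and `Does Not Exist` is reported as unmatched rather than silently ignored, so a model that hallucinates profile names becomes visible in the results.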

Example Flow

⚙️ Settings

AI Scanner settings are accessed from the Settings dialog within the AI Scanner tab.

General Settings

| Setting | Description | Default |
| --- | --- | --- |
| Enable | Enable/disable AI Scanner | Enabled |
| Auto-scan after analysis | Automatically launch active scans with recommended profiles | Enabled |
| Provider | AI provider to use | OpenAI |
| API Key | API key for the selected provider | (empty) |
| Model | AI model name | gpt-4o |
| Endpoint | API endpoint URL | Provider default |

Prompt Customization

The AI Scanner uses two prompts that can be fully customized via the Edit Prompts button:

  • System Prompt: defines the AI's role, the profile taxonomy, the analysis rules, the confidence calibration and the output schema

  • User Prompt Template: rendered for each request analysis, with these placeholders:

    • {REQUEST}: full HTTP request

    • {PARAMETERS}: extracted parameters with types and reflection data

    • {RESPONSE_HEADERS}: response headers

    • {RESPONSE_ANALYSIS}: programmatic response analysis (reflections, contexts, security headers)

    • {AVAILABLE_PROFILES}: list of all active profiles with tags

💡 Tip: The default prompts include a comprehensive profile taxonomy, parameter name correlations, and examples. Customize them to fit your workflow or to add custom profile categories.

Prompt Auto-Update

When you update Burp Bounty Pro, saved prompts that are outdated (missing new schema fields or sections) are automatically reset to the new defaults to keep them compatible with the result parser. Any customizations in such a prompt are overwritten by the reset, so keep a copy of custom prompts outside Burp and re-apply them after an update.
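Rendering the user prompt template and checking a saved custom prompt before use, as an added example covering both the placeholders above and the compatibility check behind the prompt auto-update. It is not Burp Bounty Pro's code: the template text is constructed (the real default prompt is longer), the check only looks for missing placeholders rather than missing schema sections, and the credential masking is an assumed safeguard a user may want before a request leaves the machine, not a product feature.

```python
import re

# Constructed user prompt template using the five placeholders listed above;
# the real default prompt is longer and ships with the product.
DEFAULT_USER_PROMPT = """Analyze this HTTP request and respond with JSON findings only.

REQUEST:
{REQUEST}

PARAMETERS:
{PARAMETERS}

RESPONSE HEADERS:
{RESPONSE_HEADERS}

RESPONSE ANALYSIS:
{RESPONSE_ANALYSIS}

AVAILABLE PROFILES:
{AVAILABLE_PROFILES}
"""
REQUIRED_PLACEHOLDERS = ("{REQUEST}", "{PARAMETERS}", "{RESPONSE_HEADERS}",
                         "{RESPONSE_ANALYSIS}", "{AVAILABLE_PROFILES}")
SECRET_HEADERS = ("cookie", "authorization", "x-api-key")  # assumed list; extend for your targets

def missing_placeholders(template):
    return [p for p in REQUIRED_PLACEHOLDERS if p not in template]

def choose_template(saved_template, default=DEFAULT_USER_PROMPT):
    """Fall back to the default when a saved custom prompt lacks a required placeholder."""
    return default if missing_placeholders(saved_template) else saved_template

def mask_secrets(raw_request):
    """Blank credential header values before the request leaves the machine (assumed safeguard)."""
    pattern = r"(?im)^(" + "|".join(re.escape(h) for h in SECRET_HEADERS) + r"):[^\r\n]*"
    return re.sub(pattern, lambda m: m.group(1) + ": <redacted>", raw_request)

def render(template, request, parameters, response_headers, analysis, profiles):
    """Fill the placeholders. str.replace is used on purpose: str.format would choke on
    the braces of any JSON body inside {REQUEST}."""
    fields = {
        "{REQUEST}": request,
        "{PARAMETERS}": "\n".join(f"- {p['name']} ({p['type']}) reflected={p['reflected']}" for p in parameters),
        "{RESPONSE_HEADERS}": "\n".join(f"{k}: {v}" for k, v in response_headers.items()),
        "{RESPONSE_ANALYSIS}": analysis,
        "{AVAILABLE_PROFILES}": "\n".join(f"- {name} [{', '.join(tags)}]" for name, tags in profiles.items()),
    }
    out = template
    for placeholder, value in fields.items():
        out = out.replace(placeholder, value)
    return out
```

Masking removes cookie and token values from what the model sees, while the cookie names still reach it through {PARAMETERS}, which is usually all the model needs to decide which parameter is interesting.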

🖥️ Technology Detection

The AI Scanner can detect technologies from response data and recommend technology-specific CVE profiles:

| Technology | Detection Indicators | Example Profiles |
| --- | --- | --- |
| WordPress | /wp-content/, /wp-admin/, wp-json | Wordpress_Path_Traversal, Wordpress_Config_Accessible |
| Jira/Atlassian | /rest/api/, X-ASEN header, atlassian-token | CVE-2021-26086, CVE-2019-8442 |
| Spring Boot | /actuator/, X-Application-Context | Spring_Boot_Actuators, CVE-2020-5410 |
| Grafana | /api/dashboards/, grafana in paths | CVE-2021-43798_Grafana_LFI |
| GraphQL | /graphql endpoint, query in body | Graphql Introspection, GraphQL Batching |
| Drupal | X-Drupal-Cache, /node/ | Drupal_User_Enum |
| Symfony | X-Debug-Token, /_profiler/ | Symfony_Debug |

Technology-specific profiles are only recommended when evidence is found in the response.
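The indicator table turned into a fingerprinting function that recommends technology-specific profiles only when an indicator is actually present, as an added example that is not Burp Bounty Pro's code. The indicators and profile names are the ones listed above; the split into URL/body markers versus response header names, the lowercase technology keys and the evidence labels are assumptions, and the inputs in the usage are constructed.

```python
# Indicator table from the section above, split into URL/body markers and
# response header names; the split and the lowercase tech keys are assumptions.
TECH_SIGNATURES = [
    ("wordpress", ["/wp-content/", "/wp-admin/", "wp-json"], [],
     ["Wordpress_Path_Traversal", "Wordpress_Config_Accessible"]),
    ("jira", ["/rest/api/", "atlassian-token"], ["x-asen"], ["CVE-2021-26086", "CVE-2019-8442"]),
    ("spring", ["/actuator/"], ["x-application-context"], ["Spring_Boot_Actuators", "CVE-2020-5410"]),
    ("grafana", ["/api/dashboards/", "grafana"], [], ["CVE-2021-43798_Grafana_LFI"]),
    ("graphql", ["/graphql", '"query"'], [], ["Graphql Introspection", "GraphQL Batching"]),
    ("drupal", ["/node/"], ["x-drupal-cache"], ["Drupal_User_Enum"]),
    ("symfony", ["/_profiler/"], ["x-debug-token"], ["Symfony_Debug"]),
]

def detect_technologies(url, request_body, response_headers, response_body):
    """Return {tech: {"evidence": [...], "profiles": [...]}} for every technology with evidence."""
    url_l, req_l, body_l = url.lower(), request_body.lower(), response_body.lower()
    header_names = {k.lower() for k in response_headers}
    hits = {}
    for tech, markers, headers, profiles in TECH_SIGNATURES:
        evidence = []
        for marker in markers:
            if marker in url_l:
                evidence.append("url:" + marker)
            elif marker in body_l:
                evidence.append("body:" + marker)  # weakest signal: a page merely mentioning the name
            elif marker in req_l:
                evidence.append("request:" + marker)
        evidence += ["header:" + h for h in headers if h in header_names]
        if evidence:  # profiles are recommended only when something was actually observed
            hits[tech] = {"evidence": evidence, "profiles": list(profiles)}
    return hits

def recommended_profiles(hits):
    """Flat, de-duplicated list of technology-specific profiles to add to the recommendation."""
    out = []
    for hit in hits.values():
        out += [p for p in hit["profiles"] if p not in out]
    return out

# Constructed usage: a WordPress REST URL yields only the WordPress profiles,
# a plain PHP page with no indicators yields nothing at all.
wp_hits = detect_technologies("https://example.test/blog/wp-json/wp/v2/posts", "",
                              {"Content-Type": "application/json"}, '{"id": 3}')
plain_hits = detect_technologies("https://example.test/index.php?id=1", "",
                                 {"Content-Type": "text/html"}, "<html>hello</html>")
```

Keeping the evidence string next to each recommendation is the practical part: when a CVE profile for Grafana shows up against a target, the reviewer can see whether it was triggered by `/api/dashboards/` in the URL or merely by the word "grafana" somewhere in a page body.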

📚 Examples

SQLi Parameter Detection

AI finding:

LFI with File Path

AI finding:

Reflected XSS Detection

AI finding:
