# AI Scanner The AI Scanner uses artificial intelligence to analyze HTTP requests and responses, automatically identifying potential attack surfaces and recommending the most relevant scan profiles β€” without needing to define rules manually. ## πŸ’‘ Concept The AI Scanner acts as an intelligent reconnaissance layer: ``` HTTP Request β†’ AI Analysis β†’ Findings (parameters + attack types) β†’ Auto-launch Active Profiles ``` Instead of relying on predefined passive rules, the AI Scanner: * πŸ” **Analyzes every parameter** in the request (URL, body, cookies, JSON, XML, headers) * 🧠 **Correlates parameter names** with known attack patterns (e.g., `id` β†’ SQLi, `file` β†’ LFI, `url` β†’ SSRF) * πŸͺž **Detects reflection contexts** programmatically (HTML body, JavaScript, attributes, headers) * πŸ–₯️ **Fingerprints technologies** from response headers and body (WordPress, Jira, Spring, Grafana, etc.) * 🎯 **Recommends specific profiles** from your active profile library * ⚑ **Auto-launches active scans** with the recommended profiles (if enabled) ## βš™οΈ How It Works ### Analysis Pipeline 1. **Request Preprocessing** β€” Extracts method, URL, headers, body, parameters, and their types 2. **Programmatic Response Analysis** β€” Detects parameter reflections, reflection contexts (HTML body, JavaScript, CSS, attributes, event handlers, URL attributes), and security headers 3. **AI Analysis** β€” Sends the structured data to an AI model with the full profile taxonomy, parameter name correlations, and confidence calibration rules 4. **Result Parsing** β€” Parses the AI response into structured findings with parameters, attack types, confidence levels, and recommended profiles 5. **Auto-Scan** *(optional)* β€” Automatically launches active scans using the recommended profiles ### AI Providers The AI Scanner supports multiple AI providers: | Provider | Default Model | Default Endpoint | | ------------------ | ------------------------ | --------------------------------------------------- | | **OpenAI** | gpt-4o | `https://api.openai.com/v1/chat/completions` | | **Anthropic** | claude-sonnet-4-20250514 | `https://api.anthropic.com/v1/messages` | | **Google Gemini** | gemini-pro | `https://generativelanguage.googleapis.com/v1beta/` | | **OpenRouter** | (configurable) | `https://openrouter.ai/api/v1/chat/completions` | | **Local (Ollama)** | (configurable) | `http://localhost:11434/api/chat` | You can use any model available through these providers by changing the **Model** field in Settings. ## πŸš€ Launching an AI Scan ### From Context Menu 1. Select one or more requests from **Proxy History**, **Target Site Map**, **Repeater**, or any other Burp tool 2. Right-click and select **AI Scanner** from the Burp Bounty Pro context menu 3. The **URL Filter popup** appears β€” review URLs and configure scanner settings 4. Click **OK** to start the AI analysis > ⚠️ **API Key Required:** If no API key is configured, a popup will prompt you to set one up in **Settings** before scanning. ### From the Scanners Tab 1. Go to **Burp Bounty Pro** > **Scanners** > **AI** sub-tab 2. View all AI scan entries with their status and findings ## πŸ“Š AI Scanner Tab The AI Scanner tab (under **Scanners** > **AI**) displays: ### Results Table | Column | Description | | -------------- | ------------------------------------------- | | **#** | Entry ID | | **Status** | Analyzing, Complete, Error | | **Host** | Target hostname | | **Method** | HTTP method | | **URL** | Full request URL | | **Parameters** | Number of parameters detected | | **Findings** | Summary of findings (e.g., "1 High, 2 Med") | ### Detail Panel When you select an entry: * **Request/Response** tabs show the original HTTP request and response * **AI Response** tab shows the full JSON response from the AI model ### Entry Controls | Action | Description | | -------------- | ------------------------------------ | | ⏸️ **Pause** | Pause the AI analysis for this entry | | ▢️ **Resume** | Resume a paused entry | | ❌ **Cancel** | Cancel the analysis | | πŸ—‘οΈ **Remove** | Remove the entry from the list | | πŸ—‘οΈ **Clear** | Remove all entries | ## πŸ” Finding Structure Each finding from the AI Scanner contains: | Field | Description | | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | **parameter** | The real parameter name from the request | | **parameter\_type** | url, body, cookie, header, json, xml, multipart | | **insertion\_point\_hint** | Where to inject payloads (e.g., param\_url\_value, param\_body\_value) | | **reflected** | Whether the parameter value appears in the response | | **reflection\_contexts** | Where it's reflected: html\_body, javascript, html\_attribute, url\_attribute, event\_handler, css, html\_comment, response\_header, json\_value, none | | **response\_content\_type** | Response Content-Type header | | **attack\_types** | Applicable attack types (SQLi, XSS, RCE, LFI, SSRF, SSTI, XXE, etc.) | | **confidence** | high, medium, or low | | **priority** | 1 (Critical) to 5 (Informational) | | **technology\_detected** | Technology fingerprint found (e.g., wordpress, jira, spring) or null | | **reasoning** | Brief explanation of why this parameter is interesting | | **recommended\_profiles** | Exact profile names to use for testing | ### Confidence Levels | Level | Criteria | | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **high** | Parameter reflected in dangerous context (HTML body unencoded, JavaScript block, Location header) without output encoding. Or direct evidence: SQL error messages, file contents in response, template engine output. | | **medium** | Parameter name correlates strongly with an attack type. Or parameter reflected but in safer context (HTML attribute with encoding, JSON response). | | **low** | Generic parameter without reflection and without strong name correlation, but accepts user input and at least one attack is plausible. | ## 🎯 Auto-Scan When **Auto-scan after analysis** is enabled, the AI Scanner automatically launches active scans using the recommended profiles from the AI analysis: 1. The AI returns findings with `recommended_profiles` for each parameter 2. Each recommended profile name is matched against your enabled active profiles (case-insensitive) 3. Matched profiles are collected and launched as an active scan against the original request 4. The launched profiles are displayed in the AI Scanner results ### Example Flow ``` Request: GET /product?id=1&cat=5 β”‚ β”œβ”€ AI Analysis finds: β”‚ β”œβ”€ id β†’ SQLi (medium) β†’ profiles: SQLi, SQLi_TimeBased β”‚ └─ cat β†’ SQLi (medium) β†’ profiles: SQLi, SQLi_TimeBased β”‚ └─ Auto-scan launches: SQLi, SQLi_TimeBased profiles against /product?id=1&cat=5 ``` ## βš™οΈ Settings AI Scanner settings are accessed from the **Settings** dialog within the AI Scanner tab. ### General Settings | Setting | Description | Default | | ---------------------------- | ----------------------------------------------------------- | ---------------- | | **Enable** | Enable/disable AI Scanner | Enabled | | **Auto-scan after analysis** | Automatically launch active scans with recommended profiles | Enabled | | **Provider** | AI provider to use | OpenAI | | **API Key** | API key for the selected provider | (empty) | | **Model** | AI model name | gpt-4o | | **Endpoint** | API endpoint URL | Provider default | ### Prompt Customization The AI Scanner uses two prompts that can be fully customized via the **Edit Prompts** button: * **System Prompt** β€” Defines the AI's role, profile taxonomy, analysis rules, confidence calibration, and output schema * **User Prompt Template** β€” Template for each request analysis, with placeholders: * `{REQUEST}` β€” Full HTTP request * `{PARAMETERS}` β€” Extracted parameters with types and reflection data * `{RESPONSE_HEADERS}` β€” Response headers * `{RESPONSE_ANALYSIS}` β€” Programmatic response analysis (reflections, contexts, security headers) * `{AVAILABLE_PROFILES}` β€” List of all active profiles with tags > πŸ’‘ **Tip:** The default prompts include comprehensive profile taxonomy, parameter name correlations, and examples. Customize them to fit your specific workflow or to add custom profile categories. ### Prompt Auto-Update When you update Burp Bounty Pro, if the saved prompts are outdated (missing new schema fields or sections), they are automatically reset to the new defaults to ensure compatibility. ## πŸ–₯️ Technology Detection The AI Scanner can detect technologies from response data and recommend technology-specific CVE profiles: | Technology | Detection Indicators | Example Profiles | | -------------- | ------------------------------------------ | --------------------------------------------------------- | | WordPress | /wp-content/, /wp-admin/, wp-json | Wordpress\_Path\_Traversal, Wordpress\_Config\_Accessible | | Jira/Atlassian | /rest/api/, X-ASEN header, atlassian-token | CVE-2021-26086, CVE-2019-8442 | | Spring Boot | /actuator/, X-Application-Context | Spring\_Boot\_Actuators, CVE-2020-5410 | | Grafana | /api/dashboards/, grafana in paths | CVE-2021-43798\_Grafana\_LFI | | GraphQL | /graphql endpoint, query in body | Graphql Introspection, GraphQL Batching | | Drupal | X-Drupal-Cache, /node/ | Drupal\_User\_Enum | | Symfony | X-Debug-Token, /\_profiler/ | Symfony\_Debug | Technology-specific profiles are only recommended when evidence is found in the response. ## πŸ“š Examples ### SQLi Parameter Detection ``` Request: GET /api/users?id=42&sort=name HTTP/1.1 ``` AI finding: ```json { "parameter": "id", "parameter_type": "url", "insertion_point_hint": "param_url_value", "reflected": false, "reflection_contexts": ["none"], "attack_types": ["SQLi"], "confidence": "medium", "priority": 3, "reasoning": "Numeric parameter 'id' is a classic SQLi candidate.", "recommended_profiles": ["SQLi", "SQLi_TimeBased", "SQLi_Collaborator"] } ``` ### LFI with File Path ``` Request: GET /image?file=./pictures/photo.jpg HTTP/1.1 ``` AI finding: ```json { "parameter": "file", "parameter_type": "url", "insertion_point_hint": "param_url_value", "reflected": false, "reflection_contexts": ["none"], "attack_types": ["LFI"], "confidence": "medium", "priority": 2, "reasoning": "Parameter 'file' controls the file path, making it a strong LFI candidate.", "recommended_profiles": ["PathTraversal_Linux", "PathTraversal_Windows"] } ``` ### Reflected XSS Detection ``` Request: GET /search?q=test HTTP/1.1 Response:

Results for: test

``` AI finding: ```json { "parameter": "q", "parameter_type": "url", "insertion_point_hint": "param_url_value", "reflected": true, "reflection_contexts": ["html_body"], "attack_types": ["XSS"], "confidence": "high", "priority": 2, "reasoning": "Parameter 'q' reflected unencoded in HTML body.", "recommended_profiles": ["XSS", "XSS_GETPOST", "Test_XSS_append"] } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.bountysecurity.ai/scanning/ai-scan.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.