# Smart Scan Smart Scan is one of the most powerful features of Burp Bounty Pro. It uses **Rules** to automatically trigger active scanning profiles when specific passive conditions are detected โ€” creating intelligent, context-aware scanning workflows. ## ๐Ÿ’ก Concept Smart Scan follows an **IF-THEN** pattern: ``` IF passive profile(s) match โ†’ THEN execute active profile(s) ``` This means: 1. ๐Ÿ‘๏ธ **Passive profiles** continuously analyze all traffic (requests and responses) 2. ๐Ÿ“‹ When a passive profile matches, **rules** check if conditions are met 3. ๐ŸŽฏ If conditions are met, **active profiles** are automatically executed against the matched request ## โ“ Why Smart Scan? Instead of running all active profiles against every request (which is slow and noisy), Smart Scan: * โšก **Reduces scan time** โ€” Only tests relevant vulnerabilities for each target * ๐ŸŽฏ **Reduces false positives** โ€” Only scans when context suggests a vulnerability is likely * ๐Ÿค– **Automates workflows** โ€” No manual intervention needed to target specific technologies * ๐Ÿ–ฅ๏ธ **Enables technology-specific testing** โ€” Detects WordPress, Jira, Spring, etc. and runs their CVE profiles ## โš™๏ธ How It Works ### ๐Ÿ“˜ Example: WordPress Detection 1. ๐Ÿ‘๏ธ **Passive Response profile** `Wordpress detection` matches responses containing WordPress indicators (e.g., `wp-content`, `wp-includes`) 2. ๐Ÿ“‹ **Rule** `Wordpress_Rule` is configured: * **IF**: Passive Response profile `Wordpress detection` matches * **THEN**: Execute active profiles: `Wordpress_user_enum_oembed`, `Wordpress_user_enum_json`, `Wordpress_directory_listing`, `Wordpress_Path_Traversal`, `Wordpress_Config_Accessible`, etc. 3. ๐ŸŽฏ **Active scanning** automatically begins on the matched request with WordPress-specific profiles ### ๐Ÿ“˜ Example: SQL Injection Parameter Detection 1. ๐Ÿ‘๏ธ **Passive Request profile** `SQLi_Parameters` detects parameters like `id=`, `user_id=`, `query=` 2. ๐Ÿ“‹ **Rule** `SQLi_Rule` is configured: * **IF**: Passive Request profile `SQLi_Parameters` matches * **THEN**: Execute active profiles: `SQLi`, `SQLi_Timebased_Encoded_Space` 3. ๐ŸŽฏ **Active scanning** targets only the requests with suspicious parameters ## ๐Ÿ“‹ Rule Structure Each rule consists of: ### ๐Ÿ” Match Conditions (IF) One or more passive profile matches that must be satisfied: * ๐Ÿ“จ **Passive Request profiles** โ€” Match patterns in HTTP requests * ๐Ÿ“ฉ **Passive Response profiles** โ€” Match patterns in HTTP responses * ๐Ÿ”— **Logic operators** โ€” Combine conditions with AND/OR: * **AND** โ€” All conditions must match * **OR** โ€” At least one condition must match ### ๐ŸŽฏ Execute Actions (THEN) What to do when conditions are met: * ๐Ÿ“ **Execute specific profiles** โ€” Run named active profiles * ๐Ÿท๏ธ **Execute profiles by tag** โ€” Run all active profiles with a specific tag (e.g., all profiles tagged "XSS") * ๐ŸŽฏ **Match scope** โ€” Execute on "All Matches" or "First Match" only ## ๐Ÿ”„ Smart Scan Flow ``` HTTP Traffic โ”‚ โ”œโ”€ ๐Ÿ“จ Passive Request Profile matches request โ”‚ โ””โ”€ ๐Ÿ“‹ Check Rules โ†’ IF condition met โ†’ ๐ŸŽฏ Execute Active Profiles on this request โ”‚ โ””โ”€ ๐Ÿ“ฉ Passive Response Profile matches response โ””โ”€ ๐Ÿ“‹ Check Rules โ†’ IF condition met โ†’ ๐ŸŽฏ Execute Active Profiles on this request ``` ## ๐Ÿ“Š Smart Scanner Tab Smart Scan results are displayed in the dedicated **Scanners** > **Smart** sub-tab: * Lists each evaluated request with host, method, URL, and matched rules * Shows which active profiles were launched and scan count * Includes request/response viewers for inspection ## โš™๏ธ Configuration ### โšก Scanner Settings When Smart Scan rules trigger active scans automatically, they use default scanner settings (**10 threads**, **10 concurrency**, **10 RPS**). These defaults are suitable for most scenarios. When you manually launch a Smart Scan via the context menu, the URL Filter popup appears with context-aware settings: | Setting | Description | | -------------------------- | ---------------------------------------------- | | ๐Ÿงต **Threads** | Number of threads for the scan | | ๐Ÿ”€ **Passive Concurrency** | Maximum concurrent passive profile evaluations | | ๐Ÿ”€ **Active Concurrency** | Maximum concurrent active scan connections | | ๐Ÿ“ˆ **Requests per second** | Rate limit for the scan | See [Scan Control](https://docs.bountysecurity.ai/scanning/scan-control) for details on per-scan performance configuration. ### โœ… Enabling/Disabling Rules * Go to **Burp Bounty Pro** > **Rules** tab * Enable/disable individual rules with the checkbox * Only enabled rules participate in Smart Scan ## ๐Ÿ“ฆ Default Rules Burp Bounty Pro ships with 28 pre-configured rules covering: * ๐Ÿ–ฅ๏ธ **Technology detection** โ€” WordPress, Jira, Spring Boot, Drupal, Symfony, Weblogic, CouchDB, etc. * ๐Ÿ’‰ **Vulnerability parameters** โ€” SQLi, XSS, RCE, LFI, SSRF, SSTI, Open Redirect * ๐ŸŒ **Bulk scanning** โ€” Disabled by default: scan all requests with specific profile groups See [Default Rules](https://docs.bountysecurity.ai/reference/default-rules) for the complete list. ## ๐Ÿ“– Creating Custom Rules See [Creating Rules](https://docs.bountysecurity.ai/rules/creating-rules) for a step-by-step guide.