# Global Variables

Global variables are dynamic placeholders that are replaced with actual values at runtime. They can be used in payloads, grep patterns, and raw request templates to make profiles reusable and configurable.

## 📝 Variable Syntax

Variables use curly brace syntax: `{VARIABLE_NAME}`

```
http://{REDIRECT_DOMAIN}/callback
{CURRENT_HOST}:{CURRENT_PORT}
```

## ⚙️ User-Configurable Variables

These variables have default values that can be customized in the **Variables** tab:

| Variable             | Default Value                  | Description                                  |
| -------------------- | ------------------------------ | -------------------------------------------- |
| `{REDIRECT_DOMAIN}`  | `bountysecurity.ai`            | 🔄 Domain for open redirect and SSRF testing |
| `{ATTACKER_DOMAIN}`  | `yourdomain.com`               | 🏴‍☠️ General attacker-controlled domain     |
| `{XXE_FILE}`         | `/etc/passwd`                  | 🐧 File path for Linux XXE payload           |
| `{XXE_GREP}`         | `root:x`                       | 🔍 Expected content for Linux XXE match      |
| `{XXE_FILE_B64}`     | `ZmlsZTovLy9ldGMvcGFzc3dk`     | 🔒 Base64-encoded Linux file path for XXE    |
| `{XXE_GREP_B64}`     | `cm9vdD`                       | 🔒 Base64-encoded content for XXE match      |
| `{XXE_WIN_FILE}`     | `c:/boot.ini`                  | 🪟 File path for Windows XXE payload         |
| `{XXE_WIN_GREP}`     | `boot loader`                  | 🔍 Expected content for Windows XXE match    |
| `{XXE_WIN_FILE_B64}` | `ZmlsZTovLy9jOi9ib290LmluaQ==` | 🔒 Base64-encoded Windows file path          |
| `{RCE_FILE}`         | `/etc/passwd`                  | 📁 File path for RCE verification            |
| `{RCE_COMMAND}`      | `id`                           | ⚡ Command for RCE testing                    |

### ✏️ Modifying Default Values

1. Go to **Burp Bounty Pro** > **Variables** tab
2. 🖱️ Double-click a variable to edit its value
3. 💾 Click **Save**

Changes are persisted in Burp Suite's extension settings and applied to all profiles at runtime.

### ➕ Adding Custom Variables

1. Go to **Burp Bounty Pro** > **Variables** tab
2. Click **Add**
3. Enter the variable name (without curly braces) and value
4. ✅ The variable is immediately available as `{YOUR_VARIABLE_NAME}` in all profiles

### 🗑️ Removing Variables

1. Select the variable in the table
2. Click **Remove**

> ⚠️ **Note:** Removing a default variable means any profiles using it will have the variable string left unresolved. Only remove variables you're sure are not used.

## 📡 Context Variables (Auto-Populated)

These variables are automatically populated from the current request being scanned:

### 🔗 Request URL Variables

| Variable              | Description            | Example                         |
| --------------------- | ---------------------- | ------------------------------- |
| `{CURRENT_URL}`       | 🔗 Full request URL    | `https://example.com/path?id=1` |
| `{CURRENT_HOST}`      | 🖥️ Target hostname    | `example.com`                   |
| `{CURRENT_PROTOCOL}`  | 🔒 Protocol scheme     | `https`                         |
| `{CURRENT_PORT}`      | 🔢 Target port         | `443`                           |
| `{CURRENT_PATH}`      | 📂 URL path            | `/path`                         |
| `{CURRENT_QUERY}`     | ❓ Query string         | `id=1`                          |
| `{CURRENT_FILE}`      | 📄 File component      | `page.html`                     |
| `{CURRENT_SUBDOMAIN}` | 🌐 Extracted subdomain | `api` (from `api.example.com`)  |
| `{CURRENT_METHOD}`    | 📡 HTTP method         | `GET`                           |

### 📋 Request Header Variables

| Variable                    | Description                     |
| --------------------------- | ------------------------------- |
| `{CURRENT_USER_AGENT}`      | 🖥️ User-Agent header value     |
| `{CURRENT_COOKIES}`         | 🍪 Cookie header value          |
| `{CURRENT_REFERER}`         | 🔗 Referer header value         |
| `{CURRENT_ORIGIN}`          | 🌐 Origin header value          |
| `{CURRENT_CONTENT_TYPE}`    | 📄 Content-Type header value    |
| `{CURRENT_ACCEPT}`          | ✅ Accept header value           |
| `{CURRENT_ACCEPT_LANGUAGE}` | 🌍 Accept-Language header value |
| `{CURRENT_ACCEPT_ENCODING}` | 📦 Accept-Encoding header value |
| `{CURRENT_CONTENT_LENGTH}`  | 📏 Content-Length header value  |

### 📍 Insertion Point Variables

| Variable                          | Description                                              |
| --------------------------------- | -------------------------------------------------------- |
| `{CURRENT_INSERTION_POINT_VALUE}` | 📍 The current value of the insertion point being tested |
| `{CURRENT_INSERTION_POINT_NAME}`  | 🏷️ The name of the insertion point being tested         |

## ⚡ Special Variables

### 🌐 Burp Collaborator

| Variable | Description                                       |
| -------- | ------------------------------------------------- |
| `{BC}`   | 🌐 Generates a unique Burp Collaborator subdomain |

Use `{BC}` for out-of-band vulnerability detection. Each occurrence generates a unique subdomain that Burp Collaborator monitors for interactions.

```json
{
  "Payloads": [
    "true,http://{BC}/test",
    "true,${jndi:ldap://{BC}/a}"
  ]
}
```

### 🎲 Random Values

| Variable               | Description                                |
| ---------------------- | ------------------------------------------ |
| `{RANDOM}`             | 🔤 Unique identifier (ULID format)         |
| `{RANDOM_ALPHANUM_8}`  | 🔤 8-character random alphanumeric string  |
| `{RANDOM_ALPHANUM_16}` | 🔤 16-character random alphanumeric string |

Use random values for cache busting, unique markers, or canary tokens:

```json
{
  "Payloads": [
    "true,{RANDOM_ALPHANUM_8}<script>alert(1)</script>"
  ],
  "Grep": [
    "true,,Simple String,,{RANDOM_ALPHANUM_8}<script>alert(1)</script>"
  ]
}
```

## 📡 Raw Request Variables

These variables are specifically for use in [Raw Request](/profiles/raw-request.md) mode:

| Variable        | Description                          |
| --------------- | ------------------------------------ |
| `{PAYLOAD}`     | 💉 The current payload being tested  |
| `{PAYLOAD_URL}` | 🔗 The current payload, URL-encoded  |
| `{URL}`         | 🔗 The full target URL               |
| `{COOKIE}`      | 🍪 Cookies from the original request |

## ⚙️ Variable Replacement Order

Variables are replaced in this order during scanning:

1. 🌐 **Global/user-defined variables** from VariablesManager (`{REDIRECT_DOMAIN}`, `{ATTACKER_DOMAIN}`, custom variables)
2. 📡 **Context variables** from the current request (`{CURRENT_HOST}`, `{CURRENT_PATH}`, etc.)
3. ⚡ **Special variables** (`{BC}`, `{RANDOM}`, etc.)

Variables are replaced in both **payloads** and **grep patterns**, so you can use variables on both sides:

```json
{
  "Payloads": ["true,http://{REDIRECT_DOMAIN}"],
  "Grep": ["true,,Simple String,,Location: http://{REDIRECT_DOMAIN}"]
}
```
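To make the three-tier replacement order and the `CURRENT_*` derivation concrete, here is an added, stand-alone Python resolver that is not Burp Bounty Pro's own code: the VariablesManager lookup, the way context values are split out of a URL, and the handling of random markers are modelled as plain functions and are assumptions, not the extension's implementation.

```python
"""Added example: a minimal resolver for the {VARIABLE} placeholder syntax on
this page. Not Burp Bounty Pro's code; tier lookups are modelled, not copied."""
import re
import secrets
import string
from typing import Optional
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\{([A-Z0-9_]+)\}")

# Tier 1: user-configurable defaults from the Variables tab (constructed sample data).
GLOBAL_VARS = {"REDIRECT_DOMAIN": "bountysecurity.ai", "ATTACKER_DOMAIN": "yourdomain.com"}


def context_vars(url: str, method: str = "GET") -> dict:
    """Tier 2: derive the CURRENT_* variables from the request being scanned."""
    u = urlsplit(url)
    host = u.hostname or ""
    labels = host.split(".")
    path = u.path or "/"
    return {
        "CURRENT_URL": url,
        "CURRENT_HOST": host,
        "CURRENT_PROTOCOL": u.scheme,
        "CURRENT_PORT": str(u.port or (443 if u.scheme == "https" else 80)),
        "CURRENT_PATH": path,
        "CURRENT_QUERY": u.query,
        "CURRENT_FILE": path.rsplit("/", 1)[-1],
        # Assumption: subdomain = labels left of a two-label registrable name.
        "CURRENT_SUBDOMAIN": ".".join(labels[:-2]) if len(labels) > 2 else "",
        "CURRENT_METHOD": method,
    }


def special_vars() -> dict:
    """Tier 3: random markers. Assumption: generated once per request so the
    same token can appear in both a payload and its grep pattern."""
    alphabet = string.ascii_letters + string.digits
    return {f"RANDOM_ALPHANUM_{n}": "".join(secrets.choice(alphabet) for _ in range(n))
            for n in (8, 16)}


def resolve(template: str, url: str, method: str = "GET",
            specials: Optional[dict] = None) -> str:
    """Replace placeholders in the documented order: global -> context -> special.
    Unknown names are left as-is, which is what the page warns happens when a
    default variable has been removed but a profile still references it."""
    tiers = [GLOBAL_VARS, context_vars(url, method),
             specials if specials is not None else special_vars()]
    for table in tiers:
        template = PLACEHOLDER.sub(lambda m: table.get(m.group(1), m.group(0)), template)
    return template
```

Passing an explicit `specials` dict pins the random markers so a payload and its grep pattern resolve to the same token; calling `resolve` without it draws fresh values.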

## 📚 Examples

### 🔄 Open Redirect Testing

```json
{
  "Payloads": [
    "true,http://{REDIRECT_DOMAIN}",
    "true,//{REDIRECT_DOMAIN}",
    "true,{CURRENT_PROTOCOL}://{CURRENT_HOST}@{REDIRECT_DOMAIN}"
  ],
  "Grep": [
    "true,,Simple String,,Location: http://{REDIRECT_DOMAIN}",
    "true,OR,Simple String,,Location: //{REDIRECT_DOMAIN}"
  ]
}
```

### 🌐 SSRF with Collaborator

```json
{
  "Payloads": [
    "true,http://{BC}",
    "true,https://{BC}/test",
    "true,http://{BC}:80/callback"
  ]
}
```

### 💉 Parameter Pollution

```json
{
  "Payloads": [
    "true,{CURRENT_INSERTION_POINT_VALUE}&url=http://{REDIRECT_DOMAIN}",
    "true,{CURRENT_INSERTION_POINT_VALUE}&redirect=http://{REDIRECT_DOMAIN}"
  ]
}
```
