# Global Variables

Global variables are dynamic placeholders that are replaced with actual values at runtime. They can be used in payloads, grep patterns, and raw request templates to make profiles reusable and configurable.

## 📝 Variable Syntax

Variables use curly brace syntax: `{VARIABLE_NAME}`

```
http://{REDIRECT_DOMAIN}/callback
{CURRENT_HOST}:{CURRENT_PORT}
```

## ⚙️ User-Configurable Variables

These variables have default values that can be customized in the **Variables** tab:

| Variable             | Default Value                  | Description                                  |
| -------------------- | ------------------------------ | -------------------------------------------- |
| `{REDIRECT_DOMAIN}`  | `bountysecurity.ai`            | 🔄 Domain for open redirect and SSRF testing |
| `{ATTACKER_DOMAIN}`  | `yourdomain.com`               | 🏴‍☠️ General attacker-controlled domain     |
| `{XXE_FILE}`         | `/etc/passwd`                  | 🐧 File path for Linux XXE payload           |
| `{XXE_GREP}`         | `root:x`                       | 🔍 Expected content for Linux XXE match      |
| `{XXE_FILE_B64}`     | `ZmlsZTovLy9ldGMvcGFzc3dk`     | 🔒 Base64-encoded Linux file path for XXE    |
| `{XXE_GREP_B64}`     | `cm9vdD`                       | 🔒 Base64-encoded content for XXE match      |
| `{XXE_WIN_FILE}`     | `c:/boot.ini`                  | 🪟 File path for Windows XXE payload         |
| `{XXE_WIN_GREP}`     | `boot loader`                  | 🔍 Expected content for Windows XXE match    |
| `{XXE_WIN_FILE_B64}` | `ZmlsZTovLy9jOi9ib290LmluaQ==` | 🔒 Base64-encoded Windows file path          |
| `{RCE_FILE}`         | `/etc/passwd`                  | 📁 File path for RCE verification            |
| `{RCE_COMMAND}`      | `id`                           | ⚡ Command for RCE testing                    |

### ✏️ Modifying Default Values

1. Go to **Burp Bounty Pro** > **Variables** tab
2. 🖱️ Double-click a variable to edit its value
3. 💾 Click **Save**

Changes are persisted in Burp Suite's extension settings and applied to all profiles at runtime.

### ➕ Adding Custom Variables

1. Go to **Burp Bounty Pro** > **Variables** tab
2. Click **Add**
3. Enter the variable name (without curly braces) and value
4. ✅ The variable is immediately available as `{YOUR_VARIABLE_NAME}` in all profiles

### 🗑️ Removing Variables

1. Select the variable in the table
2. Click **Remove**

> ⚠️ **Note:** Removing a default variable means any profiles using it will have the variable string left unresolved. Only remove variables you're sure are not used.

## 📡 Context Variables (Auto-Populated)

These variables are automatically populated from the current request being scanned:

### 🔗 Request URL Variables

| Variable              | Description            | Example                         |
| --------------------- | ---------------------- | ------------------------------- |
| `{CURRENT_URL}`       | 🔗 Full request URL    | `https://example.com/path?id=1` |
| `{CURRENT_HOST}`      | 🖥️ Target hostname    | `example.com`                   |
| `{CURRENT_PROTOCOL}`  | 🔒 Protocol scheme     | `https`                         |
| `{CURRENT_PORT}`      | 🔢 Target port         | `443`                           |
| `{CURRENT_PATH}`      | 📂 URL path            | `/path`                         |
| `{CURRENT_QUERY}`     | ❓ Query string         | `id=1`                          |
| `{CURRENT_FILE}`      | 📄 File component      | `page.html`                     |
| `{CURRENT_SUBDOMAIN}` | 🌐 Extracted subdomain | `api` (from `api.example.com`)  |
| `{CURRENT_METHOD}`    | 📡 HTTP method         | `GET`                           |

### 📋 Request Header Variables

| Variable                    | Description                     |
| --------------------------- | ------------------------------- |
| `{CURRENT_USER_AGENT}`      | 🖥️ User-Agent header value     |
| `{CURRENT_COOKIES}`         | 🍪 Cookie header value          |
| `{CURRENT_REFERER}`         | 🔗 Referer header value         |
| `{CURRENT_ORIGIN}`          | 🌐 Origin header value          |
| `{CURRENT_CONTENT_TYPE}`    | 📄 Content-Type header value    |
| `{CURRENT_ACCEPT}`          | ✅ Accept header value           |
| `{CURRENT_ACCEPT_LANGUAGE}` | 🌍 Accept-Language header value |
| `{CURRENT_ACCEPT_ENCODING}` | 📦 Accept-Encoding header value |
| `{CURRENT_CONTENT_LENGTH}`  | 📏 Content-Length header value  |

### 📍 Insertion Point Variables

| Variable                          | Description                                              |
| --------------------------------- | -------------------------------------------------------- |
| `{CURRENT_INSERTION_POINT_VALUE}` | 📍 The current value of the insertion point being tested |
| `{CURRENT_INSERTION_POINT_NAME}`  | 🏷️ The name of the insertion point being tested         |

## ⚡ Special Variables

### 🌐 Burp Collaborator

| Variable | Description                                       |
| -------- | ------------------------------------------------- |
| `{BC}`   | 🌐 Generates a unique Burp Collaborator subdomain |

Use `{BC}` for out-of-band vulnerability detection. Each occurrence generates a unique subdomain that Burp Collaborator monitors for interactions.

```json
{
  "Payloads": [
    "true,http://{BC}/test",
    "true,${jndi:ldap://{BC}/a}"
  ]
}
```

### 🎲 Random Values

| Variable               | Description                                |
| ---------------------- | ------------------------------------------ |
| `{RANDOM}`             | 🔤 Unique identifier (ULID format)         |
| `{RANDOM_ALPHANUM_8}`  | 🔤 8-character random alphanumeric string  |
| `{RANDOM_ALPHANUM_16}` | 🔤 16-character random alphanumeric string |

Use random values for cache busting, unique markers, or canary tokens:

```json
{
  "Payloads": [
    "true,{RANDOM_ALPHANUM_8}<script>alert(1)</script>"
  ],
  "Grep": [
    "true,,Simple String,,{RANDOM_ALPHANUM_8}<script>alert(1)</script>"
  ]
}
```

## 📡 Raw Request Variables

These variables are specifically for use in [Raw Request](https://docs.bountysecurity.ai/profiles/raw-request) mode:

| Variable        | Description                          |
| --------------- | ------------------------------------ |
| `{PAYLOAD}`     | 💉 The current payload being tested  |
| `{PAYLOAD_URL}` | 🔗 The current payload, URL-encoded  |
| `{URL}`         | 🔗 The full target URL               |
| `{COOKIE}`      | 🍪 Cookies from the original request |

## ⚙️ Variable Replacement Order

Variables are replaced in this order during scanning:

1. 🌐 **Global/user-defined variables** from VariablesManager (`{REDIRECT_DOMAIN}`, `{ATTACKER_DOMAIN}`, custom variables)
2. 📡 **Context variables** from the current request (`{CURRENT_HOST}`, `{CURRENT_PATH}`, etc.)
3. ⚡ **Special variables** (`{BC}`, `{RANDOM}`, etc.)

Variables are replaced in both **payloads** and **grep patterns**, so you can use variables on both sides:

```json
{
  "Payloads": ["true,http://{REDIRECT_DOMAIN}"],
  "Grep": ["true,,Simple String,,Location: http://{REDIRECT_DOMAIN}"]
}
```
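As an added example (not the extension's own code), this Python models the three-phase replacement order described above, together with the `{CURRENT_*}` extraction from the Context Variables section and the shared random canary values from the Random Values section. The derivation of `{CURRENT_FILE}` and `{CURRENT_SUBDOMAIN}`, the per-probe sharing of `{RANDOM_*}` values and the `collab.example` Collaborator domain are assumptions of this model.

```python
import re
import secrets
import string
from urllib.parse import urlsplit

# User-configurable defaults from the Variables tab (a subset of the page's table).
GLOBAL_VARS = {"REDIRECT_DOMAIN": "bountysecurity.ai",
               "ATTACKER_DOMAIN": "yourdomain.com", "RCE_COMMAND": "id"}
VAR_RE = re.compile(r"\{([A-Z0-9_]+)\}")
ALNUM = string.ascii_letters + string.digits


def context_vars(url: str, method: str = "GET") -> dict:
    """Phase 2: derive the {CURRENT_*} variables from the request being scanned.
    How the real extension picks the file and subdomain parts is an assumption."""
    p = urlsplit(url)
    host = p.hostname or ""
    labels = host.split(".")
    return {
        "CURRENT_URL": url, "CURRENT_HOST": host, "CURRENT_PROTOCOL": p.scheme,
        "CURRENT_PORT": str(p.port or (443 if p.scheme == "https" else 80)),
        "CURRENT_PATH": p.path, "CURRENT_QUERY": p.query,
        "CURRENT_FILE": p.path.rsplit("/", 1)[-1],
        "CURRENT_SUBDOMAIN": labels[0] if len(labels) > 2 else "",
        "CURRENT_METHOD": method,
    }


def new_probe() -> dict:
    """Phase 3 random values for one payload/grep pair. Assumption: both sides of
    the pair see the same value, which the canary-token example above relies on."""
    return {f"RANDOM_ALPHANUM_{n}": "".join(secrets.choice(ALNUM) for _ in range(n))
            for n in (8, 16)}


def resolve(template: str, ctx: dict, probe: dict, collab_domain: str) -> str:
    """Replace variables in the documented order: global, context, then special.
    Unknown names stay as literal text, as the note on removed variables says."""
    def phase(text: str, mapping: dict) -> str:
        return VAR_RE.sub(lambda m: mapping.get(m.group(1), m.group(0)), text)

    out = phase(phase(template, GLOBAL_VARS), ctx)
    # Special variables: every {BC} occurrence gets its own unique subdomain.
    out = re.sub(r"\{BC\}", lambda _m: f"{secrets.token_hex(8)}.{collab_domain}", out)
    return phase(out, probe)


if __name__ == "__main__":
    ctx = context_vars("https://api.example.com/path/page.html?id=1")
    print(resolve("{CURRENT_PROTOCOL}://{CURRENT_HOST}@{REDIRECT_DOMAIN}", ctx, new_probe(), "collab.example"))
```

Resolving the same template twice with one `probe` yields identical `{RANDOM_*}` values, so a grep pattern built from the same probe matches the payload it was sent with.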

## 📚 Examples

### 🔄 Open Redirect Testing

```json
{
  "Payloads": [
    "true,http://{REDIRECT_DOMAIN}",
    "true,//{REDIRECT_DOMAIN}",
    "true,{CURRENT_PROTOCOL}://{CURRENT_HOST}@{REDIRECT_DOMAIN}"
  ],
  "Grep": [
    "true,,Simple String,,Location: http://{REDIRECT_DOMAIN}",
    "true,OR,Simple String,,Location: //{REDIRECT_DOMAIN}"
  ]
}
```

### 🌐 SSRF with Collaborator

```json
{
  "Payloads": [
    "true,http://{BC}",
    "true,https://{BC}/test",
    "true,http://{BC}:80/callback"
  ]
}
```

### 💉 Parameter Pollution

```json
{
  "Payloads": [
    "true,{CURRENT_INSERTION_POINT_VALUE}&url=http://{REDIRECT_DOMAIN}",
    "true,{CURRENT_INSERTION_POINT_VALUE}&redirect=http://{REDIRECT_DOMAIN}"
  ]
}
```
