What is the difference between Burp Bounty (free) and Burp Bounty Pro?
Burp Bounty Pro includes:
- Multi-step scanning profiles
- Global variables system
- Time-based detection engine
- Smart Scan with Rules
- Per-scan configurable thread pools with pause/resume
- Tag-based passive scan launching
- Stop-on-first-match optimization
- 254 default profiles and 27 default rules
- Commercial license and support
Does Burp Bounty Pro work with Burp Suite Community Edition?
Burp Bounty Pro can be installed on Burp Suite Community Edition, but active scanning capabilities are limited because Community Edition restricts scanning features. Burp Suite Professional is recommended for full functionality.
Where are my profiles and settings stored?
Profiles, rules, and settings are stored in Burp Suite's extension settings, which are saved per project. They persist across Burp Suite restarts and extension reloads.
How do I create a new profile?
Go to Burp Bounty Pro > Profiles tab, select the appropriate category (Active, Passive Request, or Passive Response), and click Add. See Creating Active Profiles or Creating Passive Profiles for step-by-step guides.
Can I import/export profiles?
Yes. Select profiles in the table and click Export to save them as .bb JSON files. Click Import to load .bb files. This is the primary way to share profiles with team members.
What is the difference between MatchType 1 and MatchType 2?
MatchType 1 (AND): all grep patterns must match for the issue to be reported.
MatchType 2 (OR): at least one grep pattern must match.
How do I test for time-based vulnerabilities?
Set MatchType to 5 and configure TimeOut1 and TimeOut2 with thresholds in milliseconds. The scanner measures response time and compares it against your thresholds. See Match Types.
What does NotResponse do?
Setting NotResponse: true inverts the match logic: the issue is reported when the grep pattern is NOT found in the response. This is commonly used for detecting missing security headers.
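The three answers above (AND/OR grep matching, time-based matching with TimeOut1/TimeOut2, and NotResponse inversion) can be modelled in a few lines. The following is an added Python example, not Burp Bounty Pro's own code: the Profile class, the evaluate() dispatcher, the sample profiles and the sample responses are all constructed here, and the reading of TimeOut1/TimeOut2 as an inclusive lower/upper bound on response time is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Sequence

# Hypothetical stand-alone model of the matching semantics the FAQ describes.
# The numeric constants mirror the MatchType values the FAQ names
# (1 = AND, 2 = OR, 5 = time-based); field names follow the FAQ's wording.
MATCH_AND, MATCH_OR, MATCH_TIME = 1, 2, 5


@dataclass
class Profile:
    name: str
    greps: Sequence[str] = ()
    match_type: int = MATCH_OR
    not_response: bool = False   # invert: report when the greps do NOT match
    timeout1: int = 0            # lower response-time bound, milliseconds (assumption)
    timeout2: int = 0            # upper response-time bound, milliseconds (assumption)
    regex: bool = True           # treat greps as regular expressions


def grep_matches(profile: Profile, response: str) -> bool:
    """MatchType 1/2: combine grep hits with AND or OR, then apply NotResponse."""
    if profile.match_type not in (MATCH_AND, MATCH_OR):
        raise ValueError(f"{profile.name}: grep matching needs MatchType 1 or 2")
    hits = [
        bool(re.search(g, response)) if profile.regex else (g in response)
        for g in profile.greps
    ]
    matched = all(hits) if profile.match_type == MATCH_AND else any(hits)
    return (not matched) if profile.not_response else matched


def time_matches(profile: Profile, elapsed_ms: float) -> bool:
    """MatchType 5: report when the measured response time lies within
    [TimeOut1, TimeOut2]; this inclusive-range reading is an assumption."""
    if profile.match_type != MATCH_TIME:
        raise ValueError(f"{profile.name}: time matching needs MatchType 5")
    return profile.timeout1 <= elapsed_ms <= profile.timeout2


def evaluate(profile: Profile, response: str, elapsed_ms: float) -> bool:
    """Dispatch on MatchType so a caller can treat both kinds of profile alike."""
    if profile.match_type == MATCH_TIME:
        return time_matches(profile, elapsed_ms)
    return grep_matches(profile, response)


# Constructed sample profiles and responses (not shipped Burp Bounty profiles).
SQL_ERROR_AND = Profile("sql_error_and", greps=[r"SQL syntax", r"mysql_fetch"], match_type=MATCH_AND)
SQL_ERROR_OR = Profile("sql_error_or", greps=[r"SQL syntax", r"mysql_fetch"], match_type=MATCH_OR)
MISSING_XFO = Profile("missing_x_frame_options", greps=["X-Frame-Options"], not_response=True, regex=False)
TIME_SQLI = Profile("time_based_sqli", match_type=MATCH_TIME, timeout1=5000, timeout2=20000)

FULL_ERROR = "Warning: mysql_fetch_array(): You have an error in your SQL syntax"
PARTIAL_ERROR = "You have an error in your SQL syntax near line 1"
HEADERS_WITH_XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n"
HEADERS_WITHOUT_XFO = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print("AND on full error:", evaluate(SQL_ERROR_AND, FULL_ERROR, 0))
    print("AND on partial error:", evaluate(SQL_ERROR_AND, PARTIAL_ERROR, 0))
    print("OR on partial error:", evaluate(SQL_ERROR_OR, PARTIAL_ERROR, 0))
    print("missing X-Frame-Options:", evaluate(MISSING_XFO, HEADERS_WITHOUT_XFO, 0))
    print("time-based at 6.2 s:", evaluate(TIME_SQLI, "", 6200))
```

The missing-header profile shows why NotResponse exists: the grep "X-Frame-Options" fails on the response that lacks the header, and the inversion turns that failure into a reported issue, while the response that carries the header stays quiet.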
How do multi-step profiles work?
Multi-step profiles execute a sequence of scanning steps. Each step can have its own payloads, grep patterns, and insertion points. Cookies can be shared between steps using reuseCookie: true. See Multi-Step Profiles.
How do I tag passive profiles?
All three profile tables (Active, Passive Request, Passive Response) support tagging. Select one or more profiles, right-click, and choose Set New Tag. Enter the tag name and it is added to all selected profiles. Tags appear in the Tags column and in the passive scan context menu.
Yes. All three profile tables now have the same columns: Enabled, Profile Name, Tags, and Author's Twitter. The right-click context menu also includes Enable, Disable, and Set New Tag on all three tables.
Scanner settings (Threads, Concurrency, Requests per second) are configured per scan in the URL Filter popup that appears before each scan. This lets you run different scans with different performance settings simultaneously.
Where did the thread settings in the Options tab go?
Thread pool size, concurrency, and requests per second have been moved from the global Options tab to the per-scan URL Filter popup. This allows each scan to have independent performance settings. Default values are 10 threads / 10 concurrency / 10 requests per second.
Can I run multiple scans with different thread settings?
Yes. Each scan creates its own independent thread pool. You can run one scan with 20 threads against a robust target and another with 2 threads against a rate-limited target, simultaneously.
How does pause/resume work?
Burp Bounty Pro uses a custom PausableThreadPoolExecutor that truly pauses threads without destroying them:
- When you click Pause All, each thread blocks at a safe synchronization point using Condition.await()
- No scan progress is lost; threads resume from exactly where they paused
- When you click Resume All, Condition.signalAll() wakes all blocked threads
- Paused time is tracked and excluded from scan duration and timeout calculations
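The pause/resume mechanism described above is straightforward to reproduce with a condition variable. What follows is an added Python model written for this FAQ, not the extension's PausableThreadPoolExecutor (which is Java): workers park on a threading.Condition at a checkpoint before each task, resume_all() wakes them with notify_all(), and paused time is tracked so the timeout check can exclude it. The class name, the demo and the timing values are all constructed.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor, wait


class PausableExecutor:
    """Hypothetical Python model of a pausable pool: workers park at a safe
    checkpoint on a Condition while paused and are woken by notify_all() on
    resume. Paused time is tracked so it can be excluded from duration checks."""

    def __init__(self, max_workers: int):
        self._pool = ThreadPoolExecutor(max_workers=max_workers)
        self._cond = threading.Condition()
        self._paused = False
        self._pause_started = None     # monotonic timestamp of the current pause
        self._paused_total = 0.0       # seconds spent paused so far
        self._started = time.monotonic()

    def _checkpoint(self) -> None:
        # Safe synchronization point: entered before each task starts, so a
        # paused worker never holds a half-finished task.
        with self._cond:
            while self._paused:
                self._cond.wait()

    def submit(self, fn, *args):
        def wrapped():
            self._checkpoint()
            return fn(*args)
        return self._pool.submit(wrapped)

    def pause_all(self) -> None:
        with self._cond:
            if not self._paused:
                self._paused = True
                self._pause_started = time.monotonic()

    def resume_all(self) -> None:
        with self._cond:
            if self._paused:
                self._paused_total += time.monotonic() - self._pause_started
                self._pause_started = None
                self._paused = False
                self._cond.notify_all()   # wake every parked worker

    def paused_seconds(self) -> float:
        with self._cond:
            current = time.monotonic() - self._pause_started if self._paused else 0.0
            return self._paused_total + current

    def wall_seconds(self) -> float:
        return time.monotonic() - self._started

    def active_seconds(self) -> float:
        """Wall-clock time since start minus time spent paused."""
        return self.wall_seconds() - self.paused_seconds()

    def exceeded_timeout(self, limit_seconds: float) -> bool:
        """Timeout check that ignores paused time, as the FAQ describes."""
        return self.active_seconds() > limit_seconds

    def shutdown(self) -> None:
        self._pool.shutdown(wait=True)


def run_demo() -> dict:
    """Pause before work is submitted, confirm nothing runs, resume, confirm all ran."""
    done = []
    pool = PausableExecutor(max_workers=2)
    pool.pause_all()
    futures = [pool.submit(lambda i: done.append(i), i) for i in range(4)]
    time.sleep(0.5)                      # simulated operator pause
    done_while_paused = len(done)
    pool.resume_all()
    wait(futures)
    pool.shutdown()
    return {
        "done_while_paused": done_while_paused,
        "done_after_resume": len(done),
        "paused_seconds": pool.paused_seconds(),
        "wall_seconds": pool.wall_seconds(),
        "active_seconds": pool.active_seconds(),
        "timed_out_at_0_3s": pool.exceeded_timeout(0.3),
    }


if __name__ == "__main__":
    print(run_demo())
```

The demo pauses for half a second with a 0.3 s timeout: wall-clock time exceeds the limit, but because the paused interval is subtracted the scan is not marked as timed out, which is the behaviour the FAQ's "Failed" troubleshooting note relies on.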
Why are my scans slow?
Common causes:
- Too many profiles enabled: disable profiles you don't need
- Too many insertion points: use only relevant insertion point types per profile
- Thread count too low: increase threads in the per-scan popup (try 20-30)
- Low RPS setting: increase requests per second if the target can handle it
- Following too many redirects: reduce MaxRedir values
How does stop-on-first-match work?
When a payload matches for a given profile and insertion point, a shared flag is set. Other tasks for the same combination check this flag and skip execution. This prevents reporting 6+ duplicate issues per insertion point. See Scan Control.
Why do I see duplicate issues?
Due to the parallel nature of scanning, 2 tasks may occasionally both pass the match check before one sets the flag. This is a benign race condition: the maximum duplication is 2 instead of N payloads.
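The two answers above describe a shared flag per (profile, insertion point) combination and the small window in which two tasks can both pass the check. The added Python example below is not Burp Bounty Pro's code; it models the same idea with a registry whose claim() performs the check-and-set under a lock, so that even when every payload matches, exactly one issue is reported. The payload list and the oracle that stands in for "send the request and run the grep" are constructed.

```python
import threading
from concurrent.futures import ThreadPoolExecutor, wait


class FirstMatchRegistry:
    """Shared flags keyed by (profile, insertion point). Hypothetical model of
    the stop-on-first-match behaviour the FAQ describes; claim() makes the
    check-and-set atomic so a combination is reported at most once."""

    def __init__(self):
        self._lock = threading.Lock()
        self._matched = set()

    def already_matched(self, key) -> bool:
        # Cheap unsynchronised early exit; a stale read only costs one extra request.
        return key in self._matched

    def claim(self, key) -> bool:
        """Return True for exactly one caller per key, even under contention."""
        with self._lock:
            if key in self._matched:
                return False
            self._matched.add(key)
            return True


def scan_combination(profile, insertion_point, payloads, oracle, registry, workers=8):
    """Send every payload for one profile/insertion-point pair in parallel and
    report the first match only. oracle(payload) stands in for sending the
    request and running the grep; here it is a constructed stub."""
    key = (profile, insertion_point)
    issues, skipped = [], []          # list.append is atomic under CPython's GIL

    def task(payload):
        if registry.already_matched(key):
            skipped.append(payload)   # flag already set: skip the request entirely
            return
        if oracle(payload) and registry.claim(key):
            issues.append((profile, insertion_point, payload))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        wait([pool.submit(task, p) for p in payloads])
    return issues, skipped


# Constructed probe strings; the stub oracle "matches" any probe containing a
# single quote, standing in for an error-based grep on the response.
PAYLOADS = [f"probe-{i}'" for i in range(6)] + ["probe-6", "probe-7"]


def quote_oracle(payload: str) -> bool:
    return "'" in payload


def run_demo() -> dict:
    registry = FirstMatchRegistry()
    key = ("sql_error", "url_param:id")
    issues, skipped = scan_combination(key[0], key[1], PAYLOADS, quote_oracle, registry)
    return {
        "reported": len(issues),
        "skipped": len(skipped),
        "flag_set": registry.already_matched(key),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the flag is set inside claim() under the lock rather than after a separate check, the at-most-two duplication the FAQ mentions collapses to at most one; the unsynchronised already_matched() read is kept only as an optimisation to skip requests early.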
How do I use Burp Collaborator with profiles?
Use the {BC} variable in your payloads. Each occurrence generates a unique Burp Collaborator subdomain. The scanner polls Collaborator for interactions and reports issues when callbacks are received.
What is Smart Scan?
Smart Scan uses Rules to automatically trigger active scanning when passive conditions are detected. For example: if a passive profile detects WordPress, a rule can automatically run all WordPress vulnerability profiles. See Smart Scan.
Right-click on one or more requests, select Passive Scan, then choose from the tag-based submenu:
- All: run all passive profiles
- Passive Request > Tag Name: run only request profiles with that tag
- Passive Response > Tag Name: run only response profiles with that tag
Each entry shows a count of matching profiles (e.g., "Security_Headers (15)").
What is Live Passive Scan?
The Live Passive Scan toggle in the Dashboard enables automatic passive scanning of all HTTP traffic flowing through Burp Suite. When enabled, every request and response is analyzed by the enabled passive profiles in real time. The "Scope Only" checkbox restricts this to in-scope targets only.
How do Rules work?
Rules follow an IF-THEN pattern:
- IF one or more passive profiles match the traffic
- THEN execute specific active profiles or all profiles with a tag
See Rules Overview.
What is the difference between "All Matches" and "First Match" scope?
All Matches: execute the active profiles every time the passive condition matches
First Match: execute only the first time the condition matches (per host)
Why are some default rules disabled?
The four bulk scanning rules ("Scan all requests with...") are disabled by default because they trigger active profiles on every request, which can consume excessive resources. Enable them only when scanning small, specific targets.
What settings are used for scans triggered by rules?
When Smart Scan rules automatically trigger active scans (without a manual popup), default values of 10 threads, 10 concurrency, and 10 RPS are used.
How do I change the redirect domain?
Go to Burp Bounty Pro > Variables tab. Edit the {REDIRECT_DOMAIN} variable (default: bountysecurity.ai) to your preferred domain.
Can I add custom variables?
Yes. Go to the Variables tab, click Add, and define a name and value. Your variable is immediately available as {YOUR_VARIABLE_NAME} in all profiles. See Global Variables.
{BC} is a special variable that generates a unique Burp Collaborator subdomain. Use it for out-of-band vulnerability detection (SSRF, blind XSS, blind RCE, etc.).
Troubleshooting
Profiles are not loading on first launch
Ensure the BurpBountyData directory is present alongside the extension JAR. The extension auto-loads profiles from this directory on first launch.
Scan is marked as "Failed"
This means the scan exceeded the configured timeout. Increase the timeout in Options or reduce the scope of the scan.
Note: paused time does not count toward the timeout. If a scan is paused for 30 minutes, those minutes are not counted.
No issues are being found
Check that:
- Profiles are enabled in the Profiles tab
- The profile's insertion point types match the target request structure
- The profile's grep patterns are correct for the expected response
- Response filters (content-type, status code, URL extension) are not excluding your target responses
- Redirect settings are appropriate; some vulnerabilities only appear after following redirects
Extension is consuming too much memory
- Reduce the number of enabled profiles
- Lower the thread count in the per-scan popup
- Disable bulk scanning rules
- Use Tags and Rules for targeted scanning instead of running all profiles
- Reduce Max Concurrent Scans in Options
Passive scan context menu doesn't show tags
Tags only appear in the submenu for enabled profiles. If you have disabled all profiles with a certain tag, that tag will not appear. Enable the relevant profiles and the tags will appear with their counts.