🐛Issue Properties

Issue properties define how detected vulnerabilities are reported in Burp Suite. Each profile configures the issue name, severity, confidence, and detailed description.

📋 Issue Fields

📝 Issue Name (`IssueName`)

The title of the vulnerability as it appears in Burp Suite's issue list.

{
  "IssueName": "Reflected Cross-Site Scripting (XSS)"
}

💡 Best practices:

✅ Use descriptive names that identify the vulnerability type
🐛 Include the CVE number for known vulnerabilities (e.g., CVE-2021-44228 Log4j RCE)
📝 Keep names concise but informative

⚠️ Issue Severity (`IssueSeverity`)

The severity level of the vulnerability:

Value

Description

When to Use

🔴 High

Critical vulnerability

RCE, SQLi, authentication bypass, data breach

🟠 Medium

Significant vulnerability

XSS, CSRF, open redirect, SSRF

🟡 Low

Minor vulnerability

CORS misconfiguration, information disclosure

🔵 Information

Informational finding

Technology detection, missing headers, interesting parameters

⚪ False positive

Known false positive

Mark findings that are not actual vulnerabilities

🎯 Issue Confidence (`IssueConfidence`)

The confidence level of the detection:

Value

Description

When to Use

✅ Certain

Verified vulnerability

Response clearly confirms the vulnerability (e.g., payload reflected exactly)

🟢 Firm

Likely vulnerability

Strong indicators but not 100% confirmed

🟡 Tentative

Possible vulnerability

Weak indicators, requires manual verification

📄 Issue Detail (`IssueDetail`)

The detailed description of the finding. Supports HTML formatting and dynamic placeholders.

🔧 Placeholders

Placeholder

Replaced With

<payload>

💉 The actual payload that was sent

<grep>

🔍 The grep pattern that matched

📝 Example

{
  "IssueDetail": "<br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>"
}

At runtime, this renders as:

- PAYLOAD:
<script>alert(1)</script>

- GREP:
<script>alert(1)</script>

📚 Detailed Example with Background

{
  "IssueDetail": "The application is vulnerable to reflected XSS. The following payload was injected and reflected in the response without proper encoding:\n\n<br/><br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>\n\n<br/><br/>This allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session."
}

📖 Issue Background (`IssueBackground`)

General background information about the vulnerability type. This appears in the "Issue background" section of Burp's issue details.

{
  "IssueBackground": "Cross-Site Scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. These scripts can steal session tokens, redirect users to malicious sites, or modify page content."
}

🔧 Remediation Detail (`RemediationDetail`)

Specific remediation guidance for the detected vulnerability.

{
  "RemediationDetail": "Implement proper output encoding for all user-supplied input. Use context-appropriate encoding (HTML entity encoding for HTML contexts, JavaScript encoding for JS contexts). Consider implementing a Content Security Policy (CSP) as a defense-in-depth measure."
}

📖 Remediation Background (`RemediationBackground`)

General remediation background information about the vulnerability class.

{
  "RemediationBackground": "Input validation and output encoding are the primary defenses against injection vulnerabilities. Always validate input on the server side and encode output based on the context where it will be rendered."
}

📚 Complete Example

{
  "IssueName": "SQL Injection",
  "IssueSeverity": "High",
  "IssueConfidence": "Firm",
  "IssueDetail": "A potential SQL injection vulnerability was detected. The following payload caused an anomalous response:\n\n<br/><br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>",
  "IssueBackground": "SQL injection vulnerabilities arise when user-controllable data is incorporated into database queries without proper sanitization. An attacker can manipulate the SQL query to access, modify, or delete data in the database.",
  "RemediationDetail": "Use parameterized queries (prepared statements) for all database operations. Never concatenate user input directly into SQL queries.",
  "RemediationBackground": "The most effective defense against SQL injection is to use parameterized queries, which separate SQL logic from data values."
}

🖥️ How Issues Appear in Burp Suite

When a match is found, Burp Bounty Pro creates an issue that appears in:

📊 Burp Bounty Pro Dashboard — The Issues table in the Dashboard tab
📋 Burp Suite Dashboard — The global Issue activity panel
🗺️ Target Site Map — As annotations on affected URLs

Each issue includes:

⚠️ The configured severity and confidence
📡 The full request/response pair
🔴 Highlighted payload and grep matches (markers shown in red)
📄 The issue detail with placeholder values replaced

PreviousPayload Encoding NextTags

Last updated 11 hours ago

hashtag📋 Issue Fields

hashtag📝 Issue Name (IssueName)

hashtag⚠️ Issue Severity (IssueSeverity)

hashtag🎯 Issue Confidence (IssueConfidence)

hashtag📄 Issue Detail (IssueDetail)

hashtag🔧 Placeholders

hashtag📝 Example

hashtag📚 Detailed Example with Background

hashtag📖 Issue Background (IssueBackground)

hashtag🔧 Remediation Detail (RemediationDetail)

hashtag📖 Remediation Background (RemediationBackground)

hashtag📚 Complete Example

hashtag🖥️ How Issues Appear in Burp Suite