πŸ”Match Types

Match types define how Burp Bounty Pro determines whether a vulnerability was found. The MatchType field controls the logic used to evaluate grep patterns and other detection conditions.

πŸ“ Grep-Based Match Types

βœ… MatchType 1: All Conditions (AND)

All grep patterns must match for the issue to be reported.

{
  "MatchType": 1,
  "Grep": [
    "true,,Simple String,Only in Headers,Access-Control-Allow-Credentials: true",
    "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: https://evil.com"
  ]
}

πŸ“ Note: Even though individual patterns use OR operators between them, MatchType 1 requires the combined result to be true. The OR operators define groups that are evaluated, then all groups must pass.

πŸ”€ MatchType 2: At Least One (OR)

At least one grep pattern must match for the issue to be reported.

{
  "MatchType": 2,
  "Grep": [
    "true,,Regex,,Location:\\shttp://{REDIRECT_DOMAIN}",
    "true,OR,Regex,,location\\.replace\\(.http://{REDIRECT_DOMAIN}",
    "true,OR,Regex,,http-equiv=\"refresh\" content=\".*url=.http://{REDIRECT_DOMAIN}"
  ]
}

📋 Grep Pattern Types

📝 Simple String

Searches for an exact substring in the selected scope of the response.

  • 🔀 Case sensitivity is controlled by the CaseSensitive field

  • ⚡ Fastest pattern type

🔣 Regex

Searches using a regular expression pattern.

  • 📚 Supports full Java regex syntax

  • 🎯 More flexible but slower than Simple String

  • 🔀 Use the (?i) flag for a case-insensitive regex, or set CaseSensitive: false

  • ⚠️ Escape regex metacharacters in literal text (a dot, a parenthesis); inside the profile JSON each backslash is doubled, as in location\\.replace\\( in the example above

📊 Grep Pattern Format

Each grep entry is a single comma-separated string with five fields, in this order:

  enabled,operator,type,scope,pattern

  Component   Description                                Values
  ---------   ----------------------------------------   ----------------------------------------------
  enabled     Whether this pattern is active             true, false
  operator    Logic operator (empty for the first one)   (empty), AND, OR
  type        Pattern matching method                    Simple String, Regex
  scope       Where to search                            (empty = all), Only in Headers, Only in Body
  pattern     The search string or regex                 Any string

The first entry of a profile has an empty operator field, which is why the examples above start with "true,,".

⚙️ Operator Logic

Grep patterns are grouped by their operators and evaluated with short-circuit optimization:

  • ✅ AND extends the current group; the patterns of a group are evaluated left to right, and the group fails as soon as one pattern fails

  • 🔀 OR starts a new group; with MatchType 2 the result is true as soon as any group passes, while with MatchType 1 every group must pass

🎯 Response Scope

Control where in the response patterns are searched:

  Scope              Description
  ---------------    ------------------------------------------------
  (empty)            🌐 Search the entire response (headers + body)
  Only in Headers    📋 Search only in the HTTP response headers
  Only in Body       📄 Search only in the response body
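The following Python evaluator is an added illustration of the entry format, the operator grouping and the scope rules described above; it is written for this page and is not Burp Bounty Pro's own code. It assumes that the five fields are split on the first four commas (so a pattern may itself contain commas), that an OR starts a new group and an AND extends the current one, that MatchType 1 requires every group to pass and MatchType 2 any group, that CaseSensitive defaults to true, and that disabled entries take no part in grouping. It also honours the profile's NotResponse flag. The sample HTTP response and the profile fragments are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample response (not taken from the page): a CORS reply that
# reflects an attacker origin and allows credentials, with no HSTS header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: https://evil.com\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    "<html><body>Welcome back</body></html>"
)

# Profile fragments in the page's grep format (constructed for this example).
CORS_PROFILE = {
    "MatchType": 1,  # every group must pass
    "Grep": [
        "true,,Simple String,Only in Headers,Access-Control-Allow-Credentials: true",
        "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: https://evil.com",
    ],
}
HSTS_MISSING_PROFILE = {
    "MatchType": 1,
    "NotResponse": True,  # report when the pattern is absent
    "Grep": ["true,,Simple String,Only in Headers,Strict-Transport-Security"],
}


@dataclass
class GrepEntry:
    enabled: bool
    operator: str  # "", "AND" or "OR"
    type: str      # "Simple String" or "Regex"
    scope: str     # "", "Only in Headers" or "Only in Body"
    pattern: str


def parse_grep(entry: str) -> GrepEntry:
    """Split enabled,operator,type,scope,pattern on the first four commas.

    Assumption: everything after the fourth comma is the pattern, so a regex
    quantifier such as a{1,3} survives intact."""
    enabled, operator, gtype, scope, pattern = entry.split(",", 4)
    return GrepEntry(enabled.strip() == "true", operator.strip().upper(),
                     gtype.strip(), scope.strip(), pattern)


def select_scope(response: str, scope: str) -> str:
    """Return the part of the raw response the scope restricts the search to."""
    headers, _, body = response.partition("\r\n\r\n")
    if scope == "Only in Headers":
        return headers
    if scope == "Only in Body":
        return body
    return response  # empty scope: headers + body


def pattern_matches(g: GrepEntry, response: str, case_sensitive: bool) -> bool:
    """One Simple String or Regex test inside the entry's scope."""
    haystack = select_scope(response, g.scope)
    if g.type == "Regex":
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(g.pattern, haystack, flags) is not None
    if case_sensitive:
        return g.pattern in haystack
    return g.pattern.lower() in haystack.lower()


def group_patterns(entries):
    """OR starts a new group; the first entry and AND entries extend the current one."""
    groups = []
    for g in entries:
        if not g.enabled:
            continue  # assumption: disabled entries do not affect grouping
        if not groups or g.operator == "OR":
            groups.append([g])
        else:
            groups[-1].append(g)
    return groups


def evaluate(profile: dict, response: str) -> bool:
    """Apply a grep-based profile (MatchType 1 or 2) to one raw HTTP response."""
    case_sensitive = profile.get("CaseSensitive", True)
    entries = [parse_grep(e) for e in profile["Grep"]]
    # all() short-circuits, so an AND group stops at its first failing pattern
    group_results = [all(pattern_matches(g, response, case_sensitive) for g in group)
                     for group in group_patterns(entries)]
    if not group_results:
        matched = False  # nothing enabled, nothing can match
    elif profile["MatchType"] == 1:
        matched = all(group_results)
    elif profile["MatchType"] == 2:
        matched = any(group_results)
    else:
        raise ValueError("only grep-based MatchType 1 and 2 are handled here")
    # NotResponse inverts the verdict: report when the patterns are NOT found
    return (not matched) if profile.get("NotResponse", False) else matched


if __name__ == "__main__":
    print("CORS issue:", evaluate(CORS_PROFILE, SAMPLE_RESPONSE))
    print("HSTS missing:", evaluate(HSTS_MISSING_PROFILE, SAMPLE_RESPONSE))
```

Dropping the Access-Control-Allow-Origin header from the sample response makes the CORS profile fail under MatchType 1 but still pass under MatchType 2, which is the practical difference between the two grep-based match types. Python's re is used here in place of Java's regex engine, so syntax that is specific to one of them will behave differently.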

⚑ Special Match Types

🪞 Payload Reflection (MatchType 3)

Checks whether the exact payload appears in the response.

The scanner sends the payload and checks whether the response contains the unmodified payload string. Useful for reflected XSS detection, with the caveat that reflection alone does not prove the payload lands unescaped in an executable context; confirm the finding in the browser or in Repeater before reporting it.

🪞 Payload Reflection Without Encoding (MatchType 4)

Like MatchType 3, but searches for the payload as written in the profile, before any encoding was applied to it when it was sent. This covers the case where the scanner sends an encoded form (for example URL-encoded) and the application decodes it before echoing it back.

⏱️ Timeout (MatchType 5)

Detects time-based vulnerabilities by measuring response time.

Comparison modes:

  • 📊 Between: response time is between TimeOut1 and TimeOut2 (milliseconds)

  • ⬆️ Greater than: response time exceeds TimeOut1

  • ⬇️ Less than: response time is below TimeOut1

Use cases:

  • 🗄️ Time-based SQL injection (e.g., SLEEP(5))

  • ⚡ Time-based blind command injection

  • 🖥️ Server-side processing delays

Because network latency varies, set TimeOut1 well above the response time you observe without the payload; Between with a realistic upper bound is less prone to false positives from a generally slow server than Greater than alone.

πŸ“ Content Length (MatchType 6)

Detects vulnerabilities by comparing response content length differences.

The scanner:

  1. πŸ“‘ Sends a baseline request (without payload)

  2. πŸ’‰ Sends the payload request

  3. πŸ“Š Compares content lengths

  4. πŸ› If the difference exceeds the threshold, reports an issue

Use cases:

  • πŸ—„οΈ Boolean-based SQL injection

  • πŸ”“ Access control bypasses (different response sizes)

📊 Variations (MatchType 7)

Detects changes in specific response attributes between the baseline and payload requests.

The scanner compares the selected attributes of the baseline response with those of the payload response. If any attribute differs, it reports an issue.

📊 Invariations (MatchType 8)

The opposite of Variations: it reports an issue when the selected attributes remain the same even though the payload should have changed them.

🔒 HTTP Response Code (MatchType 9)

Matches specific HTTP status codes in the response.

Use cases:

  • 📂 Path discovery (200 vs 404)

  • 🔓 Authentication bypass (200 vs 401/403)

  • ⚠️ Server errors (500)
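The following Python, added for this page and not Burp Bounty Pro's own implementation, shows the comparison each of the special match types above performs: payload reflection with and without encoding (MatchType 3 and 4), Timeout (5), Content Length (6), Variations and Invariations (7 and 8) and HTTP Response Code (9). It assumes URL-encoding as the outgoing payload encoding, an inclusive Between range, an absolute length difference compared against the threshold, and a small set of attribute names (status, length, content_type) for Variations; the baseline and payload responses and the reflected bodies are constructed, not captured traffic.

```python
from urllib.parse import quote

# Constructed baseline/payload responses (not captured traffic): what the scanner
# might observe for a parameter without and with a time-based payload.
BASELINE = {"status": 200, "length": 512, "elapsed_ms": 140, "content_type": "text/html"}
WITH_PAYLOAD = {"status": 500, "length": 1890, "elapsed_ms": 5210, "content_type": "text/html"}

PAYLOAD = "<svg/onload=alert(1)>"
# Body that echoes the URL-encoded form of the payload (constructed).
REFLECTED_ENCODED = "<p>No results for %3Csvg%2Fonload%3Dalert%281%29%3E</p>"
# Body that decodes the parameter and echoes the raw payload (constructed).
REFLECTED_RAW = "<p>No results for <svg/onload=alert(1)></p>"


def payload_reflected(payload: str, body: str, as_sent: bool) -> bool:
    """MatchType 3 (as_sent=True): look for the payload as it left the scanner.
    MatchType 4 (as_sent=False): look for the payload before it was encoded.
    Assumption: the outgoing encoding is URL-encoding."""
    needle = quote(payload, safe="") if as_sent else payload
    return needle in body


def timeout_match(elapsed_ms: int, mode: str, timeout1: int, timeout2: int = None) -> bool:
    """MatchType 5: compare the measured response time with TimeOut1/TimeOut2 (ms).
    Assumption: Between is inclusive at both ends."""
    if mode == "Between":
        return timeout1 <= elapsed_ms <= timeout2
    if mode == "Greater than":
        return elapsed_ms > timeout1
    if mode == "Less than":
        return elapsed_ms < timeout1
    raise ValueError(f"unknown comparison mode {mode!r}")


def content_length_match(baseline_len: int, payload_len: int, threshold: int) -> bool:
    """MatchType 6: report when the absolute length difference exceeds the threshold."""
    return abs(payload_len - baseline_len) > threshold


def changed_attributes(baseline: dict, with_payload: dict, attributes) -> list:
    """Attributes whose value differs between the baseline and payload responses."""
    return [a for a in attributes if baseline.get(a) != with_payload.get(a)]


def variations_match(baseline: dict, with_payload: dict, attributes) -> bool:
    """MatchType 7: at least one compared attribute differs."""
    return bool(changed_attributes(baseline, with_payload, attributes))


def invariations_match(baseline: dict, with_payload: dict, attributes) -> bool:
    """MatchType 8: every compared attribute stayed the same."""
    return not changed_attributes(baseline, with_payload, attributes)


def response_code_match(status: int, expected) -> bool:
    """MatchType 9: the status code is one of the configured codes."""
    return status in set(expected)


def run_checks(baseline: dict, with_payload: dict) -> dict:
    """Run every comparison on one baseline/payload pair and return the verdicts."""
    return {
        "timeout_greater_5000": timeout_match(with_payload["elapsed_ms"], "Greater than", 5000),
        "timeout_between_4500_6500": timeout_match(with_payload["elapsed_ms"], "Between", 4500, 6500),
        "content_length_delta_100": content_length_match(baseline["length"], with_payload["length"], 100),
        "variations_status_length": variations_match(baseline, with_payload, ["status", "length"]),
        "invariations_content_type": invariations_match(baseline, with_payload, ["content_type"]),
        "status_is_server_error": response_code_match(with_payload["status"], [500, 502, 503]),
        "reflected_as_sent": payload_reflected(PAYLOAD, REFLECTED_ENCODED, as_sent=True),
        "reflected_raw": payload_reflected(PAYLOAD, REFLECTED_RAW, as_sent=False),
    }


if __name__ == "__main__":
    for name, verdict in run_checks(BASELINE, WITH_PAYLOAD).items():
        print(f"{name}: {verdict}")
```

Swapping as_sent between the two reflected bodies shows why both reflection match types exist: the encoded body only satisfies MatchType 3, the decoded body only MatchType 4. The thresholds (5000 ms, 100 bytes) are illustrative; tune them against the target's observed baseline as noted in the Timeout and Content Length sections.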

🌐 Collaborator-Based Detection

For out-of-band vulnerability detection using Burp Collaborator:

  1. 🔧 Use the {BC} variable in payloads to generate a Collaborator subdomain

  2. 🔄 The scanner periodically polls Burp Collaborator for interactions

  3. ✅ If an interaction is detected, the vulnerability is confirmed

Collaborator detection is asynchronous, so results may appear after the scan completes. The polling interval is configurable in Options (collaboratorRefreshtime).

⚠️ Note: Collaborator-based profiles are excluded from the stop-on-first-match optimization because detection happens asynchronously.

🔄 Negative Matching

Set NotResponse: true to invert the match logic: the issue is reported when the grep pattern is NOT found in the response. For example, a Passive Response profile that greps the headers for Strict-Transport-Security with NotResponse: true reports an issue whenever the Strict-Transport-Security header is missing. This is the usual way to build security header checks.
