🎯Active Scan

Active scanning is the core capability of Burp Bounty Pro. It sends custom payloads to the target application and analyzes responses to detect vulnerabilities.

⚙️ How It Works

📝 Profile Selection — Burp Bounty Pro loads all enabled active profiles
📍 Insertion Point Discovery — For each request, Burp Suite identifies insertion points (parameters, headers, path components, etc.)
💉 Payload Injection — Each profile's payloads are injected into the matching insertion points
🔍 Response Analysis — The response is analyzed using the profile's match conditions (grep patterns, status codes, timing, content length, etc.)
🐛 Issue Reporting — If match conditions are satisfied, an issue is created with the configured severity and details

🚀 Launching an Active Scan

Select one or more requests from Proxy History, Target Site Map, Repeater, or any other Burp tool
Right-click and select Active Scan (under the Burp Bounty Pro submenu)
The URL Filter popup appears with scan configuration options

Before each scan, the URL Filter popup lets you configure:

Section

Description

🔗 URL Table

Review and select which URLs to include in the scan

🔄 Match and Replace

Define request modifications (header additions, parameter changes)

⚡ Scanner Settings

Configure per-scan performance settings

⚡ Scanner Settings (Per-Scan)

Each scan has its own independent performance configuration:

Setting

Description

Default

🧵 Threads

Number of threads in this scan's thread pool

🔀 Concurrency

Maximum concurrent connections

📈 Requests per second

Rate limit for this scan

These settings apply only to this scan — you can run multiple scans simultaneously, each with different performance settings tailored to the target.

💡 Tip: For fast, resilient targets, increase to 20-30 threads. For rate-limited targets, decrease to 2-3 threads and 1-2 RPS.

See Scan Control for recommended configurations for different scenarios.

From Burp Suite Native Scanner

Go to Target > Site Map
Right-click on a host, folder, or specific URL
Select Scan (Burp Suite Professional)
Burp Bounty Pro active profiles will run alongside Burp's built-in scanner

📝 Note: When using Burp's native scanner, the per-scan settings popup does not appear. Default values (10/10/10) are used.

📍 What Gets Tested

For each request, Burp Bounty Pro tests all enabled active profiles against all matching insertion points. The insertion points tested depend on the profile's InsertionPointType configuration.

Common insertion point categories:

🔄 Scan Flow

Request → URL Filter Popup
  │        ├─ URL selection
  │        ├─ Match and Replace
  │        └─ Scanner Settings (Threads, Concurrency, RPS)
  │
  ▼
Enabled Active Profiles → For each profile:
  │
  ├─ Filter insertion points by InsertionPointType
  │
  ├─ For each insertion point:
  │   │
  │   ├─ For each payload:
  │   │   │
  │   │   ├─ Apply encoding (if configured)
  │   │   ├─ Replace variables ({REDIRECT_DOMAIN}, {BC}, etc.)
  │   │   ├─ Inject payload into insertion point
  │   │   ├─ Send request (with redirects if configured)
  │   │   ├─ Apply match conditions
  │   │   │
  │   │   └─ If match → 🐛 Report issue, stop remaining payloads*
  │   │
  │   └─ Next insertion point
  │
  └─ Next profile

* 🎯 Stop-on-first-match: When a payload matches for a given profile and insertion point, remaining payloads for that same combination are skipped. This prevents duplicate issues and improves scan efficiency.

⏸️ Pause, Resume & Stop

During an active scan:

⏸️ Pause All — Pauses all threads instantly. No requests are lost — threads block at a safe synchronization point.
▶️ Resume All — All paused threads wake up and continue from where they stopped.
⏹️ Stop — Stops the scan entirely and clears the queue.

⏱️ Paused time is tracked and excluded from the total scan duration.

See Scan Control for details on the PausableThreadPoolExecutor.

🔍 Match Types

Each profile defines how to determine if a vulnerability was found:

Match Type

Description

🔤 Simple String / Regex

Search for patterns in the response

🪞 Payload Reflection

Check if the payload appears in the response

📊 Variations / Invariations

Compare response attributes across requests

📏 Content Length

Detect differences in response size

🔢 HTTP Response Code

Match specific status codes

⏱️ Timeout

Detect timing-based vulnerabilities

🌐 Collaborator

Out-of-band detection via Burp Collaborator

See Match Types for detailed documentation.

🔀 Redirection Handling

Active scans can follow HTTP redirects. Configure per profile:

🚫 Never follow — Only analyze the initial response
🏠 On-site only — Follow redirects to the same host
🎯 In-scope only — Follow redirects within Burp's target scope
🌐 Always — Follow all redirects
🔄 Follow redirects — Follow with maximum redirect limit

See Redirections for details.

⚡ Performance Considerations

🧵 Per-Scan Thread Pool — Configure the number of concurrent threads, concurrency, and RPS in the scan popup
📝 Profile Selection — Disable profiles you don't need to reduce scan time
🏷️ Tags — Use tags and rules to target specific profile groups instead of running all profiles
🎯 Stop-on-first-match — The scanner automatically stops testing remaining payloads after a match, reducing redundant requests
⏸️ Pause & Resume — If you notice the target is struggling, pause the scan and adjust your approach

PreviousInterface Overview NextPassive Scan

Last updated 6 hours ago

hashtag⚙️ How It Works

hashtag🚀 Launching an Active Scan

hashtagFrom Context Menu (Recommended) ⭐

hashtag🔗 URL Filter Popup

hashtag⚡ Scanner Settings (Per-Scan)

hashtagFrom Burp Suite Native Scanner

hashtag📍 What Gets Tested

hashtag🔄 Scan Flow

hashtag⏸️ Pause, Resume & Stop

hashtag🔍 Match Types

hashtag🔀 Redirection Handling

hashtag⚡ Performance Considerations

⚙️ How It Works

🚀 Launching an Active Scan

From Context Menu (Recommended) ⭐

🔗 URL Filter Popup

⚡ Scanner Settings (Per-Scan)

From Burp Suite Native Scanner

📍 What Gets Tested

🔄 Scan Flow

⏸️ Pause, Resume & Stop

🔍 Match Types

🔀 Redirection Handling

⚡ Performance Considerations