Global variables are dynamic placeholders that are replaced with actual values at runtime. They can be used in payloads, grep patterns, and raw request templates to make profiles reusable and configurable.
These variables have default values that can be customized in the Variables tab:

| Variable | Default Value | Description |
|---|---|---|
| {REDIRECT_DOMAIN} | bountysecurity.ai | Domain for open redirect and SSRF testing |
| {ATTACKER_DOMAIN} | yourdomain.com | General attacker-controlled domain |
| {XXE_FILE} | /etc/passwd | File path for Linux XXE payload |
| {XXE_GREP} | root:x | Expected content for Linux XXE match |
| {XXE_FILE_B64} | ZmlsZTovLy9ldGMvcGFzc3dk | Base64-encoded Linux file path for XXE |
| {XXE_GREP_B64} | cm9vdD | Base64-encoded content for XXE match |
| {XXE_WIN_FILE} | c:/boot.ini | File path for Windows XXE payload |
| {XXE_WIN_GREP} | boot loader | Expected content for Windows XXE match |
| {XXE_WIN_FILE_B64} | ZmlsZTovLy9jOi9ib290LmluaQ== | Base64-encoded Windows file path |
| {RCE_FILE} | /etc/passwd | File path for RCE verification |
| {RCE_COMMAND} | id | Command for RCE testing |

Modifying Default Values

1. Go to Burp Bounty Pro > Variables tab
2. Double-click a variable to edit its value
3. Click Save

Changes are persisted in Burp Suite's extension settings and applied to all profiles at runtime.

Adding Custom Variables

1. Go to Burp Bounty Pro > Variables tab
2. Click Add
3. Enter the variable name (without curly braces) and value

The variable is immediately available as {YOUR_VARIABLE_NAME} in all profiles.

Removing Variables

1. Select the variable in the table
2. Click Remove

Note: Removing a default variable means any profiles using it will have the variable string left unresolved. Only remove variables you're sure are not used.

Context Variables (Auto-Populated)

These variables are automatically populated from the current request being scanned:

Request URL Variables

| Variable | Description | Example |
|---|---|---|
| {CURRENT_URL} | Full request URL | https://example.com/path?id=1 |
| {CURRENT_HOST} | Target hostname | example.com |
| {CURRENT_PROTOCOL} | Protocol scheme | https |
| {CURRENT_PORT} | Target port | 443 |
| {CURRENT_PATH} | URL path | /path |
| {CURRENT_QUERY} | Query string | id=1 |
| {CURRENT_FILE} | File component | page.html |
| {CURRENT_SUBDOMAIN} | Extracted subdomain | api (from api.example.com) |
| {CURRENT_METHOD} | HTTP method | GET |

Request Header Variables

| Variable | Description |
|---|---|
| {CURRENT_USER_AGENT} | User-Agent header value |
| {CURRENT_COOKIES} | Cookie header value |
| {CURRENT_REFERER} | Referer header value |
| {CURRENT_ORIGIN} | Origin header value |
| {CURRENT_CONTENT_TYPE} | Content-Type header value |
| {CURRENT_ACCEPT} | Accept header value |
| {CURRENT_ACCEPT_LANGUAGE} | Accept-Language header value |
| {CURRENT_ACCEPT_ENCODING} | Accept-Encoding header value |
| {CURRENT_CONTENT_LENGTH} | Content-Length header value |

Insertion Point Variables

| Variable | Description |
|---|---|
| {CURRENT_INSERTION_POINT_VALUE} | The current value of the insertion point being tested |
| {CURRENT_INSERTION_POINT_NAME} | The name of the insertion point being tested |

Special Variables

Burp Collaborator

| Variable | Description |
|---|---|
| {BC} | Generates a unique Burp Collaborator subdomain |

Use {BC} for out-of-band vulnerability detection. Each occurrence generates a unique subdomain that Burp Collaborator monitors for interactions.

Random Values

| Variable | Description |
|---|---|
| {RANDOM} | Unique identifier (ULID format) |
| {RANDOM_ALPHANUM_8} | 8-character random alphanumeric string |
| {RANDOM_ALPHANUM_16} | 16-character random alphanumeric string |

Use random values for cache busting, unique markers, or canary tokens:

Raw Request Variables

These variables are specifically for use in Raw Request mode:

| Variable | Description |
|---|---|
| {PAYLOAD} | The current payload being tested |
| {PAYLOAD_URL} | The current payload, URL-encoded |
| {URL} | The full target URL |
| {COOKIE} | Cookies from the original request |

Variable Replacement Order

Variables are replaced in this order during scanning:

1. Global/user-defined variables from VariablesManager ({REDIRECT_DOMAIN}, {ATTACKER_DOMAIN}, custom variables)
2. Context variables from the current request ({CURRENT_HOST}, {CURRENT_PATH}, etc.)
3. Special variables ({BC}, {RANDOM}, etc.)

Variables are replaced in both payloads and grep patterns, so you can use variables on both sides:
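
The replacement order above, combined with the note that a removed variable is left unresolved, can be modelled as three passes. This is an added example, not Burp Bounty Pro's own code: `CALLBACK_TAG`, the `collab.example` stand-in for a Collaborator subdomain, and all sample values are assumptions, and Raw Request variables are not modelled.

```python
import re
import secrets
import string
import time

PLACEHOLDER = re.compile(r"\{([A-Z0-9_]+)\}")
ALNUM = string.ascii_letters + string.digits
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"

def _substitute(text, table):
    """One pass: replace {NAME} when NAME is in table, else leave it as-is."""
    return PLACEHOLDER.sub(lambda m: table.get(m.group(1), m.group(0)), text)

def _ulid():
    """26-character ULID: 48-bit millisecond timestamp plus 80 random bits."""
    n = (int(time.time() * 1000) << 80) | secrets.randbits(80)
    return "".join(CROCKFORD[(n >> s) & 31] for s in range(125, -1, -5))

def resolve(template, global_vars, context_vars):
    """Return (resolved_text, unresolved_names) using the documented order."""
    bc_count = 0

    def special(match):
        nonlocal bc_count
        name = match.group(1)
        if name == "BC":  # fresh value for every occurrence
            bc_count += 1
            return f"bc{bc_count:04d}.collab.example"  # constructed stand-in
        if name == "RANDOM":
            return _ulid()
        if name in ("RANDOM_ALPHANUM_8", "RANDOM_ALPHANUM_16"):
            length = int(name.rsplit("_", 1)[1])
            return "".join(secrets.choice(ALNUM) for _ in range(length))
        return match.group(0)  # not a special variable: leave untouched

    text = _substitute(template, global_vars)   # 1. global / user-defined
    text = _substitute(text, context_vars)      # 2. context (current request)
    text = PLACEHOLDER.sub(special, text)       # 3. special
    return text, sorted(set(PLACEHOLDER.findall(text)))

# Constructed sample data. XXE_FILE is deliberately absent, as if removed.
GLOBALS = {"REDIRECT_DOMAIN": "bountysecurity.ai",
           "CALLBACK_TAG": "{CURRENT_SUBDOMAIN}-probe"}  # hypothetical custom variable
CONTEXT = {"CURRENT_HOST": "api.example.com", "CURRENT_SUBDOMAIN": "api"}
PAYLOAD = ("https://{REDIRECT_DOMAIN}/?src={CURRENT_HOST}&tag={CALLBACK_TAG}"
           "&a={BC}&b={BC}&f={XXE_FILE}")
```

In this model a custom variable whose value contains a context variable is expanded by the later pass; the page does not say whether Burp Bounty Pro behaves the same way. The second return value lists placeholders that survived all three passes, which is a quick way to check a profile before removing a variable.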