# Creating Active Profiles

This guide walks you through creating an active scanning profile step by step.

## 📝 Step 1: Open the Profile Editor

1. Go to **Burp Bounty Pro** > **Profiles** > **Active Profiles** tab
2. Click **Add** to create a new profile
3. 🪟 The profile editor dialog opens (non-modal — you can interact with Burp while editing)

## 📋 Step 2: Basic Information

| Field               | Description                   | Example          |
| ------------------- | ----------------------------- | ---------------- |
| 📝 **Profile Name** | Unique identifier             | `My_XSS_Profile` |
| 👤 **Author**       | Your name or handle           | `@researcher`    |
| 🏷️ **Tags**        | Categories for organization   | `XSS`, `All`     |
| ✅ **Enabled**       | Whether the profile is active | `true`           |

## 💉 Step 3: Define Payloads

Add the payloads that will be injected into insertion points.

**Format:** Each payload entry has an enabled flag followed by the payload value:

```
true,<script>alert(1)</script>
true,"><img src=x onerror=alert(1)>
false,<svg onload=alert(1)>
```

* ✅ Prefix `true,` to enable a payload
* ❌ Prefix `false,` to disable (keep for later use)

**🔧 Using Variables:**

```
true,http://{REDIRECT_DOMAIN}
true,{CURRENT_INSERTION_POINT_VALUE}<script>alert(1)</script>
true,{BC}
```

See [Variables](/variables/global-variables.md) for the complete list.

**📁 Loading from File:** Set `payloadsFile` to the path of a text file containing one payload per line.

## 📍 Step 4: Configure Insertion Points

Select which parts of the HTTP request to inject payloads into.

🎯 Common selections for XSS testing:

* URL parameter value (0)
* Body parameter value (1)
* URL path folder (6)

🔒 Common selections for header injection:

* Specific HTTP headers (67-77)
* Custom header (78)

See [Insertion Points](/profiles/insertion-points.md) for the complete reference.

## 🔍 Step 5: Define Match Conditions (Grep)

Configure how to determine if the vulnerability was detected.

**Grep format:** `"enabled,operator,type,scope,pattern"`

| Component | Values                                                  |
| --------- | ------------------------------------------------------- |
| enabled   | `true` or `false`                                       |
| operator  | Empty (first condition), `AND`, `OR`                    |
| type      | `Simple String`, `Regex`                                |
| scope     | Empty (all response), `Only in Headers`, `Only in Body` |
| pattern   | The search pattern                                      |

**📝 Examples:**

Simple string match:

```
true,,Simple String,,<script>alert(1)</script>
```

Regex match with OR:

```
true,,Regex,,<script>alert\(1\)</script>
true,OR,Regex,,onerror=alert\(1\)
```

Header-only match:

```
true,,Simple String,Only in Headers,Access-Control-Allow-Origin: *
```

## ⚙️ Step 6: Set Match Type

| MatchType | Description                                                   |
| --------- | ------------------------------------------------------------- |
| 1         | ✅ **All conditions AND** — All grep patterns must match       |
| 2         | 🔀 **At least one OR** — At least one grep pattern must match |

## 🔄 Step 7: Configure Redirections

Choose how to handle HTTP redirects:

| RedirType | Behavior                  |
| --------- | ------------------------- |
| 0         | 🚫 Never follow redirects |
| 1         | 🏠 Follow on-site only    |
| 2         | 🎯 Follow in-scope only   |
| 3         | 🌐 Always follow          |
| 4         | 🔢 Follow with max limit  |

Set `MaxRedir` to limit the number of redirects (e.g., 5).

## 🐛 Step 8: Set Issue Properties

| Field                  | Description                   | Example                                |
| ---------------------- | ----------------------------- | -------------------------------------- |
| 📝 **IssueName**       | Vulnerability name            | `Reflected XSS`                        |
| ⚠️ **IssueSeverity**   | Severity level                | `High`, `Medium`, `Low`, `Information` |
| 🎯 **IssueConfidence** | Confidence level              | `Certain`, `Firm`, `Tentative`         |
| 📄 **IssueDetail**     | Description with placeholders | `Payload: <payload><br/>Match: <grep>` |

The `<payload>` and `<grep>` placeholders are replaced with the actual payload and matched pattern at runtime.

## 🔎 Step 9: Set Scan Scope

Choose how the profile is scoped per target:

| scanScope | Mode                  | Use Case                                                                    |
| --------- | --------------------- | --------------------------------------------------------------------------- |
| 0         | **Per-URL** (default) | Runs on every URL — for parameter injection profiles                        |
| 1         | **Per-Host**          | Runs once per host:port — for path discovery, fixed-path CVEs, raw requests |

> 💡 **Tip:** Use per-host scope for profiles that test fixed paths (like `/wp-admin/` or `/actuator/health`) to avoid re-testing the same path on every URL of the same host.

## ⚙️ Step 10: Optional Configuration

### 🔐 Payload Encoding

Add encoding transformations to payloads:

* 🔗 URL-encode key characters
* 🔗 URL-encode all characters
* 📝 HTML-encode key characters
* 🔒 Base64-encode
* 🌐 Unicode-encode

See [Payload Encoding](/profiles/payload-encoding.md) for details.

### 🔽 Response Filtering

Filter which responses to analyze:

* 📄 **Content-Type** — Only process specific content types
* 🔢 **Response Code** — Only process specific HTTP status codes
* 📁 **URL Extension** — Only process specific file extensions

### 🔄 Request Modification

Modify the HTTP method:

* POST → GET
* GET → POST
* Toggle between methods

### 🔀 Match and Replace

Apply find/replace rules to requests before sending. See [Match and Replace](/profiles/match-and-replace.md).

## 📚 Complete Example: CORS Misconfiguration

```json
[
  {
    "ProfileName": "CORS Misconfiguration",
    "Enabled": true,
    "Scanner": 1,
    "Author": "@bountysecurity",
    "Payloads": [
      "true,https://{REDIRECT_DOMAIN}"
    ],
    "Grep": [
      "true,,Simple String,Only in Headers,Access-Control-Allow-Credentials: true",
      "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: https://{REDIRECT_DOMAIN}",
      "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: null"
    ],
    "Tags": ["All", "CORS"],
    "MatchType": 1,
    "InsertionPointType": [64, 78],
    "NewHeaders": ["Origin"],
    "isHeaderValue": true,
    "OnlyHTTP": true,
    "RedirType": 4,
    "MaxRedir": 3,
    "IssueName": "CORS Misconfiguration",
    "IssueSeverity": "Low",
    "IssueConfidence": "Tentative",
    "IssueDetail": "<br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>"
  }
]
```

This profile:

1. 💉 Injects `https://{REDIRECT_DOMAIN}` as the `Origin` header value
2. 🔍 Checks response headers for `Access-Control-Allow-Credentials: true` AND either `Access-Control-Allow-Origin: https://{REDIRECT_DOMAIN}` or `Access-Control-Allow-Origin: null`
3. 🐛 Reports a Low severity CORS Misconfiguration issue
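
A pre-import lint for hand-edited profile files in the format shown above, added here as an example (it is not part of Burp Bounty Pro). It checks only the entry layouts and values this page documents; `lint_profile`, `lint_text` and the sample profile are constructed for illustration.

```python
import json
import re

# Allowed values as documented on this page.
GREP_FIELDS = {"operator": ("", "AND", "OR"), "type": ("Simple String", "Regex"),
               "scope": ("", "Only in Headers", "Only in Body")}
ENUMS = {"MatchType": (1, 2), "RedirType": (0, 1, 2, 3, 4),
         "IssueSeverity": ("High", "Medium", "Low", "Information"),
         "IssueConfidence": ("Certain", "Firm", "Tentative")}

def lint_profile(profile):
    """Return a list of problems found in one active-profile object."""
    name, problems = profile.get("ProfileName", "<unnamed>"), []
    for entry in profile.get("Payloads", []):
        # Split on the first comma only: the payload itself may contain commas.
        flag, _, value = entry.partition(",")
        if flag not in ("true", "false") or not value:
            problems.append(f"{name}: payload {entry!r} lacks a true,/false, prefix")
    for i, entry in enumerate(profile.get("Grep", [])):
        parts = entry.split(",", 4)  # pattern is last and may contain commas
        if len(parts) != 5 or parts[0] not in ("true", "false"):
            problems.append(f"{name}: grep {i} is not enabled,operator,type,scope,pattern")
            continue
        fields = dict(zip(("operator", "type", "scope"), parts[1:4]))
        for field, value in fields.items():
            if value not in GREP_FIELDS[field]:
                problems.append(f"{name}: grep {i} has unknown {field} {value!r}")
        if (fields["operator"] == "") != (i == 0):
            problems.append(f"{name}: grep {i} operator must be empty first, AND/OR after")
        if fields["type"] == "Regex":
            try:  # Python's re only approximates the Java regex engine Burp runs on
                re.compile(parts[4])
            except re.error as exc:
                problems.append(f"{name}: grep {i} regex does not compile: {exc}")
    for key, allowed in ENUMS.items():
        if key in profile and profile[key] not in allowed:
            problems.append(f"{name}: {key}={profile[key]!r} is not a documented value")
    return problems

# Constructed sample with deliberate mistakes (not a real Burp Bounty profile).
SAMPLE = '''[{"ProfileName": "demo", "MatchType": 3, "IssueSeverity": "Critical",
  "Payloads": ["true,a,b", "<svg onload=alert(1)>"],
  "Grep": ["true,,Simple String,,a,b", "true,AND,Regex,,alert(1",
           "true,OR,Regex,Only in Header,x", "true,OR,Simple String"]}]'''

def lint_text(text):
    return [p for profile in json.loads(text) for p in lint_profile(profile)]

if __name__ == "__main__":
    print("\n".join(lint_text(SAMPLE)))
```

Keys that are absent from a profile are not reported, since this page does not say which keys are mandatory.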


