# Creating Active Profiles

This guide walks you through creating an active scanning profile step by step.

## 📝 Step 1: Open the Profile Editor

1. Go to **Burp Bounty Pro** > **Profiles** > **Active Profiles** tab
2. Click **Add** to create a new profile
3. 🪟 The profile editor dialog opens (non-modal — you can interact with Burp while editing)

## 📋 Step 2: Basic Information

| Field               | Description                   | Example          |
| ------------------- | ----------------------------- | ---------------- |
| 📝 **Profile Name** | Unique identifier             | `My_XSS_Profile` |
| 👤 **Author**       | Your name or handle           | `@researcher`    |
| 🏷️ **Tags**        | Categories for organization   | `XSS`, `All`     |
| ✅ **Enabled**       | Whether the profile is active | `true`           |

## 💉 Step 3: Define Payloads

Add the payloads that will be injected into insertion points.

**Format:** Each payload entry has an enabled flag followed by the payload value:

```
true,<script>alert(1)</script>
true,"><img src=x onerror=alert(1)>
false,<svg onload=alert(1)>
```

* ✅ Prefix `true,` to enable a payload
* ❌ Prefix `false,` to disable (keep for later use)

**🔧 Using Variables:**

```
true,http://{REDIRECT_DOMAIN}
true,{CURRENT_INSERTION_POINT_VALUE}<script>alert(1)</script>
true,{BC}
```

See [Variables](https://docs.bountysecurity.ai/variables/global-variables) for the complete list.

**📁 Loading from File:** Set `payloadsFile` to the path of a text file containing one payload per line.

## 📍 Step 4: Configure Insertion Points

Select which parts of the HTTP request to inject payloads into.

🎯 Common selections for XSS testing:

* URL parameter value (0)
* Body parameter value (1)
* URL path folder (6)

🔒 Common selections for header injection:

* Specific HTTP headers (67-77)
* Custom header (78)

See [Insertion Points](https://docs.bountysecurity.ai/profiles/insertion-points) for the complete reference.

## 🔍 Step 5: Define Match Conditions (Grep)

Configure how to determine if the vulnerability was detected.

**Grep format:** `"enabled,operator,type,scope,pattern"`

| Component | Values                                                  |
| --------- | ------------------------------------------------------- |
| enabled   | `true` or `false`                                       |
| operator  | Empty (first condition), `AND`, `OR`                    |
| type      | `Simple String`, `Regex`                                |
| scope     | Empty (all response), `Only in Headers`, `Only in Body` |
| pattern   | The search pattern                                      |

**📝 Examples:**

Simple string match:

```
true,,Simple String,,<script>alert(1)</script>
```

Regex match with OR:

```
true,,Regex,,<script>alert\(1\)</script>
true,OR,Regex,,onerror=alert\(1\)
```

Header-only match:

```
true,,Simple String,Only in Headers,Access-Control-Allow-Origin: *
```

## ⚙️ Step 6: Set Match Type

| MatchType | Description                                                   |
| --------- | ------------------------------------------------------------- |
| 1         | ✅ **All conditions AND** — All grep patterns must match       |
| 2         | 🔀 **At least one OR** — At least one grep pattern must match |

## 🔄 Step 7: Configure Redirections

Choose how to handle HTTP redirects:

| RedirType | Behavior                  |
| --------- | ------------------------- |
| 0         | 🚫 Never follow redirects |
| 1         | 🏠 Follow on-site only    |
| 2         | 🎯 Follow in-scope only   |
| 3         | 🌐 Always follow          |
| 4         | 🔢 Follow with max limit  |

Set `MaxRedir` to limit the number of redirects (e.g., 5).

## 🐛 Step 8: Set Issue Properties

| Field                  | Description                   | Example                                |
| ---------------------- | ----------------------------- | -------------------------------------- |
| 📝 **IssueName**       | Vulnerability name            | `Reflected XSS`                        |
| ⚠️ **IssueSeverity**   | Severity level                | `High`, `Medium`, `Low`, `Information` |
| 🎯 **IssueConfidence** | Confidence level              | `Certain`, `Firm`, `Tentative`         |
| 📄 **IssueDetail**     | Description with placeholders | `Payload: <payload><br/>Match: <grep>` |

The `<payload>` and `<grep>` placeholders are replaced with the actual payload and matched pattern at runtime.

## 🔎 Step 9: Set Scan Scope

Choose how the profile is scoped per target:

| scanScope | Mode                  | Use Case                                                                    |
| --------- | --------------------- | --------------------------------------------------------------------------- |
| 0         | **Per-URL** (default) | Runs on every URL — for parameter injection profiles                        |
| 1         | **Per-Host**          | Runs once per host:port — for path discovery, fixed-path CVEs, raw requests |

> 💡 **Tip:** Use per-host scope for profiles that test fixed paths (like `/wp-admin/` or `/actuator/health`) to avoid re-testing the same path on every URL of the same host.

## ⚙️ Step 10: Optional Configuration

### 🔐 Payload Encoding

Add encoding transformations to payloads:

* 🔗 URL-encode key characters
* 🔗 URL-encode all characters
* 📝 HTML-encode key characters
* 🔒 Base64-encode
* 🌐 Unicode-encode

See [Payload Encoding](https://docs.bountysecurity.ai/profiles/payload-encoding) for details.

### 🔽 Response Filtering

Filter which responses to analyze:

* 📄 **Content-Type** — Only process specific content types
* 🔢 **Response Code** — Only process specific HTTP status codes
* 📁 **URL Extension** — Only process specific file extensions

### 🔄 Request Modification

Modify the HTTP method:

* POST → GET
* GET → POST
* Toggle between methods

### 🔀 Match and Replace

Apply find/replace rules to requests before sending. See [Match and Replace](https://docs.bountysecurity.ai/profiles/match-and-replace).

## 📚 Complete Example: CORS Misconfiguration

```json
[
  {
    "ProfileName": "CORS Misconfiguration",
    "Enabled": true,
    "Scanner": 1,
    "Author": "@bountysecurity",
    "Payloads": [
      "true,https://{REDIRECT_DOMAIN}"
    ],
    "Grep": [
      "true,,Simple String,Only in Headers,Access-Control-Allow-Credentials: true",
      "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: https://{REDIRECT_DOMAIN}",
      "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: null"
    ],
    "Tags": ["All", "CORS"],
    "MatchType": 1,
    "InsertionPointType": [64, 78],
    "NewHeaders": ["Origin"],
    "isHeaderValue": true,
    "OnlyHTTP": true,
    "RedirType": 4,
    "MaxRedir": 3,
    "IssueName": "CORS Misconfiguration",
    "IssueSeverity": "Low",
    "IssueConfidence": "Tentative",
    "IssueDetail": "<br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>"
  }
]
```

This profile:

1. 💉 Injects `https://{REDIRECT_DOMAIN}` as the `Origin` header value
2. 🔍 Checks response headers for `Access-Control-Allow-Credentials: true` AND either `Access-Control-Allow-Origin: https://{REDIRECT_DOMAIN}` or `Access-Control-Allow-Origin: null`
3. 🐛 Reports a Low severity CORS Misconfiguration issue
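
A profile can be checked against the entry formats from Steps 3 and 5 and the value tables from Steps 5 to 8 before it is imported. The linter below is an added example, not Burp Bounty Pro code; the function names (`parse_payload`, `parse_grep`, `lint_profile`) are hypothetical, and the regex check uses Python's engine as an approximation of the Java engine Burp runs on.

```python
import re

# Allowed values, copied from the tables in Steps 5-8 of this guide.
OPERATORS = {"", "AND", "OR"}
TYPES = {"Simple String", "Regex"}
SCOPES = {"", "Only in Headers", "Only in Body"}
ENUMS = {"MatchType": {1, 2}, "RedirType": {0, 1, 2, 3, 4},
         "IssueSeverity": {"High", "Medium", "Low", "Information"},
         "IssueConfidence": {"Certain", "Firm", "Tentative"}}

def parse_payload(entry):
    """Split 'enabled,payload' on the first comma only: payloads may contain commas."""
    flag, sep, value = entry.partition(",")
    if flag not in ("true", "false") or not sep:
        raise ValueError("payload must start with 'true,' or 'false,'")
    return flag == "true", value

def parse_grep(entry):
    """Split 'enabled,operator,type,scope,pattern'; the pattern keeps its own commas."""
    parts = entry.split(",", 4)
    if len(parts) != 5 or parts[0] not in ("true", "false"):
        raise ValueError("expected enabled,operator,type,scope,pattern")
    enabled, operator, kind, scope, pattern = parts
    if operator not in OPERATORS or kind not in TYPES or scope not in SCOPES:
        raise ValueError("operator, type or scope is not a documented value")
    if kind == "Regex":
        re.compile(pattern)  # Python syntax check only; Burp uses Java's regex engine
    return {"enabled": enabled == "true", "operator": operator,
            "type": kind, "scope": scope, "pattern": pattern}

def lint_profile(profile):
    """Return a list of problems in one profile dict; an empty list means clean."""
    problems = []
    for key, parser in (("Payloads", parse_payload), ("Grep", parse_grep)):
        for i, entry in enumerate(profile.get(key, [])):
            try:
                parser(entry)
            except (ValueError, re.error) as exc:
                problems.append(f"{key}[{i}]: {exc}")
    for key, allowed in ENUMS.items():
        if key in profile and profile[key] not in allowed:
            problems.append(f"{key}: {profile[key]!r} is not a documented value")
    return problems

# Constructed sample: a deliberately broken profile, not one shipped with the tool.
SAMPLE = {"Payloads": ["true,a,b", "<svg onload=alert(1)>"],
          "Grep": ["true,,Regex,,a{1,3}", "true,OR,Substring,,x", "true,OR,Regex,,("],
          "MatchType": 3, "IssueSeverity": "Low"}
```

`lint_profile(SAMPLE)` reports the payload missing its enabled flag, the undocumented grep type, the regex that does not compile, and the out-of-range `MatchType`, while accepting the payload and the regex that legitimately contain commas.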
