🎯Creating Active Profiles

This guide walks you through creating an active scanning profile step by step.

📝 Step 1: Open the Profile Editor

Go to Burp Bounty Pro > Profiles > Active Profiles tab
Click Add to create a new profile
🪟 The profile editor dialog opens (non-modal — you can interact with Burp while editing)

📋 Step 2: Basic Information

Field

Description

Example

📝 Profile Name

Unique identifier

My_XSS_Profile

👤 Author

Your name or handle

@researcher

🏷️ Tags

Categories for organization

XSS, All

✅ Enabled

Whether the profile is active

true

💉 Step 3: Define Payloads

Add the payloads that will be injected into insertion points.

Format: Each payload entry has an enabled flag followed by the payload value:

true,<script>alert(1)</script>
true,"><img src=x onerror=alert(1)>
false,<svg onload=alert(1)>

✅ Prefix true, to enable a payload
❌ Prefix false, to disable (keep for later use)

🔧 Using Variables:

true,http://{REDIRECT_DOMAIN}
true,{CURRENT_INSERTION_POINT_VALUE}<script>alert(1)</script>
true,{BC}

See Variables for the complete list.

📁 Loading from File: Set payloadsFile to the path of a text file containing one payload per line.

📍 Step 4: Configure Insertion Points

Select which parts of the HTTP request to inject payloads into.

🎯 Common selections for XSS testing:

URL parameter value (0)
Body parameter value (1)
URL path folder (6)

🔒 Common selections for header injection:

Specific HTTP headers (67-77)
Custom header (78)

See Insertion Points for the complete reference.

🔍 Step 5: Define Match Conditions (Grep)

Configure how to determine if the vulnerability was detected.

Grep format: "enabled,operator,type,scope,pattern"

Component

Values

enabled

true or false

operator

Empty (first condition), AND, OR

type

Simple String, Regex

scope

Empty (all response), Only in Headers, Only in Body

pattern

The search pattern

📝 Examples:

Simple string match:

true,,Simple String,,<script>alert(1)</script>

Regex match with OR:

true,,Regex,,<script>alert\(1\)</script>
true,OR,Regex,,onerror=alert\(1\)

Header-only match:

true,,Simple String,Only in Headers,Access-Control-Allow-Origin: *

⚙️ Step 6: Set Match Type

MatchType

Description

✅ All conditions AND — All grep patterns must match

🔀 At least one OR — At least one grep pattern must match

🔄 Step 7: Configure Redirections

Choose how to handle HTTP redirects:

RedirType

Behavior

🚫 Never follow redirects

🏠 Follow on-site only

🎯 Follow in-scope only

🌐 Always follow

🔢 Follow with max limit

Set MaxRedir to limit the number of redirects (e.g., 5).

🐛 Step 8: Set Issue Properties

Field

Description

Example

📝 IssueName

Vulnerability name

Reflected XSS

⚠️ IssueSeverity

Severity level

High, Medium, Low, Information

🎯 IssueConfidence

Confidence level

Certain, Firm, Tentative

📄 IssueDetail

Description with placeholders

Payload: <payload><br/>Match: <grep>

The <payload> and <grep> placeholders are replaced with the actual payload and matched pattern at runtime.

⚙️ Step 9: Optional Configuration

🔐 Payload Encoding

Add encoding transformations to payloads:

🔗 URL-encode key characters
🔗 URL-encode all characters
📝 HTML-encode key characters
🔒 Base64-encode
🌐 Unicode-encode

See Payload Encoding for details.

🔽 Response Filtering

Filter which responses to analyze:

📄 Content-Type — Only process specific content types
🔢 Response Code — Only process specific HTTP status codes
📁 URL Extension — Only process specific file extensions

🔄 Request Modification

Modify the HTTP method:

POST → GET
GET → POST
Toggle between methods

🔀 Match and Replace

Apply find/replace rules to requests before sending. See Match and Replace.

📚 Complete Example: CORS Misconfiguration

[
  {
    "ProfileName": "CORS Misconfiguration",
    "Enabled": true,
    "Scanner": 1,
    "Author": "@bountysecurity",
    "Payloads": [
      "true,https://{REDIRECT_DOMAIN}"
    ],
    "Grep": [
      "true,,Simple String,Only in Headers,Access-Control-Allow-Credential: true",
      "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: https://{REDIRECT_DOMAIN}",
      "true,OR,Simple String,Only in Headers,Access-Control-Allow-Origin: null"
    ],
    "Tags": ["All", "CORS"],
    "MatchType": 1,
    "InsertionPointType": [64, 78],
    "NewHeaders": ["Origin"],
    "isHeaderValue": true,
    "OnlyHTTP": true,
    "RedirType": 4,
    "MaxRedir": 3,
    "IssueName": "CORS Misconfiguration",
    "IssueSeverity": "Low",
    "IssueConfidence": "Tentative",
    "IssueDetail": "<br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>"
  }
]

This profile:

💉 Injects https://{REDIRECT_DOMAIN} as the Origin header value
🔍 Checks response headers for Access-Control-Allow-Credential: true AND either Access-Control-Allow-Origin: https://{REDIRECT_DOMAIN} or Access-Control-Allow-Origin: null
🐛 Reports a Low severity CORS Misconfiguration issue

PreviousOverview NextCreating Passive Profiles

Last updated 2 days ago

hashtag📝 Step 1: Open the Profile Editor

hashtag📋 Step 2: Basic Information

hashtag💉 Step 3: Define Payloads

hashtag📍 Step 4: Configure Insertion Points

hashtag🔍 Step 5: Define Match Conditions (Grep)

hashtag⚙️ Step 6: Set Match Type

hashtag🔄 Step 7: Configure Redirections

hashtag🐛 Step 8: Set Issue Properties

hashtag⚙️ Step 9: Optional Configuration

hashtag🔐 Payload Encoding

hashtag🔽 Response Filtering

hashtag🔄 Request Modification

hashtag🔀 Match and Replace

hashtag📚 Complete Example: CORS Misconfiguration

📝 Step 1: Open the Profile Editor

📋 Step 2: Basic Information

💉 Step 3: Define Payloads

📍 Step 4: Configure Insertion Points

🔍 Step 5: Define Match Conditions (Grep)

⚙️ Step 6: Set Match Type

🔄 Step 7: Configure Redirections

🐛 Step 8: Set Issue Properties

⚙️ Step 9: Optional Configuration

🔐 Payload Encoding

🔽 Response Filtering

🔄 Request Modification

🔀 Match and Replace

📚 Complete Example: CORS Misconfiguration