# Creating Passive Profiles

Passive profiles analyze HTTP traffic without sending additional requests. They are ideal for detecting sensitive information, security misconfigurations, and technology fingerprints.

## 📩 Passive Response Profile

### 🤔 When to Use

Use Passive Response profiles to analyze server responses for:

* 🛡️ Missing or misconfigured security headers
* 🔑 Sensitive data exposure (API keys, tokens, passwords)
* 🖥️ Technology indicators and version numbers
* ⚠️ Error messages and debug information
* 🌐 Domain takeover indicators

### 📝 Step-by-Step Creation

#### 1️⃣ Open the Profile Editor

1. Go to **Burp Bounty Pro** > **Profiles** > **Passive Response Profiles** tab
2. Click **Add**

#### 2️⃣ Basic Information

```json
{
  "ProfileName": "Missing_CSP_Header",
  "Scanner": 2,
  "Author": "@researcher",
  "Enabled": true,
  "Tags": ["All", "Security Headers"]
}
```

#### 3️⃣ Define Grep Patterns

For Passive Response profiles, grep patterns are matched against the HTTP response (headers and/or body).

**🛡️ Example: Detect missing Content-Security-Policy header**

```
true,,Simple String,Only in Headers,Content-Security-Policy
```

With `NotResponse: true`, this reports an issue when the header is **NOT** found.

**🔑 Example: Detect exposed API keys**

```
true,,Regex,,(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]
```

**☁️ Example: Detect AWS credentials in responses**

```
true,,Regex,,AKIA[0-9A-Z]{16}
true,OR,Regex,,(?i)aws_secret_access_key\s*=\s*[a-zA-Z0-9/+=]{40}
```

#### 4️⃣ Configure Match Options

| Option             | Description                                                               |
| ------------------ | ------------------------------------------------------------------------- |
| 🔄 `NotResponse`   | Set to `true` to report when pattern is NOT found (e.g., missing headers) |
| 🔤 `CaseSensitive` | Set to `true` for case-sensitive matching                                 |
| 🚫 `ExcludeHTTP`   | Exclude HTTP headers from the match scope                                 |
| 📋 `OnlyHTTP`      | Only match in HTTP headers                                                |

#### 5️⃣ Set Issue Properties

```json
{
  "IssueName": "Missing Content-Security-Policy Header",
  "IssueSeverity": "Information",
  "IssueConfidence": "Certain",
  "IssueDetail": "The response does not include a Content-Security-Policy header."
}
```

### 📚 Complete Example: Server Banner Detection

```json
[
  {
    "ProfileName": "ServerBannerResponse",
    "Enabled": true,
    "Scanner": 2,
    "Author": "@bountysecurity",
    "Payloads": [],
    "Grep": [
      "true,,Regex,Only in Headers,Server:\\s.*"
    ],
    "Tags": ["All"],
    "MatchType": 1,
    "CaseSensitive": false,
    "IssueName": "ServerBannerResponse",
    "IssueSeverity": "Information",
    "IssueConfidence": "Certain",
    "IssueDetail": "<br/>- GREP: <br/><grep>"
  }
]
```

***

## 📨 Passive Request Profile

### 🤔 When to Use

Use Passive Request profiles to analyze outgoing requests for:

* 💉 Interesting parameter names (candidates for SQLi, XSS, SSRF, RCE)
* 🔗 API endpoint patterns
* 🖥️ Technology-specific URL patterns (Jira, WordPress, Spring Boot, etc.)
* 🔑 Authentication tokens and session IDs
* 📁 URLs containing file paths or redirect parameters

### 📝 Step-by-Step Creation

#### 1️⃣ Open the Profile Editor

1. Go to **Burp Bounty Pro** > **Profiles** > **Passive Request Profiles** tab
2. Click **Add**

#### 2️⃣ Basic Information

```json
{
  "ProfileName": "SSRF_Parameters",
  "Scanner": 3,
  "Author": "@researcher",
  "Enabled": true,
  "Tags": ["All", "SSRF"]
}
```

#### 3️⃣ Define Grep Patterns

For Passive Request profiles, grep patterns are matched against the HTTP request (URL, headers, and/or body).

**🌐 Example: Detect SSRF-prone parameters**

```
true,,Regex,,[?&](url|uri|path|dest|redirect|src|source|file|document|folder|root|pg|style|pdf|template|php_path|doc)=
```

**🖥️ Example: Detect WordPress requests**

```
true,,Regex,,/wp-(admin|content|includes|login|json)/
true,OR,Simple String,,/xmlrpc.php
true,OR,Simple String,,/wp-cron.php
```

**📋 Example: Detect Jira requests**

```
true,,Regex,,/jira/
true,OR,Regex,,/rest/api/
true,OR,Regex,,/plugins/servlet/
```

#### 4️⃣ Set Issue Properties

```json
{
  "IssueName": "SSRF-Prone Parameters Detected",
  "IssueSeverity": "Information",
  "IssueConfidence": "Firm",
  "IssueDetail": "Request contains parameters commonly associated with SSRF vulnerabilities.<br/><br/>- GREP: <br/><grep>"
}
```

### 📚 Complete Example: SQLi Parameter Detection

```json
[
  {
    "ProfileName": "SQLi_Parameters",
    "Enabled": true,
    "Scanner": 3,
    "Author": "@bountysecurity",
    "Payloads": [],
    "Grep": [
      "true,,Regex,,[?&](id|user_id|item|no|number|order)=",
      "true,OR,Regex,,[?&](select|report|role|update|query)=",
      "true,OR,Regex,,[?&](col|row|search|table|field)="
    ],
    "Tags": ["All"],
    "MatchType": 2,
    "CaseSensitive": false,
    "IssueName": "SQLi_Parameters",
    "IssueSeverity": "Information",
    "IssueConfidence": "Firm",
    "IssueDetail": "Interesting parameters found that could be vulnerable to SQL Injection.<br/>- GREP: <br/><grep>"
  }
]
```

***

## 📊 Key Differences: Response vs Request Profiles

| Aspect              | Passive Response (Scanner=2)          | Passive Request (Scanner=3)           |
| ------------------- | ------------------------------------- | ------------------------------------- |
| 🔍 Analyzes         | Server responses                      | Client requests                       |
| ⏱️ Timing           | After server responds                 | Before/when request is sent           |
| 🎯 Common use       | Data exposure, misconfigurations      | Parameter discovery, tech detection   |
| 💉 Payloads         | Not used                              | Not used                              |
| 📍 Insertion Points | Not used                              | Not used                              |
| 🧠 Smart Scan       | Can trigger active profiles via Rules | Can trigger active profiles via Rules |

## 💡 Tips

* 🔄 **Use `NotResponse` for missing headers** — Set `NotResponse: true` to detect when expected patterns are absent
* 🧠 **Combine with Rules** — Passive profiles are most powerful when combined with Smart Scan rules to trigger targeted active scans
* 🌐 **Keep patterns broad for discovery** — Passive profiles for parameter discovery should cast a wide net
* 🎯 **Keep patterns specific for detection** — Passive profiles for vulnerability/data detection should be precise to avoid noise
* 🏷️ **Use Tags** — Tag your profiles to make them easy to reference in Rules


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bountysecurity.ai/profiles/creating-passive-profile.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.