# Creating Passive Profiles

Passive profiles analyze HTTP traffic without sending additional requests. They are ideal for detecting sensitive information, security misconfigurations, and technology fingerprints.

## 📩 Passive Response Profile

### 🤔 When to Use

Use Passive Response profiles to analyze server responses for:

* 🛡️ Missing or misconfigured security headers
* 🔑 Sensitive data exposure (API keys, tokens, passwords)
* 🖥️ Technology indicators and version numbers
* ⚠️ Error messages and debug information
* 🌐 Domain takeover indicators

### 📝 Step-by-Step Creation

#### 1️⃣ Open the Profile Editor

1. Go to **Burp Bounty Pro** > **Profiles** > **Passive Response Profiles** tab
2. Click **Add**

#### 2️⃣ Basic Information

```json
{
  "ProfileName": "Missing_CSP_Header",
  "Scanner": 2,
  "Author": "@researcher",
  "Enabled": true,
  "Tags": ["All", "Security Headers"]
}
```

#### 3️⃣ Define Grep Patterns

For Passive Response profiles, grep patterns are matched against the HTTP response (headers and/or body).

**🛡️ Example: Detect missing Content-Security-Policy header**

```
true,,Simple String,Only in Headers,Content-Security-Policy
```

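On its own, this grep line matches when the header is present. With `NotResponse: true` set on the profile, the result is inverted and an issue is reported when the header is **NOT** found.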

**🔑 Example: Detect exposed API keys**

```
true,,Regex,,(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]
```

**☁️ Example: Detect AWS credentials in responses**

```
true,,Regex,,AKIA[0-9A-Z]{16}
true,OR,Regex,,(?i)aws_secret_access_key\s*=\s*[a-zA-Z0-9/+=]{40}
```

#### 4️⃣ Configure Match Options

| Option             | Description                                                               |
| ------------------ | ------------------------------------------------------------------------- |
| 🔄 `NotResponse`   | Set to `true` to report when pattern is NOT found (e.g., missing headers) |
| 🔤 `CaseSensitive` | Set to `true` for case-sensitive matching                                 |
| 🚫 `ExcludeHTTP`   | Exclude HTTP headers from the match scope                                 |
| 📋 `OnlyHTTP`      | Only match in HTTP headers                                                |

#### 5️⃣ Set Issue Properties

```json
{
  "IssueName": "Missing Content-Security-Policy Header",
  "IssueSeverity": "Information",
  "IssueConfidence": "Certain",
  "IssueDetail": "The response does not include a Content-Security-Policy header."
}
```

### 📚 Complete Example: Server Banner Detection

```json
[
  {
    "ProfileName": "ServerBannerResponse",
    "Enabled": true,
    "Scanner": 2,
    "Author": "@bountysecurity",
    "Payloads": [],
    "Grep": [
      "true,,Regex,Only in Headers,Server:\\s.*"
    ],
    "Tags": ["All"],
    "MatchType": 1,
    "CaseSensitive": false,
    "IssueName": "ServerBannerResponse",
    "IssueSeverity": "Information",
    "IssueConfidence": "Certain",
    "IssueDetail": "<br/>- GREP: <br/><grep>"
  }
]
```
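To check grep lines against a saved response before loading them into a profile, the following added example (not part of Burp Bounty Pro) evaluates them offline in Python. The field order (enabled, operator, match type, scope, pattern), the OR handling and the `NotResponse` inversion are assumptions inferred from the examples on this page, and Python's `re` stands in for the tool's own regex engine.

```python
import re
from typing import NamedTuple

class GrepLine(NamedTuple):
    enabled: bool   # assumed meaning of the leading "true"
    operator: str   # "" on the first line, "OR" on later lines
    kind: str       # "Simple String" or "Regex"
    scope: str      # "" (whole message) or "Only in Headers"
    pattern: str

def parse_grep(line: str) -> GrepLine:
    # Split on the first four commas only: a regex such as {20,} contains commas.
    enabled, operator, kind, scope, pattern = line.split(",", 4)
    return GrepLine(enabled == "true", operator, kind, scope, pattern)

def line_matches(g: GrepLine, raw: str, case_sensitive: bool = False) -> bool:
    headers = raw.partition("\r\n\r\n")[0]
    text = headers if g.scope == "Only in Headers" else raw
    expr = g.pattern if g.kind == "Regex" else re.escape(g.pattern)
    return re.search(expr, text, 0 if case_sensitive else re.IGNORECASE) is not None

def profile_fires(grep_lines, raw, not_response=False, case_sensitive=False) -> bool:
    # Assumed semantics: OR-joined lines hit if any enabled line matches,
    # and NotResponse inverts the combined result.
    hit = any(line_matches(g, raw, case_sensitive)
              for g in map(parse_grep, grep_lines) if g.enabled)
    return hit != not_response

# Constructed response for illustration, not captured traffic.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: nginx/1.24.0\r\n"
          "Content-Type: text/html\r\n"
          "\r\n"
          '<script>var cfg = {api_key: "A1b2C3d4E5f6G7h8I9j0K1"};</script>\n'
          "<!-- TODO: add Content-Security-Policy -->")

CSP_HEADERS = ["true,,Simple String,Only in Headers,Content-Security-Policy"]
CSP_ANYWHERE = ["true,,Simple String,,Content-Security-Policy"]
API_KEY = [r"""true,,Regex,,(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]"""]

if __name__ == "__main__":
    print("CSP missing (headers only):", profile_fires(CSP_HEADERS, SAMPLE, not_response=True))
    print("CSP missing (no scope):    ", profile_fires(CSP_ANYWHERE, SAMPLE, not_response=True))
    print("API key exposed:           ", profile_fires(API_KEY, SAMPLE))
```

The unscoped CSP line does not fire on this sample because the header name appears in an HTML comment in the body, which is why the missing-header check is restricted to `Only in Headers`.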

***

## 📨 Passive Request Profile

### 🤔 When to Use

Use Passive Request profiles to analyze outgoing requests for:

* 💉 Interesting parameter names (candidates for SQLi, XSS, SSRF, RCE)
* 🔗 API endpoint patterns
* 🖥️ Technology-specific URL patterns (Jira, WordPress, Spring Boot, etc.)
* 🔑 Authentication tokens and session IDs
* 📁 URLs containing file paths or redirect parameters

### 📝 Step-by-Step Creation

#### 1️⃣ Open the Profile Editor

1. Go to **Burp Bounty Pro** > **Profiles** > **Passive Request Profiles** tab
2. Click **Add**

#### 2️⃣ Basic Information

```json
{
  "ProfileName": "SSRF_Parameters",
  "Scanner": 3,
  "Author": "@researcher",
  "Enabled": true,
  "Tags": ["All", "SSRF"]
}
```

#### 3️⃣ Define Grep Patterns

For Passive Request profiles, grep patterns are matched against the HTTP request (URL, headers, and/or body).

**🌐 Example: Detect SSRF-prone parameters**

```
true,,Regex,,[?&](url|uri|path|dest|redirect|src|source|file|document|folder|root|pg|style|pdf|template|php_path|doc)=
```

**🖥️ Example: Detect WordPress requests**

```
true,,Regex,,/wp-(admin|content|includes|login|json)/
true,OR,Simple String,,/xmlrpc.php
true,OR,Simple String,,/wp-cron.php
```

**📋 Example: Detect Jira requests**

```
true,,Regex,,/jira/
true,OR,Regex,,/rest/api/
true,OR,Regex,,/plugins/servlet/
```

#### 4️⃣ Set Issue Properties

```json
{
  "IssueName": "SSRF-Prone Parameters Detected",
  "IssueSeverity": "Information",
  "IssueConfidence": "Firm",
  "IssueDetail": "Request contains parameters commonly associated with SSRF vulnerabilities.<br/><br/>- GREP: <br/><grep>"
}
```

### 📚 Complete Example: SQLi Parameter Detection

```json
[
  {
    "ProfileName": "SQLi_Parameters",
    "Enabled": true,
    "Scanner": 3,
    "Author": "@bountysecurity",
    "Payloads": [],
    "Grep": [
      "true,,Regex,,[?&](id|user_id|item|no|number|order)=",
      "true,OR,Regex,,[?&](select|report|role|update|query)=",
      "true,OR,Regex,,[?&](col|row|search|table|field)="
    ],
    "Tags": ["All"],
    "MatchType": 2,
    "CaseSensitive": false,
    "IssueName": "SQLi_Parameters",
    "IssueSeverity": "Information",
    "IssueConfidence": "Firm",
    "IssueDetail": "Interesting parameters found that could be vulnerable to SQL Injection.<br/>- GREP: <br/><grep>"
  }
]
```
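A coverage check for the SSRF grep line above, as an added example that is not part of Burp Bounty Pro: it compares what the regex reports on the raw request text with the parameter names obtained by parsing the query string and form body. The sample requests are constructed, and case-insensitive matching is assumed (`CaseSensitive: false`, as in the complete examples).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names copied from the SSRF grep line on this page.
NAMES = ("url|uri|path|dest|redirect|src|source|file|document|folder|root|pg|style"
         "|pdf|template|php_path|doc").split("|")
SSRF_RE = re.compile("[?&](" + "|".join(NAMES) + ")=", re.IGNORECASE)

def regex_hits(raw: str) -> set:
    """Names the grep regex finds when run over the raw request text."""
    return {name.lower() for name in SSRF_RE.findall(raw)}

def parsed_hits(raw: str) -> set:
    """Names found by parsing the query string and a form-encoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if any(l.lower().startswith("content-type: application/x-www-form-urlencoded")
           for l in lines[1:]):
        pairs += parse_qsl(body, keep_blank_values=True)
    return {k.lower() for k, _ in pairs} & set(NAMES)

def missed(raw: str) -> set:
    """Listed names present in the request that the regex does not report."""
    return parsed_hits(raw) - regex_hits(raw)

# Constructed requests for illustration (hosts and paths are placeholders).
GET_REQ = ("GET /fetch?id=7&url=http://example.test/a HTTP/1.1\r\n"
           "Host: app.example.test\r\n\r\n")
POST_REQ = ("POST /render HTTP/1.1\r\n"
            "Host: app.example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "template=invoice&dest=http://example.test/")
NEAR_MISS = "GET /img?imgurl=x&file_id=3 HTTP/1.1\r\nHost: app.example.test\r\n\r\n"

if __name__ == "__main__":
    for req in (GET_REQ, POST_REQ, NEAR_MISS):
        print(sorted(regex_hits(req)), "missed:", sorted(missed(req)))
```

The first parameter of a form body has no `?` or `&` in front of it, so `template` in the POST sample goes unreported, while the `[?&]` prefix keeps look-alike names such as `imgurl` and `file_id` from matching.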

***

## 📊 Key Differences: Response vs Request Profiles

| Aspect              | Passive Response (Scanner=2)          | Passive Request (Scanner=3)           |
| ------------------- | ------------------------------------- | ------------------------------------- |
| 🔍 Analyzes         | Server responses                      | Client requests                       |
| ⏱️ Timing           | After server responds                 | Before/when request is sent           |
| 🎯 Common use       | Data exposure, misconfigurations      | Parameter discovery, tech detection   |
| 💉 Payloads         | Not used                              | Not used                              |
| 📍 Insertion Points | Not used                              | Not used                              |
| 🧠 Smart Scan       | Can trigger active profiles via Rules | Can trigger active profiles via Rules |

## 💡 Tips

* 🔄 **Use `NotResponse` for missing headers** — Set `NotResponse: true` to detect when expected patterns are absent
* 🧠 **Combine with Rules** — Passive profiles are most powerful when combined with Smart Scan rules to trigger targeted active scans
* 🌐 **Keep patterns broad for discovery** — Passive profiles for parameter discovery should cast a wide net
* 🎯 **Keep patterns specific for detection** — Passive profiles for vulnerability/data detection should be precise to avoid noise
* 🏷️ **Use Tags** — Tag your profiles to make them easy to reference in Rules
