# Overview

Profiles are the building blocks of Burp Bounty Pro. Each profile defines a complete vulnerability test: what payloads to send, where to inject them, and how to determine if the test was successful.

## 📂 Profile Types

Burp Bounty Pro supports three types of profiles, identified by the `Scanner` field:

| Scanner Value | Type                 | Description                                |
| ------------- | -------------------- | ------------------------------------------ |
| 🎯 1          | **Active**           | Sends payloads to test for vulnerabilities |
| 📩 2          | **Passive Response** | Analyzes HTTP responses for patterns       |
| 📨 3          | **Passive Request**  | Analyzes HTTP requests for patterns        |

## 📄 Profile File Format

Profiles are stored as JSON files with the `.bb` extension. Each file contains an array of profile objects:

```json
[
  {
    "ProfileName": "My_Profile",
    "Name": "",
    "Enabled": true,
    "Scanner": 1,
    "Author": "@yourname",
    "Payloads": [...],
    "Grep": [...],
    "MatchType": 1,
    ...
  }
]
```

## 🏗️ Profile Structure

### 📌 Core Fields

| Field         | Type      | Description                                                   |
| ------------- | --------- | ------------------------------------------------------------- |
| `ProfileName` | String    | Unique identifier for the profile                             |
| `Name`        | String    | Display name (optional)                                       |
| `Enabled`     | Boolean   | Whether the profile is active                                 |
| `Scanner`     | Integer   | Profile type: 1=Active, 2=Passive Response, 3=Passive Request |
| `Author`      | String    | Profile creator                                               |
| `Tags`        | String\[] | Tags for categorization and rule targeting                    |

### 💉 Payload Configuration (Active profiles)

| Field              | Type      | Description                                    |
| ------------------ | --------- | ---------------------------------------------- |
| `Payloads`         | String\[] | List of payloads (format: `"enabled,payload"`) |
| `Encoder`          | String\[] | Encoding transformations to apply              |
| `UrlEncode`        | Boolean   | URL-encode the payload                         |
| `CharsToUrlEncode` | String    | Specific characters to URL-encode              |
| `payloadsFile`     | String    | Path to external payloads file                 |
| `payloadPosition`  | Integer   | 1=Replace, 2=Append, 3=Insert                  |

### 🔍 Detection Configuration

| Field             | Type      | Description                                                      |
| ----------------- | --------- | ---------------------------------------------------------------- |
| `Grep`            | String\[] | Match patterns (format: `"enabled,operator,type,scope,pattern"`) |
| `MatchType`       | Integer   | Detection method (1-9)                                           |
| `grepsFile`       | String    | Path to external greps file                                      |
| `PayloadResponse` | Boolean   | Check if payload is reflected in response                        |
| `NotResponse`     | Boolean   | Invert match (vulnerability when pattern NOT found)              |
| `CaseSensitive`   | Boolean   | Case-sensitive matching                                          |

### 🔽 Response Filtering

| Field                  | Type    | Description                          |
| ---------------------- | ------- | ------------------------------------ |
| `ExcludeHTTP`          | Boolean | Exclude HTTP header from match scope |
| `OnlyHTTP`             | Boolean | Only match in HTTP headers           |
| `IsContentType`        | Boolean | Filter by Content-Type               |
| `ContentType`          | String  | Expected Content-Type value          |
| `NegativeCT`           | Boolean | Invert Content-Type filter           |
| `IsResponseCode`       | Boolean | Filter by HTTP status code           |
| `ResponseCode`         | String  | Expected status code                 |
| `NegativeRC`           | Boolean | Invert status code filter            |
| `isurlextension`       | Boolean | Filter by URL file extension         |
| `urlextension`         | String  | File extension pattern               |
| `NegativeUrlExtension` | Boolean | Invert extension filter              |

### 📡 Request Configuration

| Field                | Type       | Description                            |
| -------------------- | ---------- | -------------------------------------- |
| `requestType`        | Integer    | 1=Standard, 2=Raw request              |
| `rawRequest`         | String     | Raw HTTP request template (for type 2) |
| `InsertionPointType` | Integer\[] | Insertion point types to test          |
| `Scope`              | Integer    | Scanning scope                         |
| `RedirType`          | Integer    | Redirect handling mode                 |
| `MaxRedir`           | Integer    | Maximum number of redirects to follow  |

### 🔄 Request Modification

| Field                   | Type      | Description                         |
| ----------------------- | --------- | ----------------------------------- |
| `changeHttpRequest`     | Boolean   | Modify the HTTP request method      |
| `changeHttpRequestType` | Integer   | 1=POST→GET, 2=GET→POST, 3=Toggle    |
| `Header`                | Object\[] | Match and Replace rules for headers |
| `NewHeaders`            | String\[] | Headers to use as insertion points  |
| `isHeaderValue`         | Boolean   | Use header value as insertion point |

### ⏱️ Time-Based Detection

| Field      | Type    | Description                 |
| ---------- | ------- | --------------------------- |
| `isTime`   | Boolean | Enable time-based detection |
| `TimeOut1` | String  | First timing threshold      |
| `TimeOut2` | String  | Second timing threshold     |

### 📏 Content Length Detection

| Field             | Type    | Description                      |
| ----------------- | ------- | -------------------------------- |
| `iscontentLength` | Boolean | Enable content length comparison |
| `contentLength`   | String  | Content length threshold         |

### 📊 Variation Detection

| Field                 | Type      | Description                    |
| --------------------- | --------- | ------------------------------ |
| `VariationAttributes` | String\[] | Response attributes to compare |

### 🐛 Issue Properties

| Field                   | Type   | Description                                                           |
| ----------------------- | ------ | --------------------------------------------------------------------- |
| `IssueName`             | String | Vulnerability name                                                    |
| `IssueSeverity`         | String | High, Medium, Low, Information, False positive                        |
| `IssueConfidence`       | String | Certain, Firm, Tentative                                              |
| `IssueDetail`           | String | Detailed description (supports `<payload>` and `<grep>` placeholders) |
| `IssueBackground`       | String | Background information about the vulnerability                        |
| `RemediationDetail`     | String | How to fix the vulnerability                                          |
| `RemediationBackground` | String | General remediation guidance                                          |

### 🔗 Multi-Step

| Field   | Type    | Description                                     |
| ------- | ------- | ----------------------------------------------- |
| `steps` | Step\[] | Array of scanning steps for multi-step profiles |

### ⚙️ Other

| Field              | Type    | Description                          |
| ------------------ | ------- | ------------------------------------ |
| `sequence`         | Boolean | Sequence mode                        |
| `Scanas`           | Boolean | Scan-as mode                         |
| `Scantype`         | Integer | Scan type                            |
| `pathDiscovery`    | Boolean | Enable path discovery                |
| `showIssue`        | Boolean | Show issue dialog                    |
| `HttpResponseCode` | String  | Additional HTTP response code filter |

## 🛠️ Managing Profiles

### 📥 Import

1. Go to **Profiles** tab
2. Click **Import**
3. Select one or more `.bb` files
4. ✅ Profiles are loaded into the appropriate category (Active, Passive Request, Passive Response)
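
A `.bb` file received from someone else can be checked against the field tables above before it is imported. The linter below is an added example, not part of Burp Bounty Pro: the names `lint_profile` and `lint_bb` and the sample profiles are constructed here, and the only assumption about entry syntax is the comma-separated part count given for `Payloads` and `Grep`.

```python
import json

# Allowed values, copied from the field tables on this page.
ENUMS = {
    "Scanner": (1, 2, 3),
    "MatchType": tuple(range(1, 10)),
    "payloadPosition": (1, 2, 3),
    "requestType": (1, 2),
    "changeHttpRequestType": (1, 2, 3),
    "IssueSeverity": ("High", "Medium", "Low", "Information", "False positive"),
    "IssueConfidence": ("Certain", "Firm", "Tentative"),
}
# Comma-separated parts per entry; the last part may itself contain commas.
LIST_FORMATS = {"Payloads": 2, "Grep": 5}
# Fields that name local files or carry a whole request: read these by hand.
REVIEW = ("payloadsFile", "grepsFile", "rawRequest")

def lint_profile(p):
    """Return a list of findings for one profile object."""
    out = [f"{f}: missing or empty" for f in ("ProfileName", "Scanner") if p.get(f) in (None, "")]
    for field, allowed in ENUMS.items():
        if field in p and (isinstance(p[field], bool) or p[field] not in allowed):
            out.append(f"{field}: {p[field]!r} not in {allowed}")
    for field, parts in LIST_FORMATS.items():
        for i, entry in enumerate(p.get(field) or []):
            if not isinstance(entry, str) or len(entry.split(",", parts - 1)) != parts:
                out.append(f"{field}[{i}]: expected {parts} comma-separated parts")
    out += [f"{f}: set, review before import" for f in REVIEW if p.get(f)]
    return out

def lint_bb(text):
    """Lint the text of a .bb file; returns {profile name: [findings]}."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(p, dict) for p in data):
        raise ValueError("a .bb file must be a JSON array of profile objects")
    return {str(p.get("ProfileName") or f"#{i}"): lint_profile(p) for i, p in enumerate(data)}

# Constructed sample with placeholder values, not a real profile.
SAMPLE = json.dumps([
    {"ProfileName": "Sample_OK", "Scanner": 1, "MatchType": 1, "payloadPosition": 1,
     "Payloads": ["true,PAYLOAD"], "Grep": ["true,OP,TYPE,SCOPE,pattern, with comma"],
     "IssueSeverity": "Low", "IssueConfidence": "Firm"},
    {"ProfileName": "Sample_Bad", "Scanner": 4, "MatchType": 12,
     "Payloads": ["PAYLOAD"], "Grep": ["true,OP,pattern"],
     "IssueSeverity": "Critical", "payloadsFile": "/tmp/constructed.txt"},
])

if __name__ == "__main__":
    for name, findings in lint_bb(SAMPLE).items():
        print(name, findings or "ok")
```

To check a real file, pass its contents to `lint_bb`, for example `lint_bb(open(path, encoding="utf-8").read())`.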

### 📤 Export

1. Select profiles in the table
2. Click **Export**
3. Choose a save location
4. ✅ Profiles are saved as `.bb` JSON files

### 📋 Duplicate

1. Select a profile
2. Click **Duplicate**
3. ✅ A copy is created with an auto-generated name suffix

### ✏️ Edit

🖱️ Double-click any profile to open the non-modal editor dialog.
