# Overview

Profiles are the building blocks of Burp Bounty Pro. Each profile defines a complete vulnerability test: what payloads to send, where to inject them, and how to determine if the test was successful.

## 📂 Profile Types

Burp Bounty Pro supports three types of profiles, identified by the `Scanner` field:

| Scanner Value | Type                 | Description                                |
| ------------- | -------------------- | ------------------------------------------ |
| 🎯 1          | **Active**           | Sends payloads to test for vulnerabilities |
| 📩 2          | **Passive Response** | Analyzes HTTP responses for patterns       |
| 📨 3          | **Passive Request**  | Analyzes HTTP requests for patterns        |

## 📄 Profile File Format

Profiles are stored as JSON files with the `.bb` extension. Each file contains an array of profile objects:

```json
[
  {
    "ProfileName": "My_Profile",
    "Name": "",
    "Enabled": true,
    "Scanner": 1,
    "Author": "@yourname",
    "Payloads": [...],
    "Grep": [...],
    "MatchType": 1,
    ...
  }
]
```

## 🏗️ Profile Structure

### 📌 Core Fields

| Field         | Type      | Description                                                   |
| ------------- | --------- | ------------------------------------------------------------- |
| `ProfileName` | String    | Unique identifier for the profile                             |
| `Name`        | String    | Display name (optional)                                       |
| `Enabled`     | Boolean   | Whether the profile is active                                 |
| `Scanner`     | Integer   | Profile type: 1=Active, 2=Passive Response, 3=Passive Request |
| `Author`      | String    | Profile creator                                               |
| `Tags`        | String\[] | Tags for categorization and rule targeting                    |

### 💉 Payload Configuration (Active profiles)

| Field              | Type      | Description                                    |
| ------------------ | --------- | ---------------------------------------------- |
| `Payloads`         | String\[] | List of payloads (format: `"enabled,payload"`) |
| `Encoder`          | String\[] | Encoding transformations to apply              |
| `UrlEncode`        | Boolean   | URL-encode the payload                         |
| `CharsToUrlEncode` | String    | Specific characters to URL-encode              |
| `payloadsFile`     | String    | Path to external payloads file                 |
| `payloadPosition`  | Integer   | 1=Replace, 2=Append, 3=Insert                  |

### 🔍 Detection Configuration

| Field             | Type      | Description                                                      |
| ----------------- | --------- | ---------------------------------------------------------------- |
| `Grep`            | String\[] | Match patterns (format: `"enabled,operator,type,scope,pattern"`) |
| `MatchType`       | Integer   | Detection method (1-9)                                           |
| `grepsFile`       | String    | Path to external greps file                                      |
| `PayloadResponse` | Boolean   | Check if payload is reflected in response                        |
| `NotResponse`     | Boolean   | Invert match (vulnerability when pattern NOT found)              |
| `CaseSensitive`   | Boolean   | Case-sensitive matching                                          |
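
A lint pass over the `.bb` format described above, useful for reviewing a third-party profile before import. This is an added example, not Burp Bounty Pro's own code. The function names are hypothetical, the `enabled` flag is assumed to be the text `true` or `false`, and `OP`, `TYPE` and `SCOPE` in the sample are placeholders because this page does not list their valid values.

```python
import json

# Types, ranges and entry widths taken from the field tables on this page.
FIELD_TYPES = {"ProfileName": str, "Enabled": bool, "Scanner": int, "Payloads": list,
               "Grep": list, "MatchType": int, "payloadPosition": int}
RANGES = {"Scanner": (1, 3), "MatchType": (1, 9), "payloadPosition": (1, 3)}
WIDTHS = {"Payloads": 2, "Grep": 5}  # comma-separated fields per entry

def split_entry(entry, count):
    """Split a comma-packed entry; the final field keeps any embedded commas."""
    parts = entry.split(",", count - 1) if isinstance(entry, str) else []
    # Assumption: the leading "enabled" flag is the text true or false.
    return parts if len(parts) == count and parts[0] in ("true", "false") else None

def lint_profiles(text):
    """Return (profile name, problem) pairs for the contents of one .bb file."""
    profiles = json.loads(text)
    if not isinstance(profiles, list):
        return [("<file>", "top level is not an array of profile objects")]
    problems = []
    for index, prof in enumerate(profiles):
        if not isinstance(prof, dict):
            problems.append((f"#{index}", "entry is not an object"))
            continue
        name = prof.get("ProfileName") or f"#{index}"
        if not prof.get("ProfileName"):
            problems.append((name, "ProfileName is missing or empty"))
        for field, expected in FIELD_TYPES.items():
            value = prof.get(field)
            if value is None:
                continue
            if type(value) is not expected:  # a JSON boolean must not pass as Integer
                problems.append((name, f"{field} should be {expected.__name__}"))
            elif field in RANGES and not RANGES[field][0] <= value <= RANGES[field][1]:
                problems.append((name, f"{field}={value} is out of range"))
            elif field in WIDTHS:
                problems += [(name, f"malformed {field} entry: {e!r}")
                             for e in value if split_entry(e, WIDTHS[field]) is None]
    return problems

# Constructed sample file. OP, TYPE and SCOPE are placeholders, not real values.
SAMPLE = json.dumps([
    {"ProfileName": "Reflected_Marker", "Scanner": 1, "MatchType": 1,
     "Payloads": ["true,bb<marker>,1"], "Grep": ["true,OP,TYPE,SCOPE,a,b"]},
    {"ProfileName": "", "Enabled": "yes", "Scanner": 4,
     "Payloads": ["bb-marker"], "Grep": ["true,only,three"], "MatchType": True},
])

if __name__ == "__main__":
    print(*lint_profiles(SAMPLE), sep="\n")
```

Splitting with a bounded count matters because a payload or grep pattern can itself contain commas; a plain `split(",")` would truncate it.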

### 🔽 Response Filtering

| Field                  | Type    | Description                          |
| ---------------------- | ------- | ------------------------------------ |
| `ExcludeHTTP`          | Boolean | Exclude HTTP header from match scope |
| `OnlyHTTP`             | Boolean | Only match in HTTP headers           |
| `IsContentType`        | Boolean | Filter by Content-Type               |
| `ContentType`          | String  | Expected Content-Type value          |
| `NegativeCT`           | Boolean | Invert Content-Type filter           |
| `IsResponseCode`       | Boolean | Filter by HTTP status code           |
| `ResponseCode`         | String  | Expected status code                 |
| `NegativeRC`           | Boolean | Invert status code filter            |
| `isurlextension`       | Boolean | Filter by URL file extension         |
| `urlextension`         | String  | File extension pattern               |
| `NegativeUrlExtension` | Boolean | Invert extension filter              |

### 📡 Request Configuration

| Field                | Type       | Description                            |
| -------------------- | ---------- | -------------------------------------- |
| `requestType`        | Integer    | 1=Standard, 2=Raw request              |
| `rawRequest`         | String     | Raw HTTP request template (for type 2) |
| `InsertionPointType` | Integer\[] | Insertion point types to test          |
| `Scope`              | Integer    | Scanning scope                         |
| `RedirType`          | Integer    | Redirect handling mode                 |
| `MaxRedir`           | Integer    | Maximum number of redirects to follow  |

### 🔄 Request Modification

| Field                   | Type      | Description                         |
| ----------------------- | --------- | ----------------------------------- |
| `changeHttpRequest`     | Boolean   | Modify the HTTP request method      |
| `changeHttpRequestType` | Integer   | 1=POST→GET, 2=GET→POST, 3=Toggle    |
| `Header`                | Object\[] | Match and Replace rules for headers |
| `NewHeaders`            | String\[] | Headers to use as insertion points  |
| `isHeaderValue`         | Boolean   | Use header value as insertion point |

### ⏱️ Time-Based Detection

| Field      | Type    | Description                 |
| ---------- | ------- | --------------------------- |
| `isTime`   | Boolean | Enable time-based detection |
| `TimeOut1` | String  | First timing threshold      |
| `TimeOut2` | String  | Second timing threshold     |

### 📏 Content Length Detection

| Field             | Type    | Description                      |
| ----------------- | ------- | -------------------------------- |
| `iscontentLength` | Boolean | Enable content length comparison |
| `contentLength`   | String  | Content length threshold         |

### 📊 Variation Detection

| Field                 | Type      | Description                    |
| --------------------- | --------- | ------------------------------ |
| `VariationAttributes` | String\[] | Response attributes to compare |

### 🐛 Issue Properties

| Field                   | Type   | Description                                                           |
| ----------------------- | ------ | --------------------------------------------------------------------- |
| `IssueName`             | String | Vulnerability name                                                    |
| `IssueSeverity`         | String | High, Medium, Low, Information, False positive                        |
| `IssueConfidence`       | String | Certain, Firm, Tentative                                              |
| `IssueDetail`           | String | Detailed description (supports `<payload>` and `<grep>` placeholders) |
| `IssueBackground`       | String | Background information about the vulnerability                        |
| `RemediationDetail`     | String | How to fix the vulnerability                                          |
| `RemediationBackground` | String | General remediation guidance                                          |

### 🔗 Multi-Step

| Field   | Type    | Description                                     |
| ------- | ------- | ----------------------------------------------- |
| `steps` | Step\[] | Array of scanning steps for multi-step profiles |

### ⚙️ Other

| Field              | Type    | Description                          |
| ------------------ | ------- | ------------------------------------ |
| `sequence`         | Boolean | Sequence mode                        |
| `Scanas`           | Boolean | Scan-as mode                         |
| `Scantype`         | Integer | Scan type                            |
| `pathDiscovery`    | Boolean | Enable path discovery                |
| `showIssue`        | Boolean | Show issue dialog                    |
| `HttpResponseCode` | String  | Additional HTTP response code filter |

## 🛠️ Managing Profiles

### 📥 Import

1. Go to the **Profiles** tab
2. Click **Import**
3. Select one or more `.bb` files
4. ✅ Profiles are loaded into the appropriate category (Active, Passive Request, Passive Response)

### 📤 Export

1. Select profiles in the table
2. Click **Export**
3. Choose a save location
4. ✅ Profiles are saved as `.bb` JSON files

### 📋 Duplicate

1. Select a profile
2. Click **Duplicate**
3. ✅ A copy is created with an auto-generated name suffix

### ✏️ Edit

🖱️ Double-click any profile to open the non-modal editor dialog.


