# Default Profiles

Burp Bounty Pro ships with **254 pre-configured profiles** covering CVE exploits, common vulnerabilities, technology detection, and sensitive data exposure.

## 📊 Summary

| Category                     | Count   |
| ---------------------------- | ------- |
| 🎯 Active Scanning Profiles  | 101     |
| 📩 Passive Response Profiles | 95      |
| 📨 Passive Request Profiles  | 58      |
| **Total**                    | **254** |

### ⚠️ Severity Distribution

| Severity       | Count |
| -------------- | ----- |
| 🔴 High        | 68    |
| 🟠 Medium      | 29    |
| 🟡 Low         | 8     |
| 🔵 Information | 149   |

## 🎯 Active Profiles by Category

### 🐛 CVE Exploits

| Profile                                               | Severity | Tags                     |
| ----------------------------------------------------- | -------- | ------------------------ |
| CVE-2017-9506\_Jira\_SSRF                             | Medium   | CVEs                     |
| CVE-2018-1271\_Spring\_MVC\_Path\_Traversal           | High     | CVEs                     |
| CVE-2018-13379\_FortiOS\_Creds\_Disclosure            | High     | CVEs                     |
| CVE-2019-11510\_Pulse\_Secure                         | High     | CVEs                     |
| CVE-2019-11580\_Atlassian\_Crowd\_RCE                 | High     | CVEs                     |
| CVE-2019-1653\_Cisco\_Wan\_VPN\_disclosure            | High     | CVEs                     |
| CVE-2019-19781\_Citrix\_ADC\_Directory\_Traversal     | Medium   | CVEs                     |
| CVE-2019-3799\_Spring\_Cloud\_Path\_Traversal         | High     | CVEs                     |
| CVE-2019-5418\_Ruby on Rails                          | High     | CVEs                     |
| CVE-2019-5418\_Ruby on Rails - WAF bypass             | High     | CVEs                     |
| CVE-2019-8442\_Jira\_Path\_Traversal                  | Medium   | CVEs                     |
| CVE-2019-8449\_Jira\_Unauthenticated\_Sensitive\_Info | Medium   | CVEs                     |
| CVE-2020-11738\_Wordpress\_Duplicator\_Plugin\_LFI    | High     | CVEs, Wordpress          |
| CVE-2020-13167\_Netsweeper\_code\_injection           | High     | CVEs                     |
| CVE-2020-13379\_Grafana\_SSRF                         | High     | CVEs                     |
| CVE-2020-14179\_Jira\_Info\_Exposure                  | Medium   | CVEs                     |
| CVE-2020-14181\_Jira\_User\_Enum                      | Medium   | CVEs                     |
| CVE-2020-14815\_XSS                                   | Medium   | XSS                      |
| CVE-2020-15129\_Traefik\_Open\_Redirect               | Medium   | CVEs                     |
| CVE-2020-17506\_Artica\_Web\_Proxy\_Auth\_Bypass      | High     | CVEs                     |
| CVE-2020-24312\_File\_Manager\_Wordpress\_Backups     | High     | CVEs, Wordpress          |
| CVE-2020-2551\_Oracle\_WebLogic                       | High     | CVEs                     |
| CVE-2020-3452\_Cisco\_ASA\_LFI                        | Medium   | CVEs                     |
| CVE-2020-5410\_Path\_Traversal\_Spring\_Cloud         | Medium   | CVEs                     |
| CVE-2020-5412\_Spring\_Cloud\_Netflix                 | High     | CVEs                     |
| CVE-2020-5777\_MAMGI\_Auth\_Bypass                    | Medium   | CVEs                     |
| CVE-2020-5902\_F5-BigIP                               | High     | CVEs                     |
| CVE-2020-8209\_Citrix\_XenMobile\_PathTraversal       | High     | CVEs                     |
| CVE-2020-8982\_Citrix\_ShareFile\_File\_Read          | Medium   | CVEs                     |
| CVE-2020-9484\_Tomcat\_Groovy                         | High     | CVEs                     |
| CVE-2021-26086\_PathTraversal\_Atlassian\_Jira        | Medium   | CVEs                     |
| CVE-2021-40438\_Apache\_mod\_proxy\_SSRF              | High     | CVEs                     |
| CVE-2021-40539\_Zoho\_ManageEngine\_ADSelfService     | High     | CVEs                     |
| CVE-2021-43798\_Grafana\_LFI                          | High     | CVEs                     |
| CVE-2021-44228\_RCE\_Log4j                            | High     | RCE, CVEs                |
| CVE-2021-44228\_RCE\_Log4j\_GETPOST                   | High     | RCE, CVEs                |
| CVE-2021-44228\_RCE\_Log4j\_urlEncode                 | High     | RCE, CVEs                |
| CVE-2022-1388\_F5\_Big\_IP\_RCE                       | High     | CVEs, RCE                |
| CVE-2022-26134\_Confluence\_RCE                       | High     | CVEs, RCE                |
| CVE-2022-31474\_BackupBuddy\_LFI                      | Medium   | CVEs                     |
| CVE-2022-32276\_Grafana\_8.4.3                        | Medium   | CVEs                     |
| CVE-2022-32276\_Grafana\_8.4.3\_poc2                  | Medium   | CVEs                     |
| CVE-2022-42889\_Text4Shell                            | High     | CVEs                     |
| CVE-2023-24488\_Citrix\_XSS                           | Medium   | All                      |
| CVE-2025-55182\_React2Shell\_RCE                      | High     | RCE, CVEs, React/Next.js |
| CVE-2025-55182\_React2Shell\_RCE\_OOB                 | High     | RCE, React/Next.js, CVEs |
| CVE-2025-55182\_React2Shell\_RCE\_Windows             | High     | RCE, CVEs, React/Next.js |
| CVE-2025-68613\_n8n\_Vulnerable\_Version              | High     | CVEs, RCE, n8n           |

### 💉 XSS (Cross-Site Scripting)

| Profile                       | Severity    | Tags                     |
| ----------------------------- | ----------- | ------------------------ |
| Blind\_XSS                    | Medium      | XSS, Blind XSS           |
| Openredirect\_to\_XSS         | Medium      | XSS                      |
| Test\_XSS\_discover           | Medium      | XSS                      |
| XSS                           | Information | XSS                      |
| XSS\_DOM\_Context             | Information | XSS, DOM\_Context        |
| XSS\_GETPOST                  | Medium      | XSS                      |
| XSS\_HTML\_Attribute\_Context | Information | XSS, HTML\_Attribute     |
| XSS\_HTML\_Comment\_Context   | Information | XSS, HTML\_Comment       |
| XSS\_HTML\_Tag\_Context       | Information | XSS, HTML\_Tag           |
| XSS\_HtmlUrlEncode            | Information | XSS                      |
| XSS\_JavaScript\_Context      | Information | XSS, JavaScript\_Context |
| XSS\_URLEncode                | Information | XSS                      |
| XSS\_URL\_Context             | Information | XSS, URL\_Context        |

### 🗄️ SQL Injection

| Profile                                | Severity | Tags                      |
| -------------------------------------- | -------- | ------------------------- |
| SQLi                                   | High     | SQLi                      |
| SQLi\_Collaborator                     | High     | SQLi                      |
| SQLi\_ContentLength                    | High     | SQLi, SQLi\_ContentLength |
| SQLi\_StausCode                        | High     | SQLi, SQLi\_StatusCode    |
| SQLi\_Timebased                        | High     | SQLi, SQLi\_TimeBased     |
| SQLi\_Timebased\_Encoded\_KeyCharacter | High     | SQLi, SQLi\_TimeBased     |
| SQLi\_Timebased\_Encoded\_Space        | High     | SQLi, SQLi\_TimeBased     |

### ⚡ RCE (Remote Code Execution)

| Profile             | Severity | Tags |
| ------------------- | -------- | ---- |
| Blind\_RCE\_Linux   | High     | RCE  |
| Blind\_RCE\_Windows | High     | RCE  |
| Echo\_RCE           | High     | RCE  |
| Expect\_RCE         | High     | RCE  |
| PHP\_RCE            | High     | RCE  |
| RCE\_Linux          | High     | RCE  |
| RCE\_Windows        | High     | RCE  |

### 🌐 SSRF (Server-Side Request Forgery)

| Profile                                    | Severity | Tags                |
| ------------------------------------------ | -------- | ------------------- |
| OpenRedirect\_SSRF                         | High     | SSRF, Open Redirect |
| OpenRedirect\_SSRF\_Collaborator           | Medium   | SSRF, Open Redirect |
| OpenRedirect\_SSRF\_Collaborator\_HTTP0\_9 | Medium   | All                 |
| OpenRedirect\_SSRF\_Collaborator\_HTTP1\_0 | Medium   | All                 |
| SSRF-Collaborator                          | Medium   | SSRF                |
| SSRF-URLScheme                             | High     | SSRF                |
| SSRF\_Collaborator\_HTTP0\_9               | Medium   | SSRF                |
| SSRF\_Collaborator\_HTTP1\_0               | Medium   | SSRF                |

### 🔄 Open Redirect

| Profile                               | Severity | Tags          |
| ------------------------------------- | -------- | ------------- |
| OpenRedirect                          | Medium   | Open Redirect |
| OpenRedirect-ParameterPollution       | Medium   | Open Redirect |
| OpenRedirect-ParameterPollution\_Path | Medium   | Open Redirect |
| OpenRedirect\_to\_Account\_Takeover   | High     | All           |

### 📄 XXE (XML External Entity)

| Profile      | Severity | Tags |
| ------------ | -------- | ---- |
| Blind\_XXE   | High     | XXE  |
| XXE\_Linux   | High     | XXE  |
| XXE\_Windows | High     | XXE  |

### 📂 Path Traversal

| Profile                | Severity | Tags           |
| ---------------------- | -------- | -------------- |
| PathTraversal\_Linux   | High     | Path Traversal |
| PathTraversal\_Windows | High     | Path Traversal |

### 🔧 Other Active Profiles

| Profile                          | Severity    | Tags             |
| -------------------------------- | ----------- | ---------------- |
| CORS Misconfiguration            | Low         | CORS             |
| CRLF                             | Medium      | CRLF             |
| CouchDB\_Admin\_Exposure         | Medium      | CVEs             |
| DWR\_enpoints                    | Information | DRWuzz           |
| Drupal\_User\_Enum               | Medium      | Drupal           |
| Drupal\_User\_Enum\_Redirect     | Medium      | Drupal           |
| Fuzzing\_directories             | Information | Fuzzing Files    |
| GitFinder                        | Low         | Fuzzing Files    |
| GraphQL Alias Overloading        | Medium      | GraphQL          |
| GraphQL Batching                 | Medium      | GraphQL          |
| GraphQL Circular Queries         | Medium      | GraphQL          |
| GraphQL Directives Overloading   | Medium      | GraphQL          |
| GraphQL Field Duplication        | Medium      | GraphQL          |
| Graphql Introspection            | Low         | Introspection    |
| Host\_Header\_Injection          | High        | All              |
| Java\_De-Serialization           | Information | All              |
| Jira\_unauthenticated\_Info      | Medium      | CVEs             |
| Kubernetes\_API\_Exposed         | Medium      | All              |
| Open Firebase Database           | High        | All              |
| Password-Reset-Headers           | High        | Forgot Password  |
| Password-Reset-Params            | High        | Forgot Password  |
| Password-Reset-URL               | High        | Forgot Password  |
| SSTI                             | High        | SSTI             |
| SVNFinder                        | Low         | Fuzzing Files    |
| Source\_code                     | Information | All              |
| Spring\_Boot\_Actuators          | High        | Spring           |
| Swagger-Finder                   | Information | Fuzzing Files    |
| Symfony\_Debug                   | Medium      | All              |
| Wordpress\_Config\_Accessible    | High        | Wordpress        |
| Wordpress\_Path\_Traversal       | High        | Wordpress        |
| Wordpress\_XMLRPC\_ListMethods   | Low         | Wordpress        |
| Wordpress\_XMLRPC\_Pingback      | Low         | Wordpress        |
| Wordpress\_directory\_listing    | Low         | Wordpress        |
| Wordpress\_user\_enum\_json      | Low         | Wordpress        |
| Wordpress\_user\_enum\_oembed    | Low         | Wordpress        |
| Woody\_Wordpress\_RCE            | Medium      | Wordpress        |
| X-Headers-Collaborator           | Medium      | X-Headers-Collab |
| easy\_wp\_smtp\_listing\_enabled | High        | Wordpress        |
| solarwinds\_default\_admin       | High        | All              |
| wordpress\_users\_enum\_yoastseo | Low         | Wordpress        |

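The active profiles above detect a payload's effect through a handful of response signals, and the names in the SQL Injection table say which one each profile relies on: a grep on the response content (`SQLi`), a change in status code (`SQLi_StausCode`, tagged `SQLi_StatusCode`), a change in content length (`SQLi_ContentLength`), or a delay (`SQLi_Timebased`). The Python below is an added illustration of that matching logic against a constructed target; it is not Burp Bounty Pro's code, and the payloads, thresholds, error-message regex and the `vulnerable_target`/`safe_target` endpoints are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Response:
    """Constructed stand-in for an HTTP response: status, body and round-trip time."""
    status: int
    body: str
    elapsed: float  # seconds


# The four detection signals, each as a small predicate.

def grep_match(resp: Response, pattern: str) -> bool:
    """Content match: the response contains something the payload provoked."""
    return re.search(pattern, resp.body) is not None


def status_changed(resp: Response, base: Response) -> bool:
    """Status-code signal: the payload changed the HTTP status versus the baseline."""
    return resp.status != base.status


def content_length_changed(resp: Response, base: Response, min_delta: int) -> bool:
    """Content-length signal: the body grew or shrank by at least min_delta bytes."""
    return abs(len(resp.body) - len(base.body)) >= min_delta


def time_delayed(resp: Response, base: Response, min_delay: float) -> bool:
    """Time-based signal: the response took at least min_delay seconds longer."""
    return resp.elapsed - base.elapsed >= min_delay


# Example error fragments (this example's own list, not the product's grep set).
SQL_ERRORS = r"SQL syntax|ORA-\d{5}|SQLSTATE\[|unterminated quoted string|pg_query\("


def run_sqli_checks(send: Callable[[str], Response]) -> List[str]:
    """Send a benign value for a baseline, then each payload, and report which signals fired."""
    base = send("1")
    checks = {
        "SQLi (error message grep)": ("1'", lambda r: grep_match(r, SQL_ERRORS)),
        "SQLi_StatusCode (status code changed)": ("1'", lambda r: status_changed(r, base)),
        "SQLi_ContentLength (length changed)": ("1'", lambda r: content_length_changed(r, base, 10)),
        "SQLi_TimeBased (response delayed)": ("1' AND SLEEP(5)-- -", lambda r: time_delayed(r, base, 4.0)),
    }
    findings = []
    for title, (payload, check) in checks.items():
        if check(send(payload)):
            findings.append(title)
    return findings


def vulnerable_target(value: str) -> Response:
    """Constructed endpoint that behaves like an unparameterised SQL query would."""
    if "SLEEP(5)" in value.upper():
        return Response(200, "<html>ok</html>", 5.2)
    if "'" in value:
        return Response(500, "You have an error in your SQL syntax", 0.05)
    return Response(200, "<html>ok</html>", 0.05)


def safe_target(value: str) -> Response:
    """Constructed endpoint with a parameterised query: payloads change nothing."""
    return Response(200, "<html>ok</html>", 0.05)


if __name__ == "__main__":
    print("vulnerable:", run_sqli_checks(vulnerable_target))
    print("safe:", run_sqli_checks(safe_target))
```

A real time-based check should measure the baseline at the same moment and repeat with a second delay value so that network jitter is not mistaken for injection; a single difference of a few seconds, as here, is only the starting point. Content-length and status-code signals are cheap but noisy on dynamic pages, which is why the profiles keep them separate rather than folding them into one verdict.
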
***

## 📩 Passive Response Profiles (95)

These profiles analyze HTTP responses for security issues, sensitive data, and technology indicators.

| Profile                                             | Severity    | Description                                      |
| --------------------------------------------------- | ----------- | ------------------------------------------------ |
| AWS\_Access\_Key\_ID                                | Information | 🔑 Detects AWS Access Key IDs                    |
| AWS\_Client\_Secret                                 | Information | 🔑 Detects AWS Client Secrets                    |
| AWS\_Creds\_File                                    | Information | 📁 Detects AWS credentials file references       |
| AWS\_EC2\_Url                                       | Information | ☁️ Detects AWS EC2 metadata URLs                 |
| AWS\_Region                                         | Information | ☁️ Detects AWS region identifiers                |
| AccessToken                                         | Information | 🔑 Detects access tokens in responses            |
| AmazonAWS                                           | Information | ☁️ Detects Amazon AWS URLs                       |
| Amazon\_AWS\_Url                                    | Information | ☁️ Detects Amazon AWS endpoint URLs              |
| Amazon\_MWS\_Auth\_Token                            | Information | 🔑 Detects Amazon MWS authentication tokens      |
| Android\_WebView\_JS                                | Information | 📱 Detects Android WebView JavaScript interfaces |
| ApiKeyResponse                                      | Information | 🔑 Detects API keys in responses                 |
| Artica\_Web                                         | Information | 🖥️ Detects Artica Web Proxy                     |
| Artifactory\_API\_Token                             | Information | 🔑 Detects JFrog Artifactory API tokens          |
| Authorization\_Bearer                               | Information | 🔑 Detects Bearer tokens in responses            |
| Azure\_Blob\_Discovered                             | Information | ☁️ Detects Azure Blob storage URLs               |
| Basic\_Auth\_Credentials                            | Information | 🔑 Detects Basic Auth credentials                |
| Bitcoin\_Address                                    | Information | 💰 Detects Bitcoin addresses                     |
| CDN\_Detected                                       | Information | 🌐 Detects CDN usage                             |
| CMS\_Found                                          | Information | 🖥️ Detects CMS platforms                        |
| Cache-Control                                       | Information | 🛡️ Analyzes Cache-Control headers               |
| Cisco\_ASA\_Device\_Found                           | Low         | 🖥️ Detects Cisco ASA devices                    |
| Citrix\_Detection                                   | Information | 🖥️ Detects Citrix products                      |
| Content-Security-Policy                             | Information | 🛡️ Analyzes CSP headers                         |
| CookieFlag-HttpOnly                                 | Low         | 🍪 Checks for missing HttpOnly flag              |
| CookieFlag-SameSite                                 | Information | 🍪 Checks for SameSite cookie attribute          |
| CookieFlag-Secure                                   | Low         | 🍪 Checks for missing Secure flag                |
| CouchDB\_Response                                   | Information | 🗄️ Detects CouchDB responses                    |
| DWREndpoints                                        | Information | 🔗 Detects DWR (Direct Web Remoting) endpoints   |
| Debug Pages                                         | Information | ⚠️ Detects debug/error pages                     |
| Debug\_variables                                    | Information | ⚠️ Detects debug variables in responses          |
| DefaultRDP                                          | Information | 🖥️ Detects default RDP configurations           |
| DigitalOcean\_Space\_Discovered                     | Information | ☁️ Detects DigitalOcean Spaces                   |
| DirectoryListing                                    | Information | 📂 Detects directory listing                     |
| Docker\_API\_Response                               | Information | 🐳 Detects Docker API responses                  |
| DomainTakeOver\_Strings                             | Information | 🌐 Detects domain takeover indicators            |
| Drupal\_Response                                    | Information | 🖥️ Detects Drupal CMS                           |
| EndpointsExtractor                                  | Information | 🔗 Extracts API endpoints from JS                |
| Env\_Vars                                           | Information | ⚠️ Detects environment variables                 |
| Facebook\_Client\_ID                                | Information | 🔑 Detects Facebook Client IDs                   |
| Facebook\_OAuth                                     | Information | 🔑 Detects Facebook OAuth tokens                 |
| Fortinet\_Panel                                     | Information | 🛡️ Detects Fortinet admin panels                |
| GCP\_Service\_Account                               | Information | ☁️ Detects GCP service accounts                  |
| GCP\_Urls                                           | Information | ☁️ Detects Google Cloud Platform URLs            |
| Gmail\_Oauth\_2.0                                   | Information | 🔑 Detects Gmail OAuth tokens                    |
| Google\_Cloud\_Buckets                              | Information | ☁️ Detects Google Cloud Storage buckets          |
| Hidden Parameters                                   | Information | 🔍 Detects hidden form parameters                |
| Interesting\_Keyworks                               | Information | 🔍 Detects interesting keywords                  |
| JS\_Variables                                       | Information | 📝 Extracts JavaScript variables                 |
| Jenkins\_Response                                   | Information | 🖥️ Detects Jenkins CI                           |
| Joomla detection                                    | Information | 🖥️ Detects Joomla CMS                           |
| Joomla-CVE-2015-7297                                | High        | 🐛 Detects Joomla CVE-2015-7297                  |
| Kubernetes\_Response                                | Information | ☸️ Detects Kubernetes                            |
| LinkedIn\_Secret                                    | Information | 🔑 Detects LinkedIn API secrets                  |
| MAC\_Address                                        | Information | 🔗 Detects MAC addresses                         |
| MAGMI\_Response                                     | Information | 🖥️ Detects MAGMI (Magento Mass Importer)        |
| Netsweeper\_Response                                | Information | 🖥️ Detects Netsweeper                           |
| NoSQL\_Session\_Token                               | Information | 🔑 Detects NoSQL session tokens                  |
| NuGet\_Api\_Key                                     | Information | 🔑 Detects NuGet API keys                        |
| Octopus\_API\_Key                                   | Information | 🔑 Detects Octopus Deploy API keys               |
| Outlook\_Team                                       | Information | 📧 Detects Outlook/Teams info                    |
| Paypal\_Braintree\_access\_token                    | Information | 🔑 Detects PayPal Braintree tokens               |
| Picatic\_API\_Key                                   | Information | 🔑 Detects Picatic API keys                      |
| Private\_SSH\_Key                                   | Information | 🔑 Detects private SSH keys                      |
| Reflected\_values\_greater\_than\_three\_characters | Information | 🪞 Detects request values longer than three characters reflected in the response |
| SQL\_Message\_Detected                              | Information | 🗄️ Detects SQL error messages                   |
| ServerBannerResponse                                | Information | 🖥️ Detects server banners                       |
| Software\_Version                                   | Information | 📊 Detects software version strings              |
| Solarwinds\_Orion\_Response                         | Information | 🖥️ Detects SolarWinds Orion                     |
| SonarQube\_API\_Key\_Docs                           | Information | 🔑 Detects SonarQube API keys                    |
| StackHawk\_API\_Key                                 | Information | 🔑 Detects StackHawk API keys                    |
| Strict-Transport-Security                           | Information | 🛡️ Checks HSTS header                           |
| Subdomain\_takeover                                 | Low         | 🌐 Detects subdomain takeover indicators         |
| Swagger\_found                                      | Information | 📄 Detects Swagger/OpenAPI docs                  |
| Symfony\_Response                                   | Information | 🖥️ Detects Symfony framework                    |
| Tomcat\_Response\_Detection                         | Information | 🖥️ Detects Apache Tomcat                        |
| Traefik\_Response                                   | Information | 🖥️ Detects Traefik proxy                        |
| WAF\_Found                                          | Information | 🛡️ Detects Web Application Firewalls            |
| WP\_Config                                          | Information | ⚠️ Detects WordPress config exposure             |
| Wordpress detection                                 | Information | 🖥️ Detects WordPress CMS                        |
| Wordpress-SensitiveDirectories                      | Information | 📂 Detects sensitive WP directories              |
| X-Content-Type-Options                              | Information | 🛡️ Checks X-Content-Type-Options                |
| X-Frame-Options                                     | Information | 🛡️ Checks X-Frame-Options                       |
| vBulletin\_Response                                 | Information | 🖥️ Detects vBulletin forum                      |

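As an added example (not the product's own rule set), the following Python shows the kind of matching the passive response profiles perform over a single HTTP response: regex detection of secrets such as an AWS Access Key ID, a private key or a Bearer token, the cookie flag checks behind CookieFlag-HttpOnly, CookieFlag-Secure and CookieFlag-SameSite, missing security headers, and a version-bearing Server banner. The regexes, the expected-header list, the severity labels and the sample response are this example's assumptions; the sample uses AWS's published documentation example key rather than a live credential.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, title, evidence)

# Example patterns for some of the secret types named in the table above.
# These are this example's own regexes, not Burp Bounty Pro's profile definitions.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Private SSH key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "Authorization Bearer token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{16,}=*"),
    "Basic Auth credentials": re.compile(r"\bBasic\s+[A-Za-z0-9+/]{8,}={0,2}"),
    "Google Cloud Storage bucket": re.compile(r"https?://storage\.googleapis\.com/[a-z0-9._-]+"),
}

# Headers whose absence the header-check profiles report on (example list).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)

# Constructed sample response. AKIAIOSFODNN7EXAMPLE is AWS's documentation example key.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.4.49 (Unix)",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/",
    "Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
    "X-Frame-Options: DENY",
    "",
    '<script>var awsKey = "AKIAIOSFODNN7EXAMPLE";</script>',
])


def parse_response(raw: str):
    """Split a raw response into status line, [(lower-cased name, value)] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def find_secrets(text: str) -> List[Finding]:
    """Run every secret regex over the text and return each hit with its evidence."""
    out: List[Finding] = []
    for title, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            out.append(("Information", title, match.group(0)))
    return out


def check_cookies(headers) -> List[Finding]:
    """Report each Set-Cookie that lacks HttpOnly, Secure or SameSite."""
    out: List[Finding] = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in flags:
            out.append(("Low", "Cookie without HttpOnly flag", cookie))
        if "secure" not in flags:
            out.append(("Low", "Cookie without Secure flag", cookie))
        if "samesite" not in flags:
            out.append(("Information", "Cookie without SameSite attribute", cookie))
    return out


def check_headers(headers) -> List[Finding]:
    """Report missing security headers and a Server banner that carries a version number."""
    present = {name for name, _ in headers}
    out: List[Finding] = [
        ("Information", f"Missing {h} header", "") for h in EXPECTED_HEADERS if h not in present
    ]
    for name, value in headers:
        if name == "server" and re.search(r"\d+\.\d+", value):
            out.append(("Information", "Server banner discloses version", value))
    return out


def scan_response(raw: str) -> List[Finding]:
    """Apply the secret, cookie and header checks to one raw HTTP response."""
    _, headers, body = parse_response(raw)
    header_text = "\r\n".join(f"{n}: {v}" for n, v in headers)
    return find_secrets(header_text + "\r\n" + body) + check_cookies(headers) + check_headers(headers)


if __name__ == "__main__":
    for severity, title, evidence in scan_response(SAMPLE_RESPONSE):
        print(f"[{severity}] {title}: {evidence}")
```

Secrets are searched in headers as well as the body because tokens leak through `Location`, `Link` and custom headers too; the severity of such a hit is left at Information, as in the table, because whether the key is live has to be confirmed out of band.
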
***

## 📨 Passive Request Profiles (58)

These profiles analyze HTTP requests to detect interesting parameters, endpoints, and technology indicators.

| Profile                        | Severity    | Description                               |
| ------------------------------ | ----------- | ----------------------------------------- |
| Action\_parameters             | Information | ⚙️ Detects action-related parameters      |
| All\_Requests\_And\_Parameters | Information | 🌐 Matches all requests (for bulk rules)  |
| AmazonAWSRequest               | Information | ☁️ Detects AWS API requests               |
| ApiKeyRequest                  | Information | 🔑 Detects API key parameters in requests |
| Api\_path                      | Information | 🔗 Detects API path patterns              |
| Artica\_Web\_Request           | Information | 🖥️ Detects Artica Web requests           |
| AuthorizationBearerToken       | Information | 🔑 Detects Bearer tokens in requests      |
| Cisco\_Request\_Detected       | Information | 🖥️ Detects Cisco-related requests        |
| CouchDB\_Request               | Information | 🗄️ Detects CouchDB requests              |
| Debug\_Logic\_Parameters       | Information | ⚠️ Detects debug parameters               |
| ErrorPages-JobApps             | Information | ⚠️ Detects error page requests            |
| Firebase DB detected           | Information | 🔥 Detects Firebase requests              |
| Fortinet\_Request              | Information | 🛡️ Detects Fortinet requests             |
| GraphQL\_Endpoint              | Information | 🔗 Detects GraphQL endpoints              |
| IDOR\_parameters               | Information | 🔓 Detects IDOR-prone parameters          |
| Jira\_Request                  | Information | 📋 Detects Jira requests                  |
| Key\_Parameters                | Information | 🔑 Detects key/token parameters           |
| LFI\_RFI\_Parameters           | Information | 📂 Detects LFI/RFI-prone parameters       |
| MAGMI\_Request                 | Information | 🖥️ Detects MAGMI requests                |
| Netsweeper\_Request            | Information | 🖥️ Detects Netsweeper requests           |
| OAuth\_parameters              | Information | 🔑 Detects OAuth parameters               |
| OpenRedirect\_SSRF\_Parameters | Information | 🔄 Detects redirect/URL parameters        |
| RCE\_Parameters                | Information | ⚡ Detects RCE-prone parameters            |
| RegisterUser\_parameters       | Information | 👤 Detects registration parameters        |
| SQLi\_Parameters               | Information | 🗄️ Detects SQLi-prone parameters         |
| SSTI\_Parameters               | Information | 🔧 Detects SSTI-prone parameters          |
| Secret-keywords-SecLists       | Information | 🔑 Detects secret keywords                |
| Secrets\_Request               | Information | 🔑 Detects secrets in requests            |
| Solarwinds\_Orion\_Request     | Information | 🖥️ Detects SolarWinds requests           |
| Springboot\_Requests           | Information | 🍃 Detects Spring Boot requests           |
| Swagger\_Request               | Information | 📄 Detects Swagger requests               |
| Token\_Parameters              | Information | 🔑 Detects token parameters               |
| URL\_Path\_as\_a\_Value        | Information | 🔗 Detects URL paths in parameters        |
| URL\_as\_a\_Value              | Information | 🔗 Detects URLs in parameters             |
| UUID\_Request                  | Information | 🔢 Detects UUIDs in requests              |
| UserEnum\_parameters           | Information | 👤 Detects user enumeration parameters    |
| WeblogicServer-UDDI\_Explorer  | Information | 🖥️ Detects WebLogic UDDI                 |
| Weblogic\_Request              | Information | 🖥️ Detects WebLogic requests             |
| XSS\_Parameters                | Information | 💉 Detects XSS-prone parameters           |


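The request-side profiles are mostly name- and value-based triage: they flag parameters whose names suggest a vulnerability class (IDOR_parameters, LFI_RFI_Parameters, OpenRedirect_SSRF_Parameters, Debug_Logic_Parameters, Token_Parameters), values that are URLs, paths or UUIDs (URL_as_a_Value, URL_Path_as_a_Value, UUID_Request), and endpoints or headers worth a closer look (Api_path, GraphQL_Endpoint, AuthorizationBearerToken). The Python below is an added example of that triage over a single raw request; it is not the product's code, and the word lists, regexes, the hostnames and the token in the sample request are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

Finding = Tuple[str, str]  # (what was noticed, where)

# Parameter-name classes in the spirit of the request profiles listed above.
# The word lists are this example's own, not Burp Bounty Pro's.
PARAM_CLASSES: Dict[str, Set[str]] = {
    "IDOR-prone parameter": {"id", "uid", "user_id", "account", "order_id", "profile", "doc"},
    "LFI/RFI-prone parameter": {"file", "path", "page", "template", "include", "dir", "document"},
    "Redirect/SSRF-prone parameter": {"url", "redirect", "redirect_uri", "next", "return", "callback", "dest", "target"},
    "Debug/logic parameter": {"debug", "test", "admin", "verbose", "trace"},
    "Token/key parameter": {"token", "access_token", "api_key", "apikey", "key", "secret"},
}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
URL_RE = re.compile(r"^https?://", re.I)
PATH_RE = re.compile(r"^(?:\.\./|/)[\w./-]*$")

# Constructed sample request (hostnames and token are made up).
SAMPLE_REQUEST = "\r\n".join([
    "POST /api/v1/orders/export?next=https://evil.example/&debug=1 HTTP/1.1",
    "Host: shop.example",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "order_id=7f3c2a10-1b2d-4c3e-8f9a-0123456789ab&file=../../etc/passwd",
])


def parse_request(raw: str):
    """Return method, path, lower-cased header dict and all (name, value) parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Only form-encoded bodies are parsed here; JSON/multipart would need their own parser.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, parts.path, headers, params


def scan_request(raw: str) -> List[Finding]:
    """Flag interesting endpoints, headers and parameters in one raw HTTP request."""
    _, path, headers, params = parse_request(raw)
    findings: List[Finding] = []

    if re.search(r"/(?:api|v\d+)/", path):
        findings.append(("API path", path))
    if path.rstrip("/").endswith("/graphql"):
        findings.append(("GraphQL endpoint", path))

    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        findings.append(("Bearer token in request", auth.split(None, 1)[1]))

    for name, value in params:
        lname = name.lower()
        # Name-based classes: exact match or a suffix such as user_id / customer_file.
        for title, names in PARAM_CLASSES.items():
            if lname in names or any(lname.endswith("_" + n) for n in names):
                findings.append((title, name))
        # Value-based classes.
        if UUID_RE.match(value):
            findings.append(("UUID as a value", name))
        if URL_RE.match(value):
            findings.append(("URL as a value", name))
        elif PATH_RE.match(value):
            findings.append(("URL path as a value", name))
    return findings


if __name__ == "__main__":
    for what, where in scan_request(SAMPLE_REQUEST):
        print(f"{what}: {where}")
```

These request findings are Information-level by design: a parameter called `file` is not a vulnerability, it is a prompt to run the matching active profile (PathTraversal_Linux, OpenRedirect_SSRF, and so on) against that insertion point.
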