# Default Profiles

Burp Bounty Pro ships with **254 pre-configured profiles** covering CVE exploits, common vulnerabilities, technology detection, and sensitive data exposure.

## 📊 Summary

| Category                     | Count   |
| ---------------------------- | ------- |
| 🎯 Active Scanning Profiles  | 101     |
| 📩 Passive Response Profiles | 95      |
| 📨 Passive Request Profiles  | 58      |
| **Total**                    | **254** |

### ⚠️ Severity Distribution

| Severity       | Count |
| -------------- | ----- |
| 🔴 High        | 68    |
| 🟠 Medium      | 29    |
| 🟡 Low         | 8     |
| 🔵 Information | 149   |

## 🎯 Active Profiles by Category

### 🐛 CVE Exploits

| Profile                                               | Severity | Tags                     |
| ----------------------------------------------------- | -------- | ------------------------ |
| CVE-2017-9506\_Jira\_SSRF                             | Medium   | CVEs                     |
| CVE-2018-1271\_Spring\_MVC\_Path\_Traversal           | High     | CVEs                     |
| CVE-2018-13379\_FortiOS\_Creds\_Disclosure            | High     | CVEs                     |
| CVE-2019-11510\_Pulse\_Secure                         | High     | CVEs                     |
| CVE-2019-11580\_Atlassian\_Crowd\_RCE                 | High     | CVEs                     |
| CVE-2019-1653\_Cisco\_Wan\_VPN\_disclosure            | High     | CVEs                     |
| CVE-2019-19781\_Citrix\_ADC\_Directory\_Traversal     | Medium   | CVEs                     |
| CVE-2019-3799\_Spring\_Cloud\_Path\_Traversal         | High     | CVEs                     |
| CVE-2019-5418\_Ruby on Rails                          | High     | CVEs                     |
| CVE-2019-5418\_Ruby on Rails - WAF bypass             | High     | CVEs                     |
| CVE-2019-8442\_Jira\_Path\_Traversal                  | Medium   | CVEs                     |
| CVE-2019-8449\_Jira\_Unauthenticated\_Sensitive\_Info | Medium   | CVEs                     |
| CVE-2020-11738\_Wordpress\_Duplicator\_Plugin\_LFI    | High     | CVEs, Wordpress          |
| CVE-2020-13167\_Netsweeper\_code\_injection           | High     | CVEs                     |
| CVE-2020-13379\_Grafana\_SSRF                         | High     | CVEs                     |
| CVE-2020-14179\_Jira\_Info\_Exposure                  | Medium   | CVEs                     |
| CVE-2020-14181\_Jira\_User\_Enum                      | Medium   | CVEs                     |
| CVE-2020-14815\_XSS                                   | Medium   | XSS                      |
| CVE-2020-15129\_Traefik\_Open\_Redirect               | Medium   | CVEs                     |
| CVE-2020-17506\_Artica\_Web\_Proxy\_Auth\_Bypass      | High     | CVEs                     |
| CVE-2020-24312\_File\_Manager\_Wordpress\_Backups     | High     | CVEs, Wordpress          |
| CVE-2020-2551\_Oracle\_WebLogic                       | High     | CVEs                     |
| CVE-2020-3452\_Cisco\_ASA\_LFI                        | Medium   | CVEs                     |
| CVE-2020-5410\_Path\_Traversal\_Spring\_Cloud         | Medium   | CVEs                     |
| CVE-2020-5412\_Spring\_Cloud\_Netflix                 | High     | CVEs                     |
| CVE-2020-5777\_MAMGI\_Auth\_Bypass                    | Medium   | CVEs                     |
| CVE-2020-5902\_F5-BigIP                               | High     | CVEs                     |
| CVE-2020-8209\_Citrix\_XenMobile\_PathTraversal       | High     | CVEs                     |
| CVE-2020-8982\_Citrix\_ShareFile\_File\_Read          | Medium   | CVEs                     |
| CVE-2020-9484\_Tomcat\_Groovy                         | High     | CVEs                     |
| CVE-2021-26086\_PathTraversal\_Atlassian\_Jira        | Medium   | CVEs                     |
| CVE-2021-40438\_Apache\_mod\_proxy\_SSRF              | High     | CVEs                     |
| CVE-2021-40539\_Zoho\_ManageEngine\_ADSelfService     | High     | CVEs                     |
| CVE-2021-43798\_Grafana\_LFI                          | High     | CVEs                     |
| CVE-2021-44228\_RCE\_Log4j                            | High     | RCE, CVEs                |
| CVE-2021-44228\_RCE\_Log4j\_GETPOST                   | High     | RCE, CVEs                |
| CVE-2021-44228\_RCE\_Log4j\_urlEncode                 | High     | RCE, CVEs                |
| CVE-2022-1388\_F5\_Big\_IP\_RCE                       | High     | CVEs, RCE                |
| CVE-2022-26134\_Confluence\_RCE                       | High     | CVEs, RCE                |
| CVE-2022-31474\_BackupBuddy\_LFI                      | Medium   | CVEs                     |
| CVE-2022-32276\_Grafana\_8.4.3                        | Medium   | CVEs                     |
| CVE-2022-32276\_Grafana\_8.4.3\_poc2                  | Medium   | CVEs                     |
| CVE-2022-42889\_Text4Shell                            | High     | CVEs                     |
| CVE-2023-24488\_Citrix\_XSS                           | Medium   | All                      |
| CVE-2025-55182\_React2Shell\_RCE                      | High     | RCE, CVEs, React/Next.js |
| CVE-2025-55182\_React2Shell\_RCE\_OOB                 | High     | RCE, React/Next.js, CVEs |
| CVE-2025-55182\_React2Shell\_RCE\_Windows             | High     | RCE, CVEs, React/Next.js |
| CVE-2025-68613\_n8n\_Vulnerable\_Version              | High     | CVEs, RCE, n8n           |

### 💉 XSS (Cross-Site Scripting)

| Profile                       | Severity    | Tags                     |
| ----------------------------- | ----------- | ------------------------ |
| Blind\_XSS                    | Medium      | XSS, Blind XSS           |
| Openredirect\_to\_XSS         | Medium      | XSS                      |
| Test\_XSS\_discover           | Medium      | XSS                      |
| XSS                           | Information | XSS                      |
| XSS\_DOM\_Context             | Information | XSS, DOM\_Context        |
| XSS\_GETPOST                  | Medium      | XSS                      |
| XSS\_HTML\_Attribute\_Context | Information | XSS, HTML\_Attribute     |
| XSS\_HTML\_Comment\_Context   | Information | XSS, HTML\_Comment       |
| XSS\_HTML\_Tag\_Context       | Information | XSS, HTML\_Tag           |
| XSS\_HtmlUrlEncode            | Information | XSS                      |
| XSS\_JavaScript\_Context      | Information | XSS, JavaScript\_Context |
| XSS\_URLEncode                | Information | XSS                      |
| XSS\_URL\_Context             | Information | XSS, URL\_Context        |

### 🗄️ SQL Injection

| Profile                                | Severity | Tags                      |
| -------------------------------------- | -------- | ------------------------- |
| SQLi                                   | High     | SQLi                      |
| SQLi\_Collaborator                     | High     | SQLi                      |
| SQLi\_ContentLength                    | High     | SQLi, SQLi\_ContentLength |
| SQLi\_StausCode                        | High     | SQLi, SQLi\_StatusCode    |
| SQLi\_Timebased                        | High     | SQLi, SQLi\_TimeBased     |
| SQLi\_Timebased\_Encoded\_KeyCharacter | High     | SQLi, SQLi\_TimeBased     |
| SQLi\_Timebased\_Encoded\_Space        | High     | SQLi, SQLi\_TimeBased     |

### ⚡ RCE (Remote Code Execution)

| Profile             | Severity | Tags |
| ------------------- | -------- | ---- |
| Blind\_RCE\_Linux   | High     | RCE  |
| Blind\_RCE\_Windows | High     | RCE  |
| Echo\_RCE           | High     | RCE  |
| Expect\_RCE         | High     | RCE  |
| PHP\_RCE            | High     | RCE  |
| RCE\_Linux          | High     | RCE  |
| RCE\_Windows        | High     | RCE  |

### 🌐 SSRF (Server-Side Request Forgery)

| Profile                                    | Severity | Tags                |
| ------------------------------------------ | -------- | ------------------- |
| OpenRedirect\_SSRF                         | High     | SSRF, Open Redirect |
| OpenRedirect\_SSRF\_Collaborator           | Medium   | SSRF, Open Redirect |
| OpenRedirect\_SSRF\_Collaborator\_HTTP0\_9 | Medium   | All                 |
| OpenRedirect\_SSRF\_Collaborator\_HTTP1\_0 | Medium   | All                 |
| SSRF-Collaborator                          | Medium   | SSRF                |
| SSRF-URLScheme                             | High     | SSRF                |
| SSRF\_Collaborator\_HTTP0\_9               | Medium   | SSRF                |
| SSRF\_Collaborator\_HTTP1\_0               | Medium   | SSRF                |

### 🔄 Open Redirect

| Profile                               | Severity | Tags          |
| ------------------------------------- | -------- | ------------- |
| OpenRedirect                          | Medium   | Open Redirect |
| OpenRedirect-ParameterPollution       | Medium   | Open Redirect |
| OpenRedirect-ParameterPollution\_Path | Medium   | Open Redirect |
| OpenRedirect\_to\_Account\_Takeover   | High     | All           |

### 📄 XXE (XML External Entity)

| Profile      | Severity | Tags |
| ------------ | -------- | ---- |
| Blind\_XXE   | High     | XXE  |
| XXE\_Linux   | High     | XXE  |
| XXE\_Windows | High     | XXE  |

### 📂 Path Traversal

| Profile                | Severity | Tags           |
| ---------------------- | -------- | -------------- |
| PathTraversal\_Linux   | High     | Path Traversal |
| PathTraversal\_Windows | High     | Path Traversal |

### 🔧 Other Active Profiles

| Profile                          | Severity    | Tags             |
| -------------------------------- | ----------- | ---------------- |
| CORS Misconfiguration            | Low         | CORS             |
| CRLF                             | Medium      | CRLF             |
| CouchDB\_Admin\_Exposure         | Medium      | CVEs             |
| DWR\_enpoints                    | Information | DRWuzz           |
| Drupal\_User\_Enum               | Medium      | Drupal           |
| Drupal\_User\_Enum\_Redirect     | Medium      | Drupal           |
| Fuzzing\_directories             | Information | Fuzzing Files    |
| GitFinder                        | Low         | Fuzzing Files    |
| GraphQL Alias Overloading        | Medium      | GraphQL          |
| GraphQL Batching                 | Medium      | GraphQL          |
| GraphQL Circular Queries         | Medium      | GraphQL          |
| GraphQL Directives Overloading   | Medium      | GraphQL          |
| GraphQL Field Duplication        | Medium      | GraphQL          |
| Graphql Introspection            | Low         | Introspection    |
| Host\_Header\_Injection          | High        | All              |
| Java\_De-Serialization           | Information | All              |
| Jira\_unauthenticated\_Info      | Medium      | CVEs             |
| Kubernetes\_API\_Exposed         | Medium      | All              |
| Open Firebase Database           | High        | All              |
| Password-Reset-Headers           | High        | Forgot Password  |
| Password-Reset-Params            | High        | Forgot Password  |
| Password-Reset-URL               | High        | Forgot Password  |
| SSTI                             | High        | SSTI             |
| SVNFinder                        | Low         | Fuzzing Files    |
| Source\_code                     | Information | All              |
| Spring\_Boot\_Actuators          | High        | Spring           |
| Swagger-Finder                   | Information | Fuzzing Files    |
| Symfony\_Debug                   | Medium      | All              |
| Wordpress\_Config\_Accessible    | High        | Wordpress        |
| Wordpress\_Path\_Traversal       | High        | Wordpress        |
| Wordpress\_XMLRPC\_ListMethods   | Low         | Wordpress        |
| Wordpress\_XMLRPC\_Pingback      | Low         | Wordpress        |
| Wordpress\_directory\_listing    | Low         | Wordpress        |
| Wordpress\_user\_enum\_json      | Low         | Wordpress        |
| Wordpress\_user\_enum\_oembed    | Low         | Wordpress        |
| Woody\_Wordpress\_RCE            | Medium      | Wordpress        |
| X-Headers-Collaborator           | Medium      | X-Headers-Collab |
| easy\_wp\_smtp\_listing\_enabled | High        | Wordpress        |
| solarwinds\_default\_admin       | High        | All              |
| wordpress\_users\_enum\_yoastseo | Low         | Wordpress        |

***

## 📩 Passive Response Profiles (95)

These profiles analyze HTTP responses for security issues, sensitive data, and technology indicators.

| Profile                                             | Severity    | Description                                      |
| --------------------------------------------------- | ----------- | ------------------------------------------------ |
| AWS\_Access\_Key\_ID                                | Information | 🔑 Detects AWS Access Key IDs                    |
| AWS\_Client\_Secret                                 | Information | 🔑 Detects AWS Client Secrets                    |
| AWS\_Creds\_File                                    | Information | 📁 Detects AWS credentials file references       |
| AWS\_EC2\_Url                                       | Information | ☁️ Detects AWS EC2 metadata URLs                 |
| AWS\_Region                                         | Information | ☁️ Detects AWS region identifiers                |
| AccessToken                                         | Information | 🔑 Detects access tokens in responses            |
| AmazonAWS                                           | Information | ☁️ Detects Amazon AWS URLs                       |
| Amazon\_AWS\_Url                                    | Information | ☁️ Detects Amazon AWS endpoint URLs              |
| Amazon\_MWS\_Auth\_Token                            | Information | 🔑 Detects Amazon MWS authentication tokens      |
| Android\_WebView\_JS                                | Information | 📱 Detects Android WebView JavaScript interfaces |
| ApiKeyResponse                                      | Information | 🔑 Detects API keys in responses                 |
| Artica\_Web                                         | Information | 🖥️ Detects Artica Web Proxy                     |
| Artifactory\_API\_Token                             | Information | 🔑 Detects JFrog Artifactory API tokens          |
| Authorization\_Bearer                               | Information | 🔑 Detects Bearer tokens in responses            |
| Azure\_Blob\_Discovered                             | Information | ☁️ Detects Azure Blob storage URLs               |
| Basic\_Auth\_Credentials                            | Information | 🔑 Detects Basic Auth credentials                |
| Bitcoin\_Address                                    | Information | 💰 Detects Bitcoin addresses                     |
| CDN\_Detected                                       | Information | 🌐 Detects CDN usage                             |
| CMS\_Found                                          | Information | 🖥️ Detects CMS platforms                        |
| Cache-Control                                       | Information | 🛡️ Analyzes Cache-Control headers               |
| Cisco\_ASA\_Device\_Found                           | Low         | 🖥️ Detects Cisco ASA devices                    |
| Citrix\_Detection                                   | Information | 🖥️ Detects Citrix products                      |
| Content-Security-Policy                             | Information | 🛡️ Analyzes CSP headers                         |
| CookieFlag-HttpOnly                                 | Low         | 🍪 Checks for missing HttpOnly flag              |
| CookieFlag-SameSite                                 | Information | 🍪 Checks for SameSite cookie attribute          |
| CookieFlag-Secure                                   | Low         | 🍪 Checks for missing Secure flag                |
| CouchDB\_Response                                   | Information | 🗄️ Detects CouchDB responses                    |
| DWREndpoints                                        | Information | 🔗 Detects DWR (Direct Web Remoting) endpoints   |
| Debug Pages                                         | Information | ⚠️ Detects debug/error pages                     |
| Debug\_variables                                    | Information | ⚠️ Detects debug variables in responses          |
| DefaultRDP                                          | Information | 🖥️ Detects default RDP configurations           |
| DigitalOcean\_Space\_Discovered                     | Information | ☁️ Detects DigitalOcean Spaces                   |
| DirectoryListing                                    | Information | 📂 Detects directory listing                     |
| Docker\_API\_Response                               | Information | 🐳 Detects Docker API responses                  |
| DomainTakeOver\_Strings                             | Information | 🌐 Detects domain takeover indicators            |
| Drupal\_Response                                    | Information | 🖥️ Detects Drupal CMS                           |
| EndpointsExtractor                                  | Information | 🔗 Extracts API endpoints from JS                |
| Env\_Vars                                           | Information | ⚠️ Detects environment variables                 |
| Facebook\_Client\_ID                                | Information | 🔑 Detects Facebook Client IDs                   |
| Facebook\_OAuth                                     | Information | 🔑 Detects Facebook OAuth tokens                 |
| Fortinet\_Panel                                     | Information | 🛡️ Detects Fortinet admin panels                |
| GCP\_Service\_Account                               | Information | ☁️ Detects GCP service accounts                  |
| GCP\_Urls                                           | Information | ☁️ Detects Google Cloud Platform URLs            |
| Gmail\_Oauth\_2.0                                   | Information | 🔑 Detects Gmail OAuth tokens                    |
| Google\_Cloud\_Buckets                              | Information | ☁️ Detects Google Cloud Storage buckets          |
| Hidden Parameters                                   | Information | 🔍 Detects hidden form parameters                |
| Interesting\_Keyworks                               | Information | 🔍 Detects interesting keywords                  |
| JS\_Variables                                       | Information | 📝 Extracts JavaScript variables                 |
| Jenkins\_Response                                   | Information | 🖥️ Detects Jenkins CI                           |
| Joomla detection                                    | Information | 🖥️ Detects Joomla CMS                           |
| Joomla-CVE-2015-7297                                | High        | 🐛 Detects Joomla CVE-2015-7297                  |
| Kubernetes\_Response                                | Information | ☸️ Detects Kubernetes                            |
| LinkedIn\_Secret                                    | Information | 🔑 Detects LinkedIn API secrets                  |
| MAC\_Address                                        | Information | 🔗 Detects MAC addresses                         |
| MAGMI\_Response                                     | Information | 🖥️ Detects MAGMI (Magento Mass Importer)        |
| Netsweeper\_Response                                | Information | 🖥️ Detects Netsweeper                           |
| NoSQL\_Session\_Token                               | Information | 🔑 Detects NoSQL session tokens                  |
| NuGet\_Api\_Key                                     | Information | 🔑 Detects NuGet API keys                        |
| Octopus\_API\_Key                                   | Information | 🔑 Detects Octopus Deploy API keys               |
| Outlook\_Team                                       | Information | 📧 Detects Outlook/Teams info                    |
| Paypal\_Braintree\_access\_token                    | Information | 🔑 Detects PayPal Braintree tokens               |
| Picatic\_API\_Key                                   | Information | 🔑 Detects Picatic API keys                      |
| Private\_SSH\_Key                                   | Information | 🔑 Detects private SSH keys                      |
| Reflected\_values\_greater\_than\_three\_characters | Information | 🪞 Detects reflected values                      |
| SQL\_Message\_Detected                              | Information | 🗄️ Detects SQL error messages                   |
| ServerBannerResponse                                | Information | 🖥️ Detects server banners                       |
| Software\_Version                                   | Information | 📊 Detects software version strings              |
| Solarwinds\_Orion\_Response                         | Information | 🖥️ Detects SolarWinds Orion                     |
| SonarQube\_API\_Key\_Docs                           | Information | 🔑 Detects SonarQube API keys                    |
| StackHawk\_API\_Key                                 | Information | 🔑 Detects StackHawk API keys                    |
| Strict-Transport-Security                           | Information | 🛡️ Checks HSTS header                           |
| Subdomain\_takeover                                 | Low         | 🌐 Detects subdomain takeover indicators         |
| Swagger\_found                                      | Information | 📄 Detects Swagger/OpenAPI docs                  |
| Symfony\_Response                                   | Information | 🖥️ Detects Symfony framework                    |
| Tomcat\_Response\_Detection                         | Information | 🖥️ Detects Apache Tomcat                        |
| Traefik\_Response                                   | Information | 🖥️ Detects Traefik proxy                        |
| WAF\_Found                                          | Information | 🛡️ Detects Web Application Firewalls            |
| WP\_Config                                          | Information | ⚠️ Detects WordPress config exposure             |
| Wordpress detection                                 | Information | 🖥️ Detects WordPress CMS                        |
| Wordpress-SensitiveDirectories                      | Information | 📂 Detects sensitive WP directories              |
| X-Content-Type-Options                              | Information | 🛡️ Checks X-Content-Type-Options                |
| X-Frame-Options                                     | Information | 🛡️ Checks X-Frame-Options                       |
| vBulletin\_Response                                 | Information | 🖥️ Detects vBulletin forum                      |

***

## 📨 Passive Request Profiles (58)

These profiles analyze HTTP requests to detect interesting parameters, endpoints, and technology indicators.

| Profile                        | Severity    | Description                               |
| ------------------------------ | ----------- | ----------------------------------------- |
| Action\_parameters             | Information | ⚙️ Detects action-related parameters      |
| All\_Requests\_And\_Parameters | Information | 🌐 Matches all requests (for bulk rules)  |
| AmazonAWSRequest               | Information | ☁️ Detects AWS API requests               |
| ApiKeyRequest                  | Information | 🔑 Detects API key parameters in requests |
| Api\_path                      | Information | 🔗 Detects API path patterns              |
| Artica\_Web\_Request           | Information | 🖥️ Detects Artica Web requests           |
| AuthorizationBearerToken       | Information | 🔑 Detects Bearer tokens in requests      |
| Cisco\_Request\_Detected       | Information | 🖥️ Detects Cisco-related requests        |
| CouchDB\_Request               | Information | 🗄️ Detects CouchDB requests              |
| Debug\_Logic\_Parameters       | Information | ⚠️ Detects debug parameters               |
| ErrorPages-JobApps             | Information | ⚠️ Detects error page requests            |
| Firebase DB detected           | Information | 🔥 Detects Firebase requests              |
| Fortinet\_Request              | Information | 🛡️ Detects Fortinet requests             |
| GraphQL\_Endpoint              | Information | 🔗 Detects GraphQL endpoints              |
| IDOR\_parameters               | Information | 🔓 Detects IDOR-prone parameters          |
| Jira\_Request                  | Information | 📋 Detects Jira requests                  |
| Key\_Parameters                | Information | 🔑 Detects key/token parameters           |
| LFI\_RFI\_Parameters           | Information | 📂 Detects LFI/RFI-prone parameters       |
| MAGMI\_Request                 | Information | 🖥️ Detects MAGMI requests                |
| Netsweeper\_Request            | Information | 🖥️ Detects Netsweeper requests           |
| OAuth\_parameters              | Information | 🔑 Detects OAuth parameters               |
| OpenRedirect\_SSRF\_Parameters | Information | 🔄 Detects redirect/URL parameters        |
| RCE\_Parameters                | Information | ⚡ Detects RCE-prone parameters            |
| RegisterUser\_parameters       | Information | 👤 Detects registration parameters        |
| SQLi\_Parameters               | Information | 🗄️ Detects SQLi-prone parameters         |
| SSTI\_Parameters               | Information | 🔧 Detects SSTI-prone parameters          |
| Secret-keywords-SecLists       | Information | 🔑 Detects secret keywords                |
| Secrets\_Request               | Information | 🔑 Detects secrets in requests            |
| Solarwinds\_Orion\_Request     | Information | 🖥️ Detects SolarWinds requests           |
| Springboot\_Requests           | Information | 🍃 Detects Spring Boot requests           |
| Swagger\_Request               | Information | 📄 Detects Swagger requests               |
| Token\_Parameters              | Information | 🔑 Detects token parameters               |
| URL\_Path\_as\_a\_Value        | Information | 🔗 Detects URL paths in parameters        |
| URL\_as\_a\_Value              | Information | 🔗 Detects URLs in parameters             |
| UUID\_Request                  | Information | 🔢 Detects UUIDs in requests              |
| UserEnum\_parameters           | Information | 👤 Detects user enumeration parameters    |
| WeblogicServer-UDDI\_Explorer  | Information | 🖥️ Detects WebLogic UDDI                 |
| Weblogic\_Request              | Information | 🖥️ Detects WebLogic requests             |
| XSS\_Parameters                | Information | 💉 Detects XSS-prone parameters           |
