# Examples

This page shows practical examples from the default rules shipped with Burp Bounty Pro.

## 🖥️ Technology Detection Rules

### 🔵 WordPress Rule

**🎯 Goal:** Detect WordPress sites and automatically test for common WordPress vulnerabilities.

```
IF: Passive Response profile "Wordpress detection" matches
THEN: Execute profiles:
  - Wordpress_user_enum_oembed
  - wordpress_users_enum_yoastseo
  - Wordpress_user_enum_json
  - Wordpress_directory_listing
  - Woody_Wordpress_RCE
  - CVE-2020-24312_File_Manager_Wordpress_Backups
  - Wordpress_Path_Traversal
  - Wordpress_Config_Accessible
  - easy_wp_smtp_listing_enabled
  - CVE-2020-11738_Wordpress_Duplicator_Plugin_LFI
Scope: First Match
```

The passive profile matches WordPress indicators in responses (e.g., `wp-content`, `wp-includes`); when it fires, the 10 active profiles listed above test for user enumeration, directory listing, RCE, path traversal, and configuration file exposure.

### 🔵 Jira Rule

**🎯 Goal:** Detect Jira instances and test for known vulnerabilities.

```
IF: Passive Request profile "Jira_Request" matches
THEN: Execute profiles:
  - CVE-2020-14179_Jira_Info_Exposure
  - CVE-2020-14181_Jira_User_Enum
  - CVE-2017-9506_Jira_SSRF
  - CVE-2019-8442_Jira_Path_Traversal
  - CVE-2019-8449_Jira_Unauthenticated_Sensitive_Info
  - Jira_unauthenticated_Info
Scope: All Matches
```

### 🍃 Spring Boot Rule

**🎯 Goal:** Detect Spring Boot applications and test actuator endpoints.

```
IF: Passive Request profile "Springboot_Requests" matches
THEN: Execute profile: Spring_Boot_Actuators
Scope: All Matches
```

### 💧 Drupal Rule

**🎯 Goal:** Detect Drupal CMS and test for user enumeration.

```
IF: Passive Response profile "Drupal_Response" matches
THEN: Execute profiles:
  - Drupal_User_Enum
  - Drupal_User_Enum_Redirect
Scope: All Matches
```

## 🔗 Combined Condition Rules

### 🛡️ Fortinet Rule

**🎯 Goal:** Detect Fortinet/FortiGate panels and test for credential disclosure.

```
IF: Passive Request profile "Fortinet_Request" matches
AND: Passive Response profile "Fortinet_Panel" matches
THEN: Execute profile: CVE-2018-13379_FortiOS_Creds_Disclosure
Scope: All Matches
```

This requires **both** the request URL pattern AND the response content to match before the CVE profile is executed. That reduces false positives compared to keying on the URL alone: a login path can be served by many unrelated products, while the combination of that path and a panel fingerprint in the response is specific to the target technology.

### 🌐 Netsweeper Rule

**🎯 Goal:** Detect Netsweeper appliance and test for code injection.

```
IF: Passive Request profile "Netsweeper_Request" matches
AND: Passive Response profile "Netsweeper_Response" matches
THEN: Execute profile: CVE-2020-13167_Netsweeper_code_injection
Scope: All Matches
```

### 🗄️ CouchDB Rule

**🎯 Goal:** Detect CouchDB endpoints and test for admin exposure.

```
IF: Passive Request profile "CouchDB_Request" matches
AND: Passive Response profile "CouchDB_Response" matches
THEN: Execute profile: CouchDB_Admin_Exposure
Scope: All Matches
```

## 💉 Vulnerability Parameter Detection Rules

### 🗄️ SQL Injection Rule

**🎯 Goal:** Detect parameters commonly vulnerable to SQL injection and test them.

```
IF: Passive Request profile "SQLi_Parameters" matches
THEN: Execute profiles:
  - SQLi
  - SQLi_Timebased_Encoded_Space
Scope: All Matches
```

The passive profile matches parameter names that commonly end up in a database query, such as `id=`, `user_id=`, `query=`, and `select=`.
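To make the matching semantics concrete, the following Python model evaluates rules of the kind shown on this page: a response fingerprint (WordPress), a combined request-AND-response condition (Fortinet), a parameter-name request profile (SQLi), and a disabled rule. It is an added example written for this page, not Burp Bounty Pro's code or its rule format; the regexes, the sample exchanges and the AND/OR handling are assumptions chosen to illustrate the idea, and `Execute tag` expansion is not modelled. The URL-only Fortinet variant is included only to show the false positive that the combined condition avoids.

```python
import re
from dataclasses import dataclass


@dataclass
class Exchange:
    """One request/response pair. The samples below are constructed, not captured traffic."""
    method: str
    url: str
    response: str


# Passive profiles modelled as regexes over the request line or the response body.
# The patterns are assumptions for this example, not the contents of the
# Burp Bounty Pro profiles that carry the same names.
REQUEST_PROFILES = {
    "Fortinet_Request": re.compile(r"^GET /remote/(login|fgt_lang)\b", re.I),
    "SQLi_Parameters": re.compile(r"[?&](id|user_id|query|select)=", re.I),
}
RESPONSE_PROFILES = {
    "Wordpress detection": re.compile(r"/wp-(content|includes)/", re.I),
    "Fortinet_Panel": re.compile(r"FortiGate|Fortinet", re.I),
}


@dataclass
class Rule:
    name: str
    conditions: list        # [("request" | "response", profile_name), ...]
    operator: str           # "AND" (all conditions) or "OR" (any condition)
    profiles: list          # active profiles to queue when the rule fires
    enabled: bool = True


def condition_matches(kind, profile, ex):
    """Apply one passive profile to the request line or the response."""
    if kind == "request":
        return bool(REQUEST_PROFILES[profile].search(f"{ex.method} {ex.url}"))
    return bool(RESPONSE_PROFILES[profile].search(ex.response))


def rule_fires(rule, ex):
    """A disabled rule never fires; otherwise combine its conditions with AND or OR."""
    if not rule.enabled:
        return False
    hits = [condition_matches(kind, prof, ex) for kind, prof in rule.conditions]
    return all(hits) if rule.operator == "AND" else any(hits)


def evaluate(rules, ex):
    """Active profile names that would be queued for this exchange, in rule order, deduplicated."""
    queued = []
    for rule in rules:
        if rule_fires(rule, ex):
            queued.extend(p for p in rule.profiles if p not in queued)
    return queued


CVE_FORTI = "CVE-2018-13379_FortiOS_Creds_Disclosure"

FORTINET_COMBINED = Rule("Fortinet", [("request", "Fortinet_Request"),
                                      ("response", "Fortinet_Panel")], "AND", [CVE_FORTI])
# Same trigger keyed on the URL alone: kept only to demonstrate the false positive.
FORTINET_URL_ONLY = Rule("Fortinet (URL only)", [("request", "Fortinet_Request")], "OR", [CVE_FORTI])

RULES = [
    Rule("WordPress", [("response", "Wordpress detection")], "OR",
         ["Wordpress_user_enum_json", "Wordpress_directory_listing", "Wordpress_Config_Accessible"]),
    FORTINET_COMBINED,
    Rule("SQL Injection", [("request", "SQLi_Parameters")], "OR",
         ["SQLi", "SQLi_Timebased_Encoded_Space"]),
]

# Constructed sample exchanges (hypothetical hosts and bodies).
WP_PAGE = Exchange("GET", "/blog/?id=12",
                   '<link rel="stylesheet" href="/wp-content/themes/demo/style.css">')
DECOY = Exchange("GET", "/remote/login",
                 "<html><title>Acme intranet portal</title></html>")
FORTI = Exchange("GET", "/remote/login",
                 "<html><title>FortiGate SSL-VPN Portal</title></html>")


if __name__ == "__main__":
    for label, ex in [("WordPress page", WP_PAGE), ("decoy", DECOY), ("FortiGate", FORTI)]:
        print(f"{label:15} -> {evaluate(RULES, ex)}")
    print("URL-only rule on decoy ->", evaluate([FORTINET_URL_ONLY], DECOY))
```

Running it shows the WordPress page queuing both the WordPress and the SQLi profiles (the `id=` parameter matched independently), the decoy login page queuing nothing under the combined rule but queuing the CVE profile under the URL-only variant, and the FortiGate page queuing the CVE profile only.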

### 💉 XSS Rule

**🎯 Goal:** Detect XSS-prone parameters and test with various payloads.

```
IF: Passive Request profile "XSS_Parameters" matches
THEN: Execute profiles:
  - XSS
  - XSS_URLEncode
  - XSS_HtmlUrlEncode
  - XSS_GETPOST
  - XSS_HTML_Tag_Context
  - XSS_HTML_Attribute_Context
  - XSS_JavaScript_Context
Scope: All Matches
```

### ⚡ RCE Rule

**🎯 Goal:** Detect RCE-prone parameters and test for command injection.

```
IF: Passive Request profile "RCE_Parameters" matches
THEN: Execute profiles:
  - RCE_Linux
  - Blind_RCE_Linux
  - Blind_RCE_Windows
  - Echo_RCE
  - Expect_RCE
  - PHP_RCE
  - RCE_Windows
Scope: All Matches
```

### 📂 LFI Rule

**🎯 Goal:** Detect file path parameters and test for Local File Inclusion.

```
IF: Passive Request profile "LFI_RFI_Parameters" matches
OR: Passive Request profile "URL_Path_as_a_Value" matches
THEN: Execute profiles:
  - PathTraversal_Linux
  - PathTraversal_Windows
Scope: All Matches
```

### 🔄 Open Redirect / SSRF Rule

**🎯 Goal:** Detect URL-containing parameters and test for open redirect and SSRF.

```
IF: Passive Request profile "OpenRedirect_SSRF_Parameters" matches
OR: Passive Request profile "URL_as_a_Value" matches
OR: Passive Request profile "URL_Path_as_a_Value" matches
THEN: Execute profiles:
  - OpenRedirect
  - OpenRedirect_SSRF_Collaborator
  - Openredirect_to_XSS
  - OpenRedirect_to_Account_Takeover
  - SSRF-Collaborator
  - SSRF-URLScheme
  - SSRF_Collaborator_HTTP1_0
  - SSRF_Collaborator_HTTP0_9
  - OpenRedirect-ParameterPollution
  - OpenRedirect-ParameterPollution_Path
Scope: All Matches
```

### 🔧 SSTI Rule

**🎯 Goal:** Detect template injection parameters and test for SSTI.

```
IF: Passive Request profile "SSTI_Parameters" matches
THEN: Execute profile: SSTI
Scope: All Matches
```

## ⚠️ Bulk Scanning Rules (Disabled by Default)

These rules are powerful but resource-intensive, so they are disabled by default.

### 🔄 Scan All Requests with All Profiles

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute tag "All"
Scope: All Matches
Enabled: false ❌
```

> ⚠️ **Warning:** This runs ALL active profiles against ALL requests and can consume excessive RAM and CPU. Use it only on small targets, and with caution.

### 🔄 Scan All Requests with Open Redirect Profiles

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute tag "Open Redirect"
Scope: All Matches
Enabled: false ❌
```

### 🌐 Scan All Requests with SSRF Profiles

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute tag "SSRF"
Scope: All Matches
Enabled: false ❌
```

### 🐛 Scan All Requests with Log4Shell

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute profiles:
  - CVE-2021-44228_RCE_Log4j
  - CVE-2021-44228_RCE_Log4j_GETPOST
  - CVE-2021-44228_RCE_Log4j_urlEncode
Scope: All Matches
Enabled: false ❌
```
