# Examples

This page shows practical examples from the default rules shipped with Burp Bounty Pro.

## 🖥️ Technology Detection Rules

### 🔵 WordPress Rule

**🎯 Goal:** Detect WordPress sites and automatically test for common WordPress vulnerabilities.

```
IF: Passive Response profile "Wordpress detection" matches
THEN: Execute profiles:
  - Wordpress_user_enum_oembed
  - wordpress_users_enum_yoastseo
  - Wordpress_user_enum_json
  - Wordpress_directory_listing
  - Woody_Wordpress_RCE
  - CVE-2020-24312_File_Manager_Wordpress_Backups
  - Wordpress_Path_Traversal
  - Wordpress_Config_Accessible
  - easy_wp_smtp_listing_enabled
  - CVE-2020-11738_Wordpress_Duplicator_Plugin_LFI
Scope: First Match
```

The passive profile detects WordPress indicators in responses (e.g., `wp-content`, `wp-includes`), then 10 active profiles test for user enumeration, directory listing, RCE, path traversal, and config exposure.

### 🔵 Jira Rule

**🎯 Goal:** Detect Jira instances and test for known vulnerabilities.

```
IF: Passive Request profile "Jira_Request" matches
THEN: Execute profiles:
  - CVE-2020-14179_Jira_Info_Exposure
  - CVE-2020-14181_Jira_User_Enum
  - CVE-2017-9506_Jira_SSRF
  - CVE-2019-8442_Jira_Path_Traversal
  - CVE-2019-8449_Jira_Unauthenticated_Sensitive_Info
  - Jira_unauthenticated_Info
Scope: All Matches
```

### 🍃 Spring Boot Rule

**🎯 Goal:** Detect Spring Boot applications and test actuator endpoints.

```
IF: Passive Request profile "Springboot_Requests" matches
THEN: Execute profile: Spring_Boot_Actuators
Scope: All Matches
```

### 💧 Drupal Rule

**🎯 Goal:** Detect Drupal CMS and test for user enumeration.

```
IF: Passive Response profile "Drupal_Response" matches
THEN: Execute profiles:
  - Drupal_User_Enum
  - Drupal_User_Enum_Redirect
Scope: All Matches
```

## 🔗 Combined Condition Rules

### 🛡️ Fortinet Rule

**🎯 Goal:** Detect Fortinet/FortiGate panels and test for credential disclosure.

```
IF: Passive Request profile "Fortinet_Request" matches
AND: Passive Response profile "Fortinet_Panel" matches
THEN: Execute profile: CVE-2018-13379_FortiOS_Creds_Disclosure
Scope: All Matches
```

This rule requires **both** the request URL pattern AND the response content to match before the CVE profile executes, which reduces false positives compared with checking only the URL.

### 🌐 Netsweeper Rule

**🎯 Goal:** Detect Netsweeper appliance and test for code injection.

```
IF: Passive Request profile "Netsweeper_Request" matches
AND: Passive Response profile "Netsweeper_Response" matches
THEN: Execute profile: CVE-2020-13167_Netsweeper_code_injection
Scope: All Matches
```

### 🗄️ CouchDB Rule

**🎯 Goal:** Detect CouchDB endpoints and test for admin exposure.

```
IF: Passive Request profile "CouchDB_Request" matches
AND: Passive Response profile "CouchDB_Response" matches
THEN: Execute profile: CouchDB_Admin_Exposure
Scope: All Matches
```

## 💉 Vulnerability Parameter Detection Rules

### 🗄️ SQL Injection Rule

**🎯 Goal:** Detect parameters commonly vulnerable to SQL injection and test them.

```
IF: Passive Request profile "SQLi_Parameters" matches
THEN: Execute profiles:
  - SQLi
  - SQLi_Timebased_Encoded_Space
Scope: All Matches
```

The passive profile detects parameters like `id=`, `user_id=`, `query=`, `select=`, etc.

### 💉 XSS Rule

**🎯 Goal:** Detect XSS-prone parameters and test with various payloads.

```
IF: Passive Request profile "XSS_Parameters" matches
THEN: Execute profiles:
  - XSS
  - XSS_URLEncode
  - XSS_HtmlUrlEncode
  - XSS_GETPOST
  - XSS_HTML_Tag_Context
  - XSS_HTML_Attribute_Context
  - XSS_JavaScript_Context
Scope: All Matches
```

### ⚡ RCE Rule

**🎯 Goal:** Detect RCE-prone parameters and test for command injection.

```
IF: Passive Request profile "RCE_Parameters" matches
THEN: Execute profiles:
  - RCE_Linux
  - Blind_RCE_Linux
  - Blind_RCE_Windows
  - Echo_RCE
  - Expect_RCE
  - PHP_RCE
  - RCE_Windows
Scope: All Matches
```

### 📂 LFI Rule

**🎯 Goal:** Detect file path parameters and test for Local File Inclusion.

```
IF: Passive Request profile "LFI_RFI_Parameters" matches
OR: Passive Request profile "URL_Path_as_a_Value" matches
THEN: Execute profiles:
  - PathTraversal_Linux
  - PathTraversal_Windows
Scope: All Matches
```

### 🔄 Open Redirect / SSRF Rule

**🎯 Goal:** Detect URL-containing parameters and test for open redirect and SSRF.

```
IF: Passive Request profile "OpenRedirect_SSRF_Parameters" matches
OR: Passive Request profile "URL_as_a_Value" matches
OR: Passive Request profile "URL_Path_as_a_Value" matches
THEN: Execute profiles:
  - OpenRedirect
  - OpenRedirect_SSRF_Collaborator
  - Openredirect_to_XSS
  - OpenRedirect_to_Account_Takeover
  - SSRF-Collaborator
  - SSRF-URLScheme
  - SSRF_Collaborator_HTTP1_0
  - SSRF_Collaborator_HTTP0_9
  - OpenRedirect-ParameterPollution
  - OpenRedirect-ParameterPollution_Path
Scope: All Matches
```

### 🔧 SSTI Rule

**🎯 Goal:** Detect template injection parameters and test for SSTI.

```
IF: Passive Request profile "SSTI_Parameters" matches
THEN: Execute profile: SSTI
Scope: All Matches
```

## ⚠️ Bulk Scanning Rules (Disabled by Default)

These rules are powerful but resource-intensive — they're disabled by default.

### 🔄 Scan All Requests with All Profiles

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute tag "All"
Scope: All Matches
Enabled: false ❌
```

> ⚠️ **Warning:** This rule runs ALL active profiles against ALL requests and can consume excessive RAM and CPU. Use it only on small targets, with caution.

### 🔄 Scan All Requests with Open Redirect Profiles

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute tag "Open Redirect"
Scope: All Matches
Enabled: false ❌
```

### 🌐 Scan All Requests with SSRF Profiles

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute tag "SSRF"
Scope: All Matches
Enabled: false ❌
```

### 🐛 Scan All Requests with Log4Shell

```
IF: Passive Request profile "All_Requests_And_Parameters" matches
THEN: Execute profiles:
  - CVE-2021-44228_RCE_Log4j
  - CVE-2021-44228_RCE_Log4j_GETPOST
  - CVE-2021-44228_RCE_Log4j_urlEncode
Scope: All Matches
Enabled: false ❌
```
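To make the rule semantics used throughout this page concrete, here is a small rule evaluator added as an example; it is not Burp Bounty Pro's own code. It models the pieces the rules above combine: passive profiles as regexes over the request URL or the response body, `AND` conditions as in the Fortinet rule, `OR` conditions as in the LFI rule, the `Enabled: false` flag of the bulk rules, and the `Scope` field. The regexes, hostnames and traffic sample are constructed placeholders, not the product's shipped profiles, and the meaning of `First Match` (fire a rule only on the first message that satisfies it, versus `All Matches` on every such message) is an assumption, since the page does not define it.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """One proxied HTTP exchange, reduced to the two fields passive profiles inspect."""
    url: str
    response: str


@dataclass
class PassiveProfile:
    """A passive profile: a regex evaluated against either the request URL or the response body."""
    name: str
    target: str      # "request" or "response"
    pattern: str

    def matches(self, msg: Message) -> bool:
        text = msg.url if self.target == "request" else msg.response
        return re.search(self.pattern, text, re.IGNORECASE) is not None


@dataclass
class Rule:
    """IF <conditions joined by operator> THEN execute <active profiles>, with a scope and enabled flag."""
    name: str
    conditions: list         # PassiveProfile objects
    operator: str            # "AND" or "OR"
    execute: list            # names of active profiles to queue when the rule fires
    scope: str = "All Matches"
    enabled: bool = True


def condition_holds(rule: Rule, msg: Message) -> bool:
    """AND requires every passive profile to match; OR requires at least one."""
    results = [c.matches(msg) for c in rule.conditions]
    return all(results) if rule.operator == "AND" else any(results)


def evaluate(rules, messages):
    """Walk messages in order and return (rule name, url, active profiles) for each trigger.

    Assumption (the page does not define it): 'First Match' fires a rule only on the
    first message that satisfies it; 'All Matches' fires on every such message.
    """
    already_fired = set()
    queued = []
    for msg in messages:
        for rule in rules:
            if not rule.enabled:
                continue
            if rule.scope == "First Match" and rule.name in already_fired:
                continue
            if condition_holds(rule, msg):
                already_fired.add(rule.name)
                queued.append((rule.name, msg.url, list(rule.execute)))
    return queued


# Constructed passive profiles; the regexes are placeholders, not the product's own.
FORTINET_REQUEST = PassiveProfile("Fortinet_Request", "request", r"/remote/")
FORTINET_PANEL = PassiveProfile("Fortinet_Panel", "response", r"FortiGate")
LFI_PARAMS = PassiveProfile("LFI_RFI_Parameters", "request", r"[?&](file|path|page|template)=")
URL_PATH_VALUE = PassiveProfile("URL_Path_as_a_Value", "request", r"=/[A-Za-z0-9_./-]+")
WP_RESPONSE = PassiveProfile("Wordpress detection", "response", r"wp-content|wp-includes")

RULES = [
    Rule("Fortinet", [FORTINET_REQUEST, FORTINET_PANEL], "AND",
         ["CVE-2018-13379_FortiOS_Creds_Disclosure"]),
    Rule("LFI", [LFI_PARAMS, URL_PATH_VALUE], "OR",
         ["PathTraversal_Linux", "PathTraversal_Windows"]),
    Rule("WordPress", [WP_RESPONSE], "OR",
         ["Wordpress_user_enum_json", "Wordpress_directory_listing"], scope="First Match"),
    Rule("Bulk", [PassiveProfile("All_Requests_And_Parameters", "request", r".")], "OR",
         ["All"], enabled=False),   # disabled, as the bulk rules ship
]

# Constructed traffic sample (hostnames and bodies are made up).
MESSAGES = [
    Message("https://app.example/remote/help", "<html>Generic support page</html>"),  # URL matches, panel does not
    Message("https://vpn.example/remote/portal", "<title>FortiGate</title>"),         # both match: rule fires
    Message("https://app.example/view?file=report.pdf", "<html>ok</html>"),           # LFI via parameter name
    Message("https://app.example/show?doc=/var/www/readme.txt", "<html>ok</html>"),    # LFI via path-shaped value
    Message("https://blog.example/", "<link href='/wp-content/themes/x.css'>"),       # WordPress: fires
    Message("https://blog.example/about", "<script src='/wp-includes/js/a.js'>"),     # WordPress again: First Match suppresses
]


def triggered_rule_names(rules=RULES, messages=MESSAGES):
    """Rule names in firing order, handy for checking the evaluator's behaviour."""
    return [name for name, _, _ in evaluate(rules, messages)]


if __name__ == "__main__":
    for name, url, profiles in evaluate(RULES, MESSAGES):
        print(f"{name:10} {url:50} -> {', '.join(profiles)}")
```

Running it shows the first `/remote/` request does not trigger the Fortinet rule because the response lacks the panel marker, the LFI rule fires on either of its two conditions, the WordPress rule fires only once under `First Match`, and the disabled bulk rule never queues anything.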

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bountysecurity.ai/rules/examples.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
