πŸ‘οΈCreating Passive Profiles

Passive profiles analyze HTTP traffic without sending additional requests. They are ideal for detecting sensitive information, security misconfigurations, and technology fingerprints.

📩 Passive Response Profile

🤔 When to Use

Use Passive Response profiles to analyze server responses for:

  • 🛡️ Missing or misconfigured security headers

  • 🔑 Sensitive data exposure (API keys, tokens, passwords)

  • 🖥️ Technology indicators and version numbers

  • ⚠️ Error messages and debug information

  • 🌐 Domain takeover indicators

πŸ“ Step-by-Step Creation

1️⃣ Open the Profile Editor

  1. Go to Burp Bounty Pro > Profiles > Passive Response Profiles tab

  2. Click Add

2️⃣ Basic Information

3️⃣ Define Grep Patterns

For Passive Response profiles, grep patterns are matched against the HTTP response (headers and/or body).

πŸ›‘οΈ Example: Detect missing Content-Security-Policy header

With NotResponse: true, this reports an issue when the header is NOT found.

πŸ”‘ Example: Detect exposed API keys

☁️ Example: Detect AWS credentials in responses

4️⃣ Configure Match Options

| Option | Description |
| --- | --- |
| 🔄 NotResponse | Set to true to report when the pattern is NOT found (e.g., missing headers) |
| 🔤 CaseSensitive | Set to true for case-sensitive matching |
| 🚫 ExcludeHTTP | Exclude HTTP headers from the match scope |
| 📋 OnlyHTTP | Only match in HTTP headers |
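
As an added illustration (not Burp Bounty Pro's own code), the following Python model applies the four match options above to a constructed HTTP response, so you can check what a profile such as the missing-CSP, server-banner or AWS-key one would report before loading it into the scanner. The profile names, regexes and the `profile_matches` helper are assumptions made for this example.

```python
import re

# Constructed sample response for this example: no Content-Security-Policy header,
# a version-bearing Server banner, and the AWS documentation placeholder access key
# (AKIAIOSFODNN7EXAMPLE) embedded in the body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>aws_access_key_id=AKIAIOSFODNN7EXAMPLE</body></html>"
)


def split_response(raw):
    """Split a raw HTTP response into its header block and body."""
    headers, _, body = raw.partition("\r\n\r\n")
    return headers, body


def profile_matches(raw_response, grep, not_response=False, case_sensitive=False,
                    exclude_http=False, only_http=False):
    """Model of the passive-response match options: True means an issue is reported."""
    headers, body = split_response(raw_response)
    if only_http:            # OnlyHTTP: search the headers only
        scope = headers
    elif exclude_http:       # ExcludeHTTP: search the body only
        scope = body
    else:                    # default: headers and body
        scope = raw_response
    flags = re.MULTILINE | (0 if case_sensitive else re.IGNORECASE)
    found = re.search(grep, scope, flags) is not None
    # NotResponse inverts the verdict: report when the pattern is absent.
    return found != not_response


# Assumed profile definitions mirroring the examples on this page.
PROFILES = {
    "Missing CSP": dict(grep=r"^Content-Security-Policy:", not_response=True, only_http=True),
    "Server banner": dict(grep=r"^Server:\s*\S+/\d", only_http=True),
    "AWS key in body": dict(grep=r"AKIA[0-9A-Z]{16}", exclude_http=True),
}


def run_profiles(raw_response):
    """Evaluate every profile against one response; returns {profile name: reported?}."""
    return {name: profile_matches(raw_response, **opts) for name, opts in PROFILES.items()}


if __name__ == "__main__":
    for name, reported in run_profiles(SAMPLE_RESPONSE).items():
        print(f"{name}: {'ISSUE' if reported else 'ok'}")
```

Adding a `Content-Security-Policy` header to the sample response makes the NotResponse profile go quiet, which is the behaviour to confirm whenever you flip that option.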

5️⃣ Set Issue Properties

📚 Complete Example: Server Banner Detection


📨 Passive Request Profile

🤔 When to Use

Use Passive Request profiles to analyze outgoing requests for:

  • 💉 Interesting parameter names (candidates for SQLi, XSS, SSRF, RCE)

  • 🔗 API endpoint patterns

  • 🖥️ Technology-specific URL patterns (Jira, WordPress, Spring Boot, etc.)

  • 🔑 Authentication tokens and session IDs

  • 📁 URLs containing file paths or redirect parameters

πŸ“ Step-by-Step Creation

1️⃣ Open the Profile Editor

  1. Go to Burp Bounty Pro > Profiles > Passive Request Profiles tab

  2. Click Add

2️⃣ Basic Information

3️⃣ Define Grep Patterns

For Passive Request profiles, grep patterns are matched against the HTTP request (URL, headers, and/or body).

🌐 Example: Detect SSRF-prone parameters

🖥️ Example: Detect WordPress requests

📋 Example: Detect Jira requests

4️⃣ Set Issue Properties

📚 Complete Example: SQLi Parameter Detection


📊 Key Differences: Response vs Request Profiles

| Aspect | Passive Response (Scanner=2) | Passive Request (Scanner=3) |
| --- | --- | --- |
| 🔍 Analyzes | Server responses | Client requests |
| ⏱️ Timing | After server responds | Before/when request is sent |
| 🎯 Common use | Data exposure, misconfigurations | Parameter discovery, tech detection |
| 💉 Payloads | Not used | Not used |
| 📍 Insertion Points | Not used | Not used |
| 🧠 Smart Scan | Can trigger active profiles via Rules | Can trigger active profiles via Rules |

💡 Tips

  • 🔄 Use NotResponse for missing headers: set NotResponse: true to detect when expected patterns are absent

  • 🧠 Combine with Rules: passive profiles are most powerful when combined with Smart Scan rules to trigger targeted active scans

  • 🌐 Keep patterns broad for discovery: passive profiles for parameter discovery should cast a wide net

  • 🎯 Keep patterns specific for detection: passive profiles for vulnerability/data detection should be precise to avoid noise

  • 🏷️ Use Tags: tag your profiles to make them easy to reference in Rules
