📋 Overview

Profiles are the building blocks of Burp Bounty Pro. Each profile defines a complete vulnerability test: what payloads to send, where to inject them, and how to determine if the test was successful.

📂 Profile Types

Burp Bounty Pro supports three types of profiles, identified by the Scanner field:

Scanner Value   Type               Description
-------------   ----------------   ------------------------------------------
🎯 1            Active             Sends payloads to test for vulnerabilities
📩 2            Passive Response   Analyzes HTTP responses for patterns
📨 3            Passive Request    Analyzes HTTP requests for patterns

📄 Profile File Format

Profiles are stored as JSON files with the .bb extension. Each file contains an array of profile objects:

[
  {
    "ProfileName": "My_Profile",
    "Name": "",
    "Enabled": true,
    "Scanner": 1,
    "Author": "@yourname",
    "Payloads": [...],
    "Grep": [...],
    "MatchType": 1,
    ...
  }
]

πŸ—οΈ Profile Structure

πŸ“Œ Core Fields

Field
Type
Description

ProfileName

String

Unique identifier for the profile

Name

String

Display name (optional)

Enabled

Boolean

Whether the profile is active

Scanner

Integer

Profile type: 1=Active, 2=Passive Response, 3=Passive Request

Author

String

Profile creator

Tags

String[]

Tags for categorization and rule targeting

💉 Payload Configuration (Active profiles)

Field              Type       Description
----------------   --------   ---------------------------------------------
Payloads           String[]   List of payloads (format: "enabled,payload")
Encoder            String[]   Encoding transformations to apply
UrlEncode          Boolean    URL-encode the payload
CharsToUrlEncode   String     Specific characters to URL-encode
payloadsFile       String     Path to external payloads file
payloadPosition    Integer    1=Replace, 2=Append, 3=Insert

πŸ” Detection Configuration

Field
Type
Description

Grep

String[]

Match patterns (format: "enabled,operator,type,scope,pattern")

MatchType

Integer

Detection method (1-9)

grepsFile

String

Path to external greps file

PayloadResponse

Boolean

Check if payload is reflected in response

NotResponse

Boolean

Invert match (vulnerability when pattern NOT found)

CaseSensitive

Boolean

Case-sensitive matching

🔽 Response Filtering

Field                  Type      Description
--------------------   -------   -------------------------------------
ExcludeHTTP            Boolean   Exclude HTTP header from match scope
OnlyHTTP               Boolean   Only match in HTTP headers
IsContentType          Boolean   Filter by Content-Type
ContentType            String    Expected Content-Type value
NegativeCT             Boolean   Invert Content-Type filter
IsResponseCode         Boolean   Filter by HTTP status code
ResponseCode           String    Expected status code
NegativeRC             Boolean   Invert status code filter
isurlextension         Boolean   Filter by URL file extension
urlextension           String    File extension pattern
NegativeUrlExtension   Boolean   Invert extension filter

📑 Request Configuration

Field                Type        Description
------------------   ---------   ----------------------------------------
requestType          Integer     1=Standard, 2=Raw request
rawRequest           String      Raw HTTP request template (for type 2)
InsertionPointType   Integer[]   Insertion point types to test
Scope                Integer     Scanning scope
RedirType            Integer     Redirect handling mode
MaxRedir             Integer     Maximum number of redirects to follow

🔄 Request Modification

Field                   Type       Description
---------------------   --------   -----------------------------------
changeHttpRequest       Boolean    Modify the HTTP request method
changeHttpRequestType   Integer    1=POST→GET, 2=GET→POST, 3=Toggle
Header                  Object[]   Match and Replace rules for headers
NewHeaders              String[]   Headers to use as insertion points
isHeaderValue           Boolean    Use header value as insertion point

⏱️ Time-Based Detection

Field      Type      Description
--------   -------   -----------------------------
isTime     Boolean   Enable time-based detection
TimeOut1   String    First timing threshold
TimeOut2   String    Second timing threshold

πŸ“ Content Length Detection

Field
Type
Description

iscontentLength

Boolean

Enable content length comparison

contentLength

String

Content length threshold

📊 Variation Detection

Field                 Type       Description
-------------------   --------   -------------------------------
VariationAttributes   String[]   Response attributes to compare

πŸ› Issue Properties

Field
Type
Description

IssueName

String

Vulnerability name

IssueSeverity

String

High, Medium, Low, Information, False positive

IssueConfidence

String

Certain, Firm, Tentative

IssueDetail

String

Detailed description (supports <payload> and <grep> placeholders)

IssueBackground

String

Background information about the vulnerability

RemediationDetail

String

How to fix the vulnerability

RemediationBackground

String

General remediation guidance

🔗 Multi-Step

Field   Type     Description
-----   ------   ----------------------------------------------
steps   Step[]   Array of scanning steps for multi-step profiles

βš™οΈ Other

Field
Type
Description

sequence

Boolean

Sequence mode

Scanas

Boolean

Scan-as mode

Scantype

Integer

Scan type

pathDiscovery

Boolean

Enable path discovery

showIssue

Boolean

Show issue dialog

HttpResponseCode

String

Additional HTTP response code filter
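The field reference above is enough to lint a .bb file before importing it. The following Python validator is an added example written for this page, not code from Burp Bounty Pro: it loads the JSON array, checks Scanner, MatchType, IssueSeverity and the presence of payloads for active profiles, splits Grep and Payloads entries into their documented fields, and expands the IssueDetail placeholders. The sample profile, its operator/type/scope values, and the rule that only the final field of a comma-joined entry may itself contain commas are assumptions made for the example.

```python
import json
# Constructed sample .bb content (illustrative; not a profile shipped with the tool).
SAMPLE_BB = """[{"ProfileName": "Example_Header_Check", "Enabled": true, "Scanner": 2,
  "Author": "@example", "Payloads": [], "MatchType": 1,
  "Grep": ["true,or,Simple String,headers,X-Powered-By"], "IssueSeverity": "Information",
  "IssueConfidence": "Firm", "IssueDetail": "Response matched grep <grep>."}]"""

SCANNERS = {1: "Active", 2: "Passive Response", 3: "Passive Request"}
SEVERITIES = {"High", "Medium", "Low", "Information", "False positive"}
GREP_FIELDS = ("enabled", "operator", "type", "scope", "pattern")
PAYLOAD_FIELDS = ("enabled", "payload")

def split_entry(entry, fields):
    # Comma-joined entry -> dict. The last field (pattern/payload) may contain
    # commas, so split only len(fields)-1 times (assumption; page gives order only).
    parts = entry.split(",", len(fields) - 1)
    if len(parts) != len(fields):
        raise ValueError("malformed entry %r, expected %s" % (entry, ",".join(fields)))
    return dict(zip(fields, parts))

def validate_profile(p):
    """Return the list of problems found in one profile object."""
    problems = []
    if not p.get("ProfileName"):
        problems.append("ProfileName is required")
    if p.get("Scanner") not in SCANNERS:
        problems.append("Scanner must be 1, 2 or 3")
    if "MatchType" in p and p["MatchType"] not in range(1, 10):
        problems.append("MatchType must be 1-9")
    if p.get("Scanner") == 1 and not (p.get("Payloads") or p.get("payloadsFile")):
        problems.append("Active profile has no Payloads or payloadsFile")
    if "IssueSeverity" in p and p["IssueSeverity"] not in SEVERITIES:
        problems.append("unknown IssueSeverity %r" % p["IssueSeverity"])
    for key, fields in (("Grep", GREP_FIELDS), ("Payloads", PAYLOAD_FIELDS)):
        for entry in p.get(key, []):
            try:
                split_entry(entry, fields)
            except ValueError as exc:
                problems.append("%s: %s" % (key, exc))
    return problems

def render_issue_detail(p, payload="", grep=""):
    # Expand the <payload> and <grep> placeholders that IssueDetail supports.
    return p.get("IssueDetail", "").replace("<payload>", payload).replace("<grep>", grep)

def validate_bb(text):
    """Validate every profile in a .bb file body -> {ProfileName: [problems]}."""
    profiles = json.loads(text)
    return {p.get("ProfileName", "?"): validate_profile(p) for p in profiles}
```

Run validate_bb on the text of a .bb file; an empty problem list per profile means the file passes these structural checks.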

πŸ› οΈ Managing Profiles

πŸ“₯ Import

  1. Go to Profiles tab

  2. Click Import

  3. Select one or more .bb files

  4. βœ… Profiles are loaded into the appropriate category (Active, Passive Request, Passive Response)

πŸ“€ Export

  1. Select profiles in the table

  2. Click Export

  3. Choose a save location

  4. βœ… Profiles are saved as .bb JSON files

πŸ“‹ Duplicate

  1. Select a profile

  2. Click Duplicate

  3. βœ… A copy is created with an auto-generated name suffix

✏️ Edit

πŸ–±οΈ Double-click any profile to open the non-modal editor dialog.
