👁️ Passive Scan

Passive scanning analyzes HTTP traffic passing through Burp Suite without sending any additional requests. It can run automatically in the background (Live Passive Scan) or be launched manually against selected requests with fine-grained tag-based filtering.

📝 Types of Passive Profiles

Burp Bounty Pro has two types of passive profiles:

📩 Passive Response Profiles

Scanner type: 2

Analyze HTTP responses received from the server. Use these to detect:

  • 🔑 Sensitive information disclosure (API keys, tokens, credentials)

  • 🛡️ Security header misconfigurations (CSP, HSTS, X-Frame-Options)

  • 🖥️ Technology fingerprinting (server banners, framework detection)

  • ⚠️ Error messages and debug information

  • 🌐 Domain takeover indicators

  • 🔍 Hardcoded secrets and configuration data

How it works:

  1. Burp Suite receives an HTTP response

  2. All enabled Passive Response profiles are checked against the response

  3. Each profile's grep patterns are matched against the response body and/or headers

  4. If conditions match, an information issue is reported

📨 Passive Request Profiles

Scanner type: 3

Analyze HTTP requests sent by the browser or client. Use these to detect:

  • 💉 Interesting parameters (SQLi, XSS, SSRF, RCE candidates)

  • 🔗 API endpoints and technology indicators

  • 🔑 Authentication tokens and session identifiers

  • 🖥️ URL patterns suggesting specific technologies (Jira, WordPress, etc.)

  • 🐛 Debug and testing parameters

How it works:

  1. Burp Suite intercepts an HTTP request

  2. All enabled Passive Request profiles are checked against the request

  3. Each profile's grep patterns are matched against the request URL, headers, and/or body

  4. If conditions match, an information issue is reported

🚀 Launching a Passive Scan

🖱️ Manual Passive Scan (Context Menu)

You can manually launch passive scans against selected requests from anywhere in Burp Suite:

  1. Select one or more requests in Proxy History, Target Site Map, Repeater, or any other Burp tool

  2. Right-click and select Passive Scan

  3. Choose the scope of the scan from the submenu:

🏷️ Tag-Based Passive Scan Submenu

Each menu item shows the count of matching profiles in parentheses. Tags are sorted alphabetically, with "All" always at the top.

Benefits of tag-based launching:

  • 🎯 Focused scanning: run only the passive profiles relevant to your current task

  • ⚡ Faster results: skip irrelevant profiles to reduce processing time

  • 📂 Organized workflow: group profiles by vulnerability class, technology, or engagement

💡 Example: You've just discovered a new WordPress site. Right-click the request, select Passive Scan > Passive Response > Technology to quickly check what technologies are detected, without running all 125 passive profiles.

🔄 Live Passive Scan (Automatic)

Live Passive Scan runs automatically in the background as traffic passes through Burp Suite:

  1. Go to the Burp Bounty Pro tab > Dashboard

  2. Toggle the Live Passive Scan button to "on"

  3. All HTTP traffic passing through Burp Suite is automatically analyzed by enabled passive profiles

  4. When enabled, the Scope Only checkbox restricts scanning to in-scope targets

🔗 URL Filtering

When launching passive scans manually, the URL filter popup appears (same as Active Scan), giving you control over:

  • ✅ Which URLs to include/exclude

  • 🌐 Domain filtering

  • 📄 File extension filtering

  • 🔄 Match and Replace rules for request modification

🔄 Passive Scan Flow

📝 Managing Passive Profiles

📊 Profile Tables

Passive profiles are displayed in two tables within the Profiles tab:

Column | Description
--- | ---
✅ Enabled | Checkbox to enable/disable the profile
📝 Profile Name | Name of the passive profile
🏷️ Tags | Tags assigned to the profile (e.g., "All, Security_Headers, Secrets")
🐦 Author's Twitter | Profile author's Twitter handle

🖱️ Context Menu (Right-Click)

Right-click on one or more selected profiles to access:

Action | Description
--- | ---
✅ Enable | Enable the selected profile(s)
❌ Disable | Disable the selected profile(s)
🏷️ Set New Tag | Assign a new tag to the selected profile(s). Opens a dialog where you enter the tag name. The tag is added to the profile's .bb file and appears in the Tags column.

💡 Tip: Select multiple profiles with Ctrl+Click or Shift+Click, then right-click Set New Tag to tag them all at once. This is a fast way to organize your passive profiles into categories.

🧠 Integration with Smart Scan

Passive scan findings are the foundation of Smart Scan rules. When a passive profile matches, it can automatically trigger active scanning:

For example:

  • 📨 Passive Request profile detects WordPress URLs → Rule triggers WordPress vulnerability profiles

  • 📩 Passive Response profile detects Jira headers → Rule triggers Jira CVE profiles

  • 📨 Passive Request profile detects SQLi-like parameters → Rule triggers SQLi active profiles

See Smart Scan for details.

🚫 Excluded File Extensions

To reduce noise, passive scanning automatically excludes responses with these file extensions:

jpg, gif, png, css, svg, woff, woff2, ttf, eot, ico, pdf, swf, mp3, mp4, avi, mov

📖 Creating Passive Profiles

Passive profiles use the same grep/match system as active profiles but without payloads or insertion points. See:

📚 Examples

🛡️ Detecting Missing Security Headers

A Passive Response profile that checks for a missing Strict-Transport-Security header:

The NotResponse: true flag inverts the match: the issue is reported when the pattern is NOT found.

💉 Detecting Interesting Parameters

A Passive Request profile that detects URL parameters commonly associated with SQL injection:
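The two example profiles above (the missing-HSTS check that relies on NotResponse, and the SQLi-parameter check), the "How it works" steps for both profile types, the per-tag counts shown in the context-menu submenu, and the excluded-extension list can all be exercised with the following Python model. It is an added illustration written for this page; it is not Burp Bounty Pro's own code and not its .bb profile format. The PassiveProfile and HttpMessage classes, the function names, the grep patterns and the sample traffic are all constructed assumptions.

```python
"""Toy model of the passive matching described on this page: an added
illustration, not Burp Bounty Pro's code or its .bb profile format.
Profile fields, function names and the sample messages are all constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PASSIVE_RESPONSE = 2  # "Scanner type: 2" on this page
PASSIVE_REQUEST = 3   # "Scanner type: 3" on this page

# Extensions the page lists as skipped by passive scanning to reduce noise.
EXCLUDED_EXTENSIONS = {"jpg", "gif", "png", "css", "svg", "woff", "woff2", "ttf",
                       "eot", "ico", "pdf", "swf", "mp3", "mp4", "avi", "mov"}

@dataclass
class PassiveProfile:
    name: str
    scanner: int                # PASSIVE_RESPONSE or PASSIVE_REQUEST
    greps: list                 # regexes; any one matching counts as a match
    tags: list = field(default_factory=list)
    where: str = "all"          # "url" (requests only), "headers", "body" or "all"
    not_response: bool = False  # invert: report when NO grep matches
    enabled: bool = True
    severity: str = "Information"

@dataclass
class HttpMessage:              # constructed, simplified request/response view
    url: str
    headers: dict
    body: str = ""
    method: str = "GET"

def is_excluded(url: str) -> bool:
    """True when the URL path ends in one of the noise-reduction extensions."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    return ext in EXCLUDED_EXTENSIONS

def _haystack(profile, msg, is_request):
    """Assemble the text the profile's greps are matched against."""
    parts = []
    if is_request and profile.where in ("url", "all"):
        parts.append(f"{msg.method} {msg.url}")
    if profile.where in ("headers", "all"):
        parts.append("\n".join(f"{k}: {v}" for k, v in msg.headers.items()))
    if profile.where in ("body", "all"):
        parts.append(msg.body)
    return "\n".join(parts)

def check(profile, msg, is_request):
    """Return an issue dict when the profile fires on this message, else None."""
    wanted = PASSIVE_REQUEST if is_request else PASSIVE_RESPONSE
    if not profile.enabled or profile.scanner != wanted:
        return None
    if not is_request and is_excluded(msg.url):
        return None  # the page applies the extension exclusions to responses
    text = _haystack(profile, msg, is_request)
    matched = any(re.search(g, text, re.IGNORECASE | re.MULTILINE) for g in profile.greps)
    # NotResponse inverts the verdict: report when the pattern is absent.
    if matched != profile.not_response:
        return {"issue": profile.name, "url": msg.url, "severity": profile.severity}
    return None

def profiles_for_tag(profiles, tag="All"):
    """Enabled profiles behind one submenu entry; "All" selects every profile."""
    return [p for p in profiles if p.enabled and (tag == "All" or tag in p.tags)]

def submenu_counts(profiles):
    """Tag -> profile count as the context menu shows it: "All" first, then A-Z."""
    counts = {"All": len(profiles_for_tag(profiles))}
    for tag in sorted({t for p in profiles for t in p.tags if t != "All"}):
        counts[tag] = len(profiles_for_tag(profiles, tag))
    return counts

def run_passive(profiles, msg, is_request, tag="All"):
    """Run the profiles behind one submenu entry against a single message."""
    hits = (check(p, msg, is_request) for p in profiles_for_tag(profiles, tag))
    return [h for h in hits if h]

# Constructed profiles modelled on the two examples on this page.
PROFILES = [
    PassiveProfile("Missing Strict-Transport-Security header", PASSIVE_RESPONSE,
                   [r"^Strict-Transport-Security:"], tags=["Security_Headers"],
                   where="headers", not_response=True),
    PassiveProfile("Interesting parameter (SQLi candidate)", PASSIVE_REQUEST,
                   [r"[?&](id|user|order|sort|query|search)="], tags=["Parameters"],
                   where="url"),
]

# Constructed sample traffic.
NO_HSTS = HttpMessage("https://example.test/login", {"Content-Type": "text/html"}, "<html></html>")
WITH_HSTS = HttpMessage("https://example.test/login", {"Content-Type": "text/html",
                        "Strict-Transport-Security": "max-age=31536000"})
LOGO = HttpMessage("https://example.test/static/logo.png", {"Content-Type": "image/png"})
SQLI_REQ = HttpMessage("https://example.test/products?id=42&sort=price", {"Host": "example.test"})

if __name__ == "__main__":
    print(submenu_counts(PROFILES))
    for label, msg, is_req in [("no HSTS", NO_HSTS, False), ("with HSTS", WITH_HSTS, False),
                               ("logo.png", LOGO, False), ("request", SQLI_REQ, True)]:
        print(label, run_passive(PROFILES, msg, is_req))
```

Two behaviours worth noting when you run it: the logo.png response produces no issue even though it also lacks the HSTS header, because the extension exclusion is applied before any grep runs; and choosing a tag such as Security_Headers both narrows the profile set and is the number the submenu shows in parentheses, so a request scanned under a response-only tag yields nothing.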

🔄 Workflow: Tag-Based Passive Scan

  1. 🏷️ Organize passive profiles with descriptive tags:

    • Security header profiles → Security_Headers

    • Secret detection profiles → Secrets

    • Parameter detection profiles → Parameters

    • Cookie analysis profiles → Cookie_Security

  2. 🎯 Launch focused scans from the context menu:

    • Quick security header audit → Passive Response > Security_Headers

    • Check for leaked secrets → Passive Response > Secrets

    • Identify interesting parameters → Passive Request > Parameters

  3. 🧠 Combine with Smart Scan for automation:

    • Parameter detection → automatically trigger SQLi/XSS active profiles

    • Technology detection → automatically trigger CVE profiles
