Burp Bounty Pro – Passive Request Profiles

Same scanner, different vulnerabilities

Description

In this video you will see how the Burp Bounty Pro extension helps you identify possible vulnerable parameters.

  • On the one hand you can look for a simple string or regex in the NAME of the parameter.

  • On the other hand, you can also look for a simple string or regex in the parameter VALUE.

You can search for these parameter properties in the following fields:

  • All Parameters
  • POST Parameter
  • GET Parameter
  • Cookie
  • JSON Parameter
  • XML Parameter
  • POST Multipart
  • XML Multipart
     

Next, we are going to see how, while you browse the web, you can search for parameter names or values that are potentially vulnerable to all kinds of issues, for example SQL injection, RCE, SSRF, etc.
 

Passive Request Profile

Profiles for detecting common parameters vulnerable to SQLi/RCE/SSRF/Open Redirection
 

Reduced list of parameter names via regex, potentially vulnerable to SQLi:

  • .*_id
  • ^search$

Reduced list of parameter names through simple strings, potentially vulnerable to RCE:

  • cmd
  • exec
  • read
  • run

Reduced list of parameter values via regex, potentially vulnerable to SSRF/OpenRedirect:

  • http.*
  • .*\.[a-zA-Z]{3,4}($|\?.*)

Reduced list of parameter values through simple string, potentially vulnerable to authorization bypass:

  • save
  • read

    (You can also try edit, write, etc.)

  

The last profiles are the ones included in Burp Bounty Pro, with a lot of common potentially vulnerable parameters.

 
Once these parameters are detected you can use the Smart Scan to carry out automatic attacks 🙂
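The passive matching these profiles describe, as an added Python example that is not Burp Bounty Pro's own code: it parses GET, POST and Cookie parameters from a constructed request and reports which names or values match the patterns listed above, without sending any traffic. The `classify` function, the finding labels and the matching semantics (regexes searched anywhere in the string, simple strings as case-insensitive substrings) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns copied from the profile lists above. How they are applied is an
# assumption: regexes via re.search, simple strings as lowercase substrings.
NAME_REGEX = {"SQLi": [r".*_id", r"^search$"]}
NAME_STRING = {"RCE": ["cmd", "exec", "read", "run"]}
VALUE_REGEX = {"SSRF/OpenRedirect": [r"http.*", r".*\.[a-zA-Z]{3,4}($|\?.*)"]}
VALUE_STRING = {"AuthzBypass": ["save", "read"]}


def _hits(text, regex_rules, string_rules):
    """Return the sorted labels whose regex or substring rule matches text."""
    found = set()
    for label, patterns in regex_rules.items():
        if any(re.search(p, text) for p in patterns):
            found.add(label)
    for label, needles in string_rules.items():
        if any(n in text.lower() for n in needles):
            found.add(label)
    return sorted(found)


def classify(url, body="", cookie=""):
    """Flag GET, urlencoded POST and Cookie parameters; nothing is sent."""
    query = urlsplit(url).query
    params = [("GET", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    params += [("POST", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for pair in filter(None, (c.strip() for c in cookie.split(";"))):
        name, _, value = pair.partition("=")
        params.append(("Cookie", name, value))
    findings = []
    for where, name, value in params:
        for label in _hits(name, NAME_REGEX, NAME_STRING):
            findings.append((where, name, "name", label))
        for label in _hits(value, VALUE_REGEX, VALUE_STRING):
            findings.append((where, name, "value", label))
    return findings


if __name__ == "__main__":
    # Constructed sample request, not taken from the page.
    sample = "https://shop.example/item?product_id=7&next=https://shop.example/home&q=shoes"
    for finding in classify(sample, body="action=save&file=report.pdf", cookie="sid=abc; run=1"):
        print(finding)
```

Under the substring assumption, a name such as `thread` is flagged for RCE because it contains `read`, so simple-string rules produce candidates for review rather than confirmed findings.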
