login

Burp Suite, the leading toolkit for web application security testing

Payload Types

Burp Intruder includes the following payload types:

Simple List

This is the simplest payload type, and lets you configure a simple list of strings that are used as payloads.

You can manually add items to the list using the text box and the "Add" button, or you can paste a list from the clipboard, or load from file.

Predefined Payload Lists

[Pro version] In various payload types that employ lists of items, you can use the "Add from list" drop-down menu to add predefined lists of useful payloads, such as common usernames and passwords, fuzz strings, etc. Note that you can customize the predefined payload lists using the "Configure predefined payload lists" item from the Intruder menu. You can choose your own directory containing payload files, and also copy all of Burp's built-in payload lists into your custom directory, to edit or use alongside your own payloads lists.

Runtime File

This payload type lets you configure a file from which to read payload strings at runtime. This is useful when a very large list of payloads is needed, to avoid holding the entire list in memory. One payload is read from each line of the file, hence payloads may not contain newline characters.

Custom Iterator

This payload type lets you configure multiple lists of items, and generate payloads using all permutations of items in the lists. It provides a powerful way to generate custom permutations of characters or other items according to a given template. For example, a payroll application may identify individuals using a personnel number of the form AB/12; you may need to iterate through all possible personnel numbers to obtain the details of all individuals.

The custom iterator defines up to 8 different "positions" which are used to generate permutations. Each position is configured with a list of items, and an optional "separator" string, which is inserted between that position and the next. In the example already mentioned, positions 1 and 2 would be configured with the items A - Z, positions 3 and 4 with the items 0 - 9, and position 2 would be set with the separator character /. When the attack is executed, the custom iterator iterates through each item in each position, to cover all possible permutations. Hence, in this example, the total number of payloads is equal to 26 * 26 * 10 * 10.

The list items can be edited in the same way as described for the simple list payload type. The "Clear all" button removes all configuration from all positions of the custom iterator.

The "Choose a preset scheme" drop-down menu can be used to select a preconfigured setup for the custom iterator. These can be used for various standard attacks or modified for customized attacks. Available schemes are "directory / file . extension", which can be used to generate URLs, and "password + digit" which can be used to generate an extended wordlist for password guessing attacks.

Character Substitution

This payload type lets you configure a list of strings and apply various character substitutions to each item. It may be useful in password guessing attacks, for generating common variations on dictionary words.

The UI lets you configure a number of character substitutions. When the attack is executed, the payload type works through each of the configured list items in turn. For each item, it generates a number of payloads, to include all permutations of substituted characters according to the defined substitutions. For example, with the default substitution rules (which include e > 3 and t > 7), the item "peter" will generate the following payloads:

peter

p3ter

pe7er

p37er

pet3r

p3t3r

pe73r

p373r

The list items can be edited in the same way as described for the simple list payload type.

Case Modification

This payload type lets you configure a list of strings and apply various case modifications to each item. This may be useful in password guessing attacks, for generating case variations on dictionary words.

The following case modification rules can be selected:

The payload type works through each of the configured list items in turn, adjusting the case of characters within each item. Duplicate payloads are discarded. For example, if all modification options are selected, the item "Peter Wiener" will generate the following payloads:

Peter Wiener

peter wiener

PETER WIENER

Peter wiener

The list items can be edited in the same way as described for the simple list payload type.

Recursive Grep

This payload type lets you extract each payload from the response to the previous request in the attack. It is useful in some situations where you need to work recursively to extract useful data or deliver an exploit.

The payload type works together with the extract grep function, which is used to extract part of a response containing interesting information. The text that was extracted from the previous response in the attack is used as the payload for the current request.

This can be used for various tasks. For example, it may be possible to extract the contents of a database via SQL injection by recursively injecting queries of the form:

union select name from sysobjects where name > 'a'

The server's error message discloses the name of the first database object:

Syntax error converting the varchar value 'accounts' to a column of data type int.

The query is then repeated using 'accounts' to identify the next object. This task can be easily automated using recursive grep payloads to quickly list all of the objects within the database.

The following options must be selected:

Note that because of the nature of this payload type, attacks using it must employ only a single request thread.

Illegal Unicode

This payload type can be used to generate illegal Unicode representations of characters. It is sometimes effective in bypassing filters designed to block certain characters, for example defenses against file path traversal attacks which match on expected encodings of the ../ and ..\ sequences.

The payload type operates on a list of items, and generates a number of payloads from each item by replacing a specified character within each item with illegal Unicode-encodings of another character. The following options are available:

The list items can be edited in the same way as described for the simple list payload type.

Character Blocks

This payload type generates payloads based on blocks of a specified character or string. It can be useful in detecting buffer overflow and other boundary condition vulnerabilities in software running in a native (unmanaged) context. It can also be used to exploit some logic flaws where input of a particular length bypasses input filters or triggers an unexpected code path.

The following options are available:

Numbers

This payload type generates numeric payloads within a given range and in a specified format.

The following options are available:

Each of the digits options may be left blank, indicating that no minimum or maximum size should be enforced. Examples of numbers generated by the current number format configuration are also shown.

Note: Burp uses double-precision floating point numbers for both the number range configuration and the internal state of the payload generator at runtime. Some loss of precision is to be expected when dealing with very large numbers or very precise fractional numbers. If you need to cycle through a range of numbers containing many total digits (more than approximately 12), then it is more reliable to use your payload positioning markers to highlight a sub-portion of the larger number within the attack template, and generate numeric payloads containing correspondingly fewer digits.  

Dates

This payload type generates date payloads within a given range and in a specified format. This payload type may be useful during data mining (e.g. trawling an order book for entries placed on different days) or brute forcing (e.g. guessing the date of birth component of a user's credentials).

The following options are available:

Brute Forcer

This payload type generates payloads of specified lengths that contain all permutations of a specified character set.

The following options are available:

Null Payloads

This payload type generates payloads whose value is an empty string.

This payload type is useful when an attack requires the same request to be made repeatedly, without any modification to the basic template. This can be used for a variety of attacks, for example harvesting cookies for sequencing analysis, application-layer denial-of-service attacks where requests are repeatedly sent which initiate high-workload tasks on the server, or keeping alive a session token that is being used in other intermittent tests.

With this payload type, it is not even necessary to use payload position markers in your request template.

You can configure Burp to generate a specified number of null payloads, or to continue indefinitely.

Character Frobber

This payload type operates on a string input and modifies the value of each character position in turn. It can operate on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, incrementing the ASCII code of that character by one.

This payload type is useful when testing which parameter values, or parts of values, have an effect on the application's response. In particular, it can be useful when testing which parts of a complex session token are actually being used to track session state. If modifying the value of an individual character within the session token still causes your request to be processed within your session, then it is likely that this character in the token is not actually being used to track your session.

Bit Flipper

This payload type operates on an input and modifies the value of each bit position in turn. It can operate on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, flipping each (specified) bit in turn.

The following options are available:

You can configure the bit flipper either to operate on the literal base value, or to treat the base value as an ASCII hex string. For example, if the base value is "ab" then operating on the literal string and flipping all bits will result in the following payloads:

`b

cb

eb

ib

qb

Ab

!b

áb

ac

a`

af

aj

ar

aB

a"

Whereas treating "ab" as an ASCII hex string and flipping all bits will result in the following payloads:

aa

a9

af

a3

bb

8b

eb

2b

This payload type can be useful in similar situations to the character frobber but where you need finer-grained control. For example, if session tokens or other parameter values contain meaningful data encrypted with a block cipher in CBC mode, it may be possible to change parts of the decrypted data systematically by modifying bits within the preceding cipher block. In this situation, you can use the bit flipper payload type to determine the effects of modifying individual bits within the encrypted value, and understand whether the application may be vulnerable.

Username Generator

This payload type lets you configure a list of names or email addresses, and derives potential usernames from these using various common schemes.

For example, supplying the name "peter weiner" results in up to 115 possible usernames, as follows:

peterweiner

peter.weiner

weinerpeter

weiner.peter

peter

weiner

peterw

peter.w

wpeter

w.peter

pweiner

p.weiner

weinerp

weiner.p

etc...

This payload type can be useful if you are targeting a particular human user, and you do not know the username or email address scheme in use within an application.

The list items can be edited in the same way as described for the simple list payload type. You can also configure a maximum number of payloads to generate per item in the list.

ECB Block Shuffler

This payload type can be used to shuffle blocks of ciphertext in ECB-encrypted data, so as to meaningfully modify the decrypted cleartext and potentially interfere with application logic.

Because ECB ciphers encrypt each block of plaintext independently of others, identical blocks of plaintext encrypt into identical blocks of ciphertext (provided the same key is used), and vice versa. Hence, it is possible to shuffle blocks within a large piece of ciphertext with the effect of shuffling the corresponding blocks of decrypted plaintext. In some data (such as a structured session token with fields for username, user ID, role, and a timestamp) it may be possible to meaningfully alter the content of the decrypted data so as to interfere with application processing, and carry out unauthorized actions.

The following options are available:

Extension-Generated

This payload type invokes a Burp extension to generate payloads. The extension must have registered an Intruder payload generator. You can select the required generator from the list of available generators that have been registered by currently loaded extensions.

Copy Other Payload

This payload type copies the value of the current payload at another payload position. It can be used with attack types that have multiple payload sets (cluster bomb and battering ram). You can also define payload processing rules so that you can systematically derive the current payload from the value of a payload at another position, rather than just copying its literal value.

This payload type can be useful in various situations, for example:

 

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Monday, October 20, 2014

v1.6.06

This release includes some major enhancements to the Scanner engine. Burp can now automatically report the following new types of issues: Perl code injection, PHP code injection, Ruby code injection, Server-side JavaScript code injection, File path manipulation, Serialized object in HTTP message, Client-side JSON injection, Client-side XPath injection, Document domain manipulation, Link manipulation, and DOM data manipulation.

See all release notes ›

Copyright © 2014 PortSwigger Ltd. All rights reserved.