Burp Suite, the leading toolkit for web application security testing

Payload Positions

This tab is used to configure the request template for the attack, together with payload markers, and the attack type (which determines the way in which payloads are assigned to payload positions).

Request Template

The main request editor is used to define the request template from which all attack requests will be derived. For each attack request, Burp takes the request template, and places one or more payloads into the positions defined by the payload markers.

The easiest way to set up the request template is to select the request you want to attack anywhere within Burp, and choose the "Send to Intruder" option on the context menu. This will send the selected request to a new tab in Intruder, and will automatically populate the Target and Positions tabs. 

Payload Markers

Payload markers are placed using the § character, and function as follows:

To make the configuration easier, Intruder automatically highlights each pair of payload markers and any enclosed text between them.

You can place payload markers manually or automatically. When you send a request to Intruder from elsewhere within Burp, Intruder makes a guess at where you are likely to want to place payloads, and sets payload markers accordingly. You can modify the default payload markers using the buttons next to the request template editor:

Note: You can also use Intruder's payload positions UI to configure custom insertion points for active scans by Burp Scanner. To do this, configure the request template and payload markers in the usual way within Intruder, and then select "Actively scan defined insertion points" from the Intruder menu.
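The sketch below is an added example, not Burp's own code and not part of the original page. It models how a request template with § payload markers becomes one concrete request. It assumes that each pair of markers defines one payload position, that the enclosed text is replaced by the assigned payload, and that a position with no payload keeps its enclosed text with the markers removed. The function names and the request to `app.example.test` are constructed for illustration.

```python
MARKER = "\u00a7"  # the § character used as the payload marker


def split_template(template):
    """Split a template into literal segments and payload positions.

    Returns (literals, bases): literals has one more item than bases, and
    bases[i] is the text enclosed by the i-th pair of markers.
    """
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:  # an odd number of markers leaves a pair unclosed
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(template, payloads):
    """Build one request from the template.

    payloads maps a position index to its payload. Positions without an
    entry keep their enclosed base text (assumption stated in the lead-in).
    """
    literals, bases = split_template(template)
    unknown = set(payloads) - set(range(len(bases)))
    if unknown:
        raise IndexError(f"no such payload position: {sorted(unknown)}")
    out = [literals[0]]
    for i, base in enumerate(bases):
        out.append(payloads.get(i, base))
        out.append(literals[i + 1])
    return "".join(out)


# Constructed request template with two payload positions.
TEMPLATE = (
    "GET /item?id=§1001§&lang=§en§ HTTP/1.1\r\n"
    "Host: app.example.test\r\n\r\n"
)

if __name__ == "__main__":
    _, bases = split_template(TEMPLATE)
    print("positions:", bases)
    print(render(TEMPLATE, {0: "1002"}))
```
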

Attack Type

Burp Intruder supports various attack types, which determine the way in which payloads are assigned to payload positions. The attack type can be selected using the drop-down above the request template editor. The following attack types are available:

Copyright © 2014 PortSwigger Ltd. All rights reserved.