login

Burp Suite, the leading toolkit for web application security testing

Payload Positions

This tab is used to configure the request template for the attack, together with payload markers, and the attack type (which determines the way in which payloads are assigned to payload positions).

Request Template

The main request editor is used to define the request template from which all attack requests will be derived. For each attack request, Burp takes the request template, and places one or more payloads into the positions defined by the payload markers.

The easiest way to set up the request template is to select the request you want to attack anywhere within Burp, and choose the "Send to Intruder" option on the context menu. This will send the selected request to a new tab in Intruder, and will automatically populate the Target and Positions tabs. 

Payload Markers

Payload markers are placed using the § character, and function as follows:

To make the configuration easier, Intruder automatically highlights each pair of payload markers and any enclosed text between them.

You can place payload markers manually or automatically. When you send a request to Intruder from elsewhere within Burp, Intruder makes a guess at where you are likely to want to place payloads, and sets payload markers accordingly. You can modify the default payload markers using the buttons next to the request template editor:

Note: You can also use Intruder's payload positions UI to configure custom insertion points for active scans by Burp Scanner. To do this, configure the request template and payload markers in the usual way within Intruder, and then select "Actively scan defined insertion points" from the Intruder menu.

Attack Type

Burp Intruder supports various attack types - these determine the way in which payloads are assigned to payload positions. The attack type can be selected using the drop-down above the request template editor. The following attack types are available:

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Tuesday, August 19, 2014

1.6.05

This release fixes a UI bug affecting a small number of users who are running Burp on Java 1.6.

See all release notes ›

Copyright © 2014 PortSwigger Ltd. All rights reserved.