PROFESSIONAL

Predefined payload lists

  • Last updated: January 27, 2023

Burp Intruder includes a range of built-in payload lists. You can use these to quickly and easily generate payloads for various attacks.

Using predefined payload lists

You can use a predefined payload list with any payload type that uses a list of strings:

  1. Click Add from list... in the Payload Options field.
  2. Select a list from the drop-down menu. The list loads in the Payload Options field.
  3. If the list includes placeholders, set up a rule to process them.

Placeholders

Some of the predefined payload lists include placeholders, for example {KNOWNFILE} or {domain}.

[Figure: Intruder payload list placeholders]

To process a placeholder correctly in your attack, set up a processing rule:

  1. Go to Intruder > Payloads, and scroll down to the Payload Processing field.
  2. Click Add. A window opens with a drop-down list of processing rules.
  3. Select Match / replace.
  4. In the Match regex box, type in the placeholder used in the list, for example {KNOWNFILE} or {domain}.
  5. In the Replace with box, type in the placeholder replacement. For example, application.exe instead of {KNOWNFILE}, or portswigger.net instead of {domain}.

Customizing predefined payload lists

You can load your own directory of custom payload lists:

  1. Go to the top-level Intruder menu and click Configure predefined payload lists.
  2. Select Load custom lists from directory.
  3. Choose your own directory and click Open.

To copy all of Burp's preconfigured payload lists into your directory, load a custom directory and select Copy.
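An added example, not part of Burp or the original documentation: a Python check that scans a custom list directory and reports placeholders that none of your planned Match / replace rules covers, so no list is sent with a raw placeholder in it. It assumes list files are plain text with one payload per line and that placeholders are brace-wrapped names; the file names and sample lines are constructed.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: a placeholder is a brace-wrapped name, as in {KNOWNFILE} or {domain}.
PLACEHOLDER = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}")

def find_placeholders(lines):
    """Count each placeholder token across an iterable of payload strings."""
    counts = Counter()
    for line in lines:
        counts.update(PLACEHOLDER.findall(line))
    return counts

def apply_rules(lines, rules):
    """Replace each placeholder that has a rule (literal match); leave the rest untouched."""
    return [PLACEHOLDER.sub(lambda m: rules.get(m.group(0), m.group(0)), line)
            for line in lines]

def audit_directory(directory, rules):
    """Map file name -> {placeholder: count} for placeholders no rule covers."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        leftover = find_placeholders(apply_rules(lines, rules))
        if leftover:
            report[path.name] = dict(leftover)
    return report

def demo():
    """Audit two constructed list files written to a temporary directory."""
    rules = {"{KNOWNFILE}": "application.exe"}  # replacement value from the page
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "files.txt").write_text(
            "backup-{KNOWNFILE}\nstatic-entry\n", encoding="utf-8")
        Path(tmp, "hosts.txt").write_text(
            "mail.{domain}\nwww.{domain}\n", encoding="utf-8")
        return audit_directory(tmp, rules)

if __name__ == "__main__":
    for name, leftover in demo().items():
        print(f"{name}: no rule for {leftover}")
```

Call `audit_directory()` with the path of your own custom list directory and a dictionary of the rules you intend to configure; an empty result means every placeholder has a rule.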
