Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more


Predefined payload lists

  • Last updated: May 23, 2024

  • Read time: 2 Minutes

Burp Intruder includes a range of built-in payload lists. You can use these to quickly and easily generate payloads for various attacks.

Using predefined payload lists

You can use a predefined payload list with any payload type that uses a list of strings:

  1. Go to Intruder > Payloads, and select an appropriate payload type.
  2. Click Add from list... in the Payload settings field.
  3. Select a list from the drop-down menu. The list loads in the Payload settings field.
  4. If the list includes placeholders, set up a rule to process them.


You can load your own directory of custom payload lists in the Settings dialog. Click on Settings to open the dialog. For more information, see Intruder settings.


Some of the predefined payload lists include placeholders that you can replace with your own values:

Predefined payload list

Placeholders used in the list

CGI Scripts


Fuzzing - full

{base}, {domain}, foo@{domain}

Fuzzing - JSON_XML injection


Fuzzing - out of band


Fuzzing - path traversal (single file)


Fuzzing - path traversal


Fuzzing - quick


Processing placeholders

Before you run an attack with one of the payload lists above, you need to replace placeholders with actual values. The table below details how each of the placeholders can be used:



Example placeholder replacement


Specify a filename.



Replaces {base} with value marked as payload.



Specify a web domain.



Specify a web domain as part of an email address.


Processing a placeholder in your attack

To add a placeholder to your attack, set up a processing rule:

  1. Go to Intruder > Payloads, and scroll down to the Payload processing field.
  2. Click Add. A window opens with a drop-down list of processing rules.
  3. Select Match/replace.
  4. In the Match regex field, type in the placeholder used in the payload. For example, \{file\} or \{domain\}.
  5. In the Replace with field, type the item you want to replace the placeholder with. For example, application.exe instead of \{file\}, or portswigger.net instead of \{domain\}.

Was this article helpful?