PROFESSIONAL
Predefined payload lists
-
Last updated: January 27, 2023
-
Read time: 1 Minute
Burp Intruder includes a range of built-in payload lists. You can use these to quickly and easily generate payloads for various attacks.
Using predefined payload lists
You can use a predefined payload list with any payload type that uses a list of strings:
- Click Add from list... in the Payload Options field.
- Select a list from the drop-down menu. The list loads in the Payload Options field.
- If the list includes placeholders, set up a rule to process them.
Placeholders
Some of the predefined payload lists include placeholders, for example {KNOWNFILE}
or {domain}
.

To process a placeholder correctly in your attack, set up a processing rule:
- Go to Intruder > Payloads, and scroll down to the Payload Processing field.
- Click Add. A window opens with a drop-down list of processing rules.
- Select Match / replace.
- In the Match regex box, type in the placeholder used in the list, for example
{KNOWNFILE}
or{domain}
. - In the Replace with box, type in the placeholder replacement. For example, application.exe instead of
{KNOWNFILE}
, or portswigger.net instead of{domain}
.
Customizing predefined payload lists
You can load your own directory of custom payload lists:
- Go to the top-level Intruder menu and click Configure predefined payload lists.
- Select Load custom lists from directory.
- Choose your own directory and click Open.
To copy all of Burp's preconfigured payload lists into your directory, load a custom directory and select Copy.