Burp Intruder payload types
Last updated: January 27, 2023
You can set the type of payload that you want to inject into the base request. Burp Intruder provides a range of options for auto-generating different types of payload, or you can use a simple wordlist.
You can select a payload type under the Payload Sets field, in the Intruder > Payloads tab.
You can use predefined payload lists with many of the payload options. For more information, see Predefined payload lists.
Payload type options
You can customize each payload type under the Payload Options field. Many types offer the following base configuration options:
- Paste - Insert a list from your clipboard.
- Load ... - Load a list from a file.
- Remove - Delete the highlighted item.
- Clear - Delete all items in the list.
- Deduplicate - Remove duplicate entries from your list. This increases the efficiency of your attacks by reducing the number of requests that are sent.
- Add - Enter a new item.
- Add from list ... - Add a predefined payload list.
Type-specific payload options are outlined in detail under the payload type descriptions.
Simple list
This enables you to configure a simple list of strings that are used as payloads.
Runtime file
This enables you to configure a file from which to read payload strings at runtime.
You can use this payload type when a very large list of payloads is needed, to avoid holding the entire list in memory. One payload is read from each line of the file, hence payloads may not contain newline characters.
Custom iterator
This enables you to generate payloads using permutations of characters or other items according to a given template.
You can define up to eight different positions in the template, and set each position with a list of items. You can use a separator between any positions. For example, you could set up an attack to iterate through all possible permutations of the template AA/11, with the first two positions cycling through A - Z, and the second two positions cycling through 0 - 9. This could be useful if, for example, a payroll application identifies individuals using a number of the form AA/11.
There are various ways to edit the list items:
- To remove configuration from all positions of the custom iterator, click Clear all.
To select a preconfigured setup for the custom iterator, click on the Preset schemes drop-down menu and select a scheme. The scheme can then be modified. You can choose from:
- Directories / file extensions - Generate URLs.
- Two-digit hex - Generate hexadecimal numbers.
- Passwords + digit - Generate an extended wordlist for password guessing attacks.
Character substitution
This enables you to apply character substitutions to each item in a list of strings.
You can use character substitution in password guessing attacks, for generating common variations on dictionary words.
The subsequent attack uses all permutations of substituted characters for each list item in turn. For example, for the substitutions e > 3 and t > 7, the item "peter" will generate the following payloads:
peter p3ter pe7er p37er pet3r p3t3r pe73r p373r
Case modification
This enables you to apply case modifications to each item in a list of strings.
You can use case modification in password guessing attacks, for generating case variations on dictionary words.
The subsequent attack adjusts the case of characters within each item in turn. Duplicate payloads are discarded. You can select from a range of case modification options:
- No change - No modification.
- To lower case - All letters are converted to lower case.
- To upper case - All letters are converted to upper case.
- To Propername - The first letter is converted to upper case, and subsequent letters are converted to lower case.
- To ProperName - The first letter is converted to upper case, and subsequent letters are not changed.
For example, if all modification options are selected, the item "Peter Wiener" will generate the following payloads:
Peter Wiener peter wiener PETER WIENER Peter wiener
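The two list-transforming types above are easy to model, and doing so lets you size an attack before running it. The following is an added example, not PortSwigger's code: it reproduces the "peter" substitution output and the "Peter Wiener" case output in the order shown above, and `expand_wordlist` chains the two so the total payload count of a combined configuration can be checked. All function names are this example's own.

```python
from itertools import product

# Added example (not Burp's code): models the Character substitution and
# Case modification payload types.

def character_substitution(item, substitutions):
    """Yield every permutation of applying `substitutions` (e.g. {"e": "3", "t": "7"})
    to `item`. Each matching character is independently kept or replaced, so an
    item with k matching characters yields 2**k payloads; the original comes first
    and earlier positions vary fastest, matching the order shown above."""
    choices = [(ch, substitutions[ch]) if ch in substitutions else (ch,) for ch in item]
    seen = set()
    for combo in product(*reversed(choices)):   # reversed so position 0 varies fastest
        payload = "".join(reversed(combo))
        if payload not in seen:                  # a no-op mapping would produce duplicates
            seen.add(payload)
            yield payload

CASE_MODES = {
    "No change": lambda s: s,
    "To lower case": str.lower,
    "To upper case": str.upper,
    "To Propername": lambda s: s[:1].upper() + s[1:].lower(),  # rest forced to lower case
    "To ProperName": lambda s: s[:1].upper() + s[1:],          # rest left unchanged
}

def case_modification(item, modes=tuple(CASE_MODES)):
    """Yield the selected case variants of `item`, discarding duplicates."""
    seen = set()
    for mode in modes:
        payload = CASE_MODES[mode](item)
        if payload not in seen:
            seen.add(payload)
            yield payload

def expand_wordlist(words, substitutions, modes=tuple(CASE_MODES)):
    """Substitution followed by case modification over a whole list, deduplicated,
    so the size of the resulting attack can be measured up front."""
    seen, out = set(), []
    for word in words:
        for sub in character_substitution(word, substitutions):
            for payload in case_modification(sub, modes):
                if payload not in seen:
                    seen.add(payload)
                    out.append(payload)
    return out

if __name__ == "__main__":
    print(list(character_substitution("peter", {"e": "3", "t": "7"})))
    print(list(case_modification("Peter Wiener")))
    print(len(expand_wordlist(["peter", "wiener"], {"e": "3", "t": "7"})))
```

Because each substitutable character doubles the payload count, a word with six matching letters already produces 64 variants before case modification multiplies it again; deduplication only removes exact repeats, so the count is worth checking before an attack is launched.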
Recursive grep
This enables you to extract text from the response to the previous request, and use it as the payload for the current request.
You can use this payload type when you need to work recursively to extract useful data or deliver an exploit. For example, to extract the contents of a database via SQL injection by recursively injecting queries of the form:
UNION SELECT name FROM sysobjects WHERE name > 'a'
The server's error message discloses the name of the first database object:
Syntax error converting the varchar value 'accounts' to a column of data type int.
The query is then repeated using "accounts" to identify the next object. This task can be easily automated using recursive grep payloads to quickly list all objects within the database.
The following options must be configured:
- Initial payload for first request - Enter an initial payload. This is used to generate the first request and response.
- Extract grep item - Select an extract grep item. This is used to extract an interesting part of the previous response, which is then used to derive further payloads. For instructions on how to define an extract grep item, see Burp Intruder options.
- Stop if duplicate payload found - Stop the attack when the same payload is derived twice in succession. This normally indicates that the exercise is complete.
Attacks using the recursive grep payload type must use a resource pool with a maximum concurrent requests setting of 1. For more information on resource pools, see Intruder resource pools.
Illegal Unicode
This enables you to generate payloads from a list of items by replacing a specified character with illegal Unicode-encodings of another character.
You can use this payload type to attempt to bypass filters designed to block certain characters. For example, defenses against file path traversal attacks which match on expected encodings of the ../ and ..\ sequences.
The available options are described below:
Overlong UTF-8 encodings
You can specify whether overlong encoding is used, and set a maximum length of up to 6 bytes.
This allows you to represent basic ASCII characters (0x00 - 0x7F) in the Unicode scheme. They are usually correctly represented using a single byte.
Illegal UTF-8 continuation bytes
- Do illegal UTF-8 - Generate three additional encodings for each continuation byte in turn, when the maximum overlong UTF-8 length is set to two bytes or more.
- Three illegal variants of each continuation byte are possible, with the binary forms 00xxxxxx, 01xxxxxx and 11xxxxxx. This is because, when a character is encoded with more than one byte, the bytes following the first take the binary form 10xxxxxx, to designate that they are continuation bytes. However, the most significant bits of the first byte also identify how many continuation bytes will follow, so Unicode decoding routines may ignore the first two bits of continuation bytes.
- Maximize permutations in multi-byte encodings - Modify more than one continuation byte simultaneously, when you have selected Do illegal UTF-8 and a maximum overlong UTF-8 length of three bytes or more. This generates all permutations of illegal variants for continuation bytes. You can use this to attempt to circumvent advanced pattern-matching controls, by generating a much larger number of different illegal encodings.
Illegal hex characters
These options control how the generated byte sequences are represented using hexadecimal notation:
- Do illegal hex - When the list of illegally-encoded items has been generated using overlong encodings and illegal variants of continuation bytes (if selected), it is possible to modify the hexadecimal encoding of the resulting byte sequences to confuse certain pattern-matching controls. Hex encoding uses the characters A - F to represent the decimal values 10 - 15. However, some hex decoders interpret, for example, G as decimal 16 and H as decimal 17, so 0x1G may be interpreted as decimal 32. Further, if illegal hex characters are used in the first position of a two-digit hex code, the resulting decoding overflows the maximum value of a single byte, and in this situation some hex decoders only use the 8 least significant bits of the resulting number. So 0xG1 may be decoded as decimal 257, which is then interpreted as decimal 1. Each legal two-digit hex code has between 4 and 6 corresponding illegal hex representations which are interpreted as that same hex code if decoded as described above. If the Do illegal hex option is selected, Burp generates all possible illegal hex encodings of each byte in the list of illegally-encoded items.
- Maximize permutations in multi-byte encodings - Modify more than one byte simultaneously, when you have selected Do illegal hex, and a maximum overlong UTF-8 length of two bytes or more. This generates all permutations of illegal hex for all bytes. You can use this to attempt to circumvent advanced pattern-matching controls, by generating a much larger number of different illegal encodings.
These options control the appearance of hex-encoded payloads:
- Use lower case alpha characters - Specify whether lower or upper case alphabet characters are used in hex codes.
- Add % prefix before each byte - Insert the % character before each two-digit hex code, to effectively URL-encode the generated payloads.
This option enables you to:
- View a best estimate for the number of encodings, based on the rest of the configuration.
- Specify a ceiling on the number of illegal encodings that will be generated.
This can be useful if large overlong encodings are being used or maximum permutations have been selected, as these options may generate huge numbers of illegal encodings.
Match / replace in list items
These options control the replacement of characters within list items:
- Match character - Specify the character that will be replaced within each list item. Use a dummy character such as * in your list items, to indicate where replacements should occur.
- Replace with encodings of - Specify the character for which illegal encodings will be derived, to replace the original match character within each list item. This option can be specified using the ASCII character itself, or the two-digit hex code for the character. This is useful for specifying non-printable ASCII characters, such as null.
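The options above are clearer once you see the bytes they produce. The block below is an added example, not Burp's or PortSwigger's code: it derives overlong UTF-8 forms of a character, the three illegal variants of each continuation byte, and the hex rendering with the lower-case and `%` options, then applies the match / replace step to list items. It also contrasts a conforming decoder (Python's, which rejects every one of these sequences) with a constructed lenient decoder of the kind the page describes, so that the filter-bypass risk and its mitigation (strict decoding before any pattern match) are both visible. Function names, the lenient decoders and the sample items are this example's own assumptions.

```python
# Added example (not Burp's code): models the Illegal Unicode payload type.

LEAD_PREFIX = {2: 0xC0, 3: 0xE0, 4: 0xF0, 5: 0xF8, 6: 0xFC}  # 110xxxxx, 1110xxxx, ...

def overlong_utf8(codepoint, nbytes):
    """Encode `codepoint` in exactly `nbytes` bytes using the UTF-8 bit layout.
    For an ASCII code point and nbytes >= 2 this is an overlong form, which
    RFC 3629 forbids and a conforming decoder must reject."""
    if not 2 <= nbytes <= 6:
        raise ValueError("overlong forms use 2 to 6 bytes")
    cont_bits = 6 * (nbytes - 1)
    lead = LEAD_PREFIX[nbytes] | (codepoint >> cont_bits)
    cont = [0x80 | ((codepoint >> (6 * i)) & 0x3F) for i in range(nbytes - 2, -1, -1)]
    return bytes([lead] + cont)

def continuation_variants(enc):
    """The three illegal variants (00xxxxxx, 01xxxxxx, 11xxxxxx) of each
    continuation byte, one byte changed at a time (the non-maximized mode)."""
    variants = []
    for i in range(1, len(enc)):
        for prefix in (0x00, 0x40, 0xC0):
            v = bytearray(enc)
            v[i] = prefix | (enc[i] & 0x3F)
            variants.append(bytes(v))
    return variants

def hex_payload(data, lower=True, percent=True):
    """Render bytes as two-digit hex codes, optionally lower case and %-prefixed."""
    text = data.hex() if lower else data.hex().upper()
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return "".join(("%" if percent else "") + p for p in pairs)

def illegal_unicode_payloads(char, max_len=2, illegal_continuations=False, lower=True, percent=True):
    """All encodings of `char` that the overlong / illegal-continuation options produce."""
    cp = ord(char)
    encodings = []
    for n in range(2, max_len + 1):
        base = overlong_utf8(cp, n)
        encodings.append(base)
        if illegal_continuations:
            encodings.extend(continuation_variants(base))
    return [hex_payload(e, lower, percent) for e in encodings]

def apply_to_items(items, encodings, match="*"):
    """Match / replace: substitute each encoding for the dummy character in each item."""
    return [item.replace(match, enc) for item in items for enc in encodings]

def strict_utf8_accepts(data):
    """Python's decoder is conforming: overlong and malformed sequences are rejected."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def lenient_decode(data):
    """Constructed model of a weak decoder: trusts the lead byte's length bits,
    ignores the top two bits of continuation bytes and never checks for overlong
    forms. It exists only to show what these payloads rely on."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        n, mask = 0, 0x80
        while b & mask:                 # count leading 1 bits = sequence length
            n += 1
            mask >>= 1
        if n < 2 or n > 6 or i + n > len(data):
            raise ValueError("malformed sequence")
        cp = b & (0xFF >> (n + 1))
        for j in range(1, n):
            cp = (cp << 6) | (data[i + j] & 0x3F)   # 10xxxxxx prefix never verified
        out.append(chr(cp))
        i += n
    return "".join(out)

def lenient_hex_byte(pair):
    """Constructed model of a weak hex decoder: accepts G=16, H=17, ... and keeps
    only the low 8 bits, so '1G' -> 32 and 'G1' -> 257 -> 1."""
    digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    hi, lo = (digits.index(c) for c in pair.upper())
    return (hi * 16 + lo) & 0xFF

if __name__ == "__main__":
    encs = illegal_unicode_payloads(".", max_len=3, illegal_continuations=True)
    print(encs)                                  # constructed sample item follows
    print(apply_to_items(["a*b"], encs)[:2])
    raw = overlong_utf8(ord("."), 2)
    print(strict_utf8_accepts(raw), lenient_decode(raw))
```

The defensive takeaway is in the last two calls: the same bytes that a conforming decoder refuses are silently turned into "." by the lenient one, which is exactly the gap a filter that matches on the expected encoding leaves open. Decoding strictly, and rejecting rather than repairing invalid input, closes it.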
Character blocks
This enables you to generate payloads based on blocks of a specified character or string.
You can use this payload type to:
- Detect buffer overflow and other boundary condition vulnerabilities in software running in a native (unmanaged) context.
- Exploit some logic flaws where input of a particular length bypasses input filters or triggers an unexpected code path.
The following options are available:
- Base string - The input string, from which the character blocks will be generated.
- Min length - The base string is multiplied by this number to generate the smallest block.
- Max length - The base string is multiplied by this number to generate the largest block.
- Step - The increment in the length of each character block.
Numbers
This enables you to generate numeric payloads within a given range and in a specified format.
You can configure various aspects of the number range:
- Type - Specify whether numbers are generated sequentially, or at random.
- From - Specify the first number that is generated sequentially. Otherwise, the smallest number that may be randomly generated.
- To - Specify the last number that is generated sequentially, or nearest lower increment of the step value. Otherwise, the largest number that may be randomly generated.
- Step - Specify the increment between sequentially generated successive numbers. The value may be negative, in which case the numbers generated will step downwards.
- How many - The number of payloads that will be randomly generated. Note that duplicate payloads may be generated.
If you need to cycle through a range of numbers containing many total digits (more than approximately 12), then it is more reliable to use your payload markers to highlight a sub-portion of the larger number within the attack template, and generate numeric payloads containing correspondingly fewer digits.
This is because Burp uses double-precision floating point numbers for both the number range configuration and the internal state of the payload generator at runtime. Some loss of precision is to be expected when dealing with very large numbers or very precise fractional numbers.
You can also configure various aspects of the number format:
- Base - Specify whether numbers are generated in decimal or hexadecimal form.
- Min integer digits - Set the minimum number of integer digits each number will have. Numbers with fewer integer digits are padded with zeros on the left hand side.
- Max integer digits - Set the maximum number of integer digits each number will have. Numbers with more integer digits are truncated, losing their most significant integer digits.
- Min fraction digits - Set the minimum number of fraction digits (after the decimal point) each number will have. Numbers with fewer fraction digits are padded with zeros on the right hand side. Only available when generating decimal numbers.
- Max fraction digits - Set the maximum number of fraction digits (after the decimal point) each number will have. Numbers with more fraction digits are truncated, losing their least significant fraction digits. Only available when generating decimal numbers.
To indicate that no minimum or maximum size should be enforced, leave any of the digit options blank.
As you edit the number format, example numbers with the minimum and maximum number of digits are shown.
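The format options above interact (padding, truncation, base, fraction digits), and the double-precision caveat is easy to underestimate. The following is an added example, not Burp's code: `format_number` applies the options to one value, `number_payloads` and `random_number_payloads` model the sequential and random types, and `float_precision_lost` shows concretely where a double stops representing integers exactly, which is why the page recommends splitting long numbers across payload positions. Names and behaviour for corner cases (such as a negative value in hex) are this example's own assumptions, not a specification of Burp's output.

```python
from decimal import Decimal
import random

# Added example (not Burp's code): models the Numbers payload type.

def format_number(value, base=10, min_int=None, max_int=None, min_frac=None, max_frac=None):
    """Apply the Numbers format options to one value and return the payload text."""
    if base == 16:
        sign = "-" if value < 0 else ""
        int_part, frac = format(abs(int(value)), "x"), ""
    elif base == 10:
        text = format(Decimal(str(value)), "f")          # plain notation, no exponent
        sign = "-" if text.startswith("-") else ""
        int_part, _, frac = text.lstrip("-").partition(".")
    else:
        raise ValueError("base must be 10 or 16")
    if max_int is not None and len(int_part) > max_int:
        int_part = int_part[len(int_part) - max_int:]    # drop the most significant digits
    if min_int is not None:
        int_part = int_part.rjust(min_int, "0")           # pad with zeros on the left
    if base == 10:
        if max_frac is not None:
            frac = frac[:max_frac]                         # drop the least significant digits
        if min_frac is not None:
            frac = frac.ljust(min_frac, "0")               # pad with zeros on the right
    return sign + int_part + ("." + frac if frac else "")

def number_payloads(start, stop, step, **fmt):
    """Sequential type: start, start+step, ... up to the nearest value not past stop.
    A negative step counts downwards."""
    if step == 0:
        raise ValueError("step must be non-zero")
    out, n = [], start
    while (step > 0 and n <= stop) or (step < 0 and n >= stop):
        out.append(format_number(n, **fmt))
        n += step
    return out

def random_number_payloads(low, high, how_many, seed=None, **fmt):
    """Random type: `how_many` integers in [low, high]; duplicates are possible."""
    rng = random.Random(seed)
    return [format_number(rng.randint(low, high), **fmt) for _ in range(how_many)]

def float_precision_lost(n):
    """True when a double cannot hold the integer n exactly. Doubles are exact up to
    2**53 (about 16 digits); the page's ~12-digit guidance leaves margin for the
    arithmetic the generator performs on the way."""
    return int(float(n)) != n

if __name__ == "__main__":
    print(number_payloads(0, 1, 0.25, min_frac=2))
    print(number_payloads(250, 260, 5, base=16, min_int=4))
    print(random_number_payloads(0, 9999, 5, seed=1, min_int=4))
    print(float_precision_lost(2**53 + 1), float_precision_lost(999999999999))
```

If a number range must exceed what a double represents, place the payload marker over only the low-order digits of the number in the request template and generate that shorter range; the fixed high-order digits then never pass through floating-point arithmetic.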
Dates
This enables you to generate date payloads within a given range and in a specified format.
You can use this payload type for:
- Data mining, for example, trawling an order book for entries placed on different days.
- Brute forcing, for example, guessing the date of birth component of a user's credentials.
The following options are available:
- From - Set the first (and earliest) date that will be generated.
- To - Set the value of the last (and latest) date that will be generated (or the nearest lower increment of the step value).
- Step - Set the increment between successive dates, in days, weeks, months or years. It must be a positive value.
- Format - Set the format in which the dates should be represented. Several predefined date formats can be selected, or a custom format can be entered. The examples below illustrate the syntax that can be used to specify custom date formats.
Brute forcer
This enables you to generate payloads of specified lengths that contain all permutations of a specified character set.
The following options are available:
- Character set - Specify the set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
- Min length - Set the length of the shortest payload.
- Max length - Set the length of the longest payload.
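The custom iterator described earlier and the brute forcer are both Cartesian products over per-position item lists; the brute forcer is the special case where every position uses the same character set. The following added example (not Burp's code) implements both, reproduces the AA/11 template and the two-digit hex preset from the custom iterator section, and gives a closed-form count so that the exponential growth noted above can be checked before the attack runs. Names are this example's own.

```python
from itertools import product
import string

# Added example (not Burp's code): models the Custom iterator and Brute forcer types.

def custom_iterator(positions, separators=()):
    """Yield every combination of one item per position, joined by the separators.
    `positions` is a list of up to eight item lists; `separators[i]` goes between
    position i and i+1 (missing separators default to the empty string)."""
    if not 1 <= len(positions) <= 8:
        raise ValueError("the custom iterator supports one to eight positions")
    seps = list(separators) + [""] * (len(positions) - 1 - len(separators))
    for combo in product(*positions):          # last position varies fastest
        parts = [combo[0]]
        for sep, item in zip(seps, combo[1:]):
            parts.extend((sep, item))
        yield "".join(parts)

def brute_forcer(charset, min_len, max_len):
    """Yield every string of length min_len..max_len over `charset`, shortest first."""
    for n in range(min_len, max_len + 1):
        for combo in product(charset, repeat=n):
            yield "".join(combo)

def payload_count(set_size, min_len, max_len):
    """Number of brute-forcer payloads: sum of set_size**n over the length range."""
    return sum(set_size ** n for n in range(min_len, max_len + 1))

def aa11_scheme():
    """The AA/11 template from the custom iterator section: two letters, a slash,
    two digits."""
    return custom_iterator(
        [string.ascii_uppercase, string.ascii_uppercase, string.digits, string.digits],
        separators=["", "/"],
    )

if __name__ == "__main__":
    ids = list(aa11_scheme())
    print(ids[0], ids[-1], len(ids))                       # AA/00 ZZ/99 67600
    print(list(custom_iterator(["0123456789abcdef"] * 2))[:4])   # two-digit hex preset
    print(payload_count(36, 1, 4), payload_count(62, 1, 8))
```

`payload_count` is the figure to look at before choosing a maximum length: four characters over a 36-character set is already 1.7 million requests, and eight over a 62-character set is in the hundreds of trillions, which no attack will finish.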
Null payloads
This enables you to generate payloads whose value is an empty string. You can use this to repeatedly issue the base request unmodified - you don't need to configure payload positions.
You can use this payload type for a variety of attacks, for example:
- Harvesting cookies for sequencing analysis.
- Application-layer denial-of-service attacks where requests are repeatedly sent which initiate high-workload tasks on the server.
- Keeping alive a session token that is being used in other intermittent tests.
You have the option to generate a specified number of null payloads, or continue indefinitely.
Character frobber
This enables you to modify the value of each character position of an input. The input could be the base value of each payload position, or a specified string. The attack cycles through each item in turn, one character at a time, incrementing the ASCII code of that character by one.
You can use this payload type to test which parameter values, or parts of values, have an effect on the application's response. For example, you can use it to test which parts of a session token track session state. If you modify the value of an individual character within the token, and your request is still processed within your session, then it is likely that this character is not used to track your session.
Bit flipper
This enables you to modify the value of each bit position of an input. The input could be the base value of each payload position, or a specified string. It cycles through each item, one character at a time, flipping each specified bit in turn.
The following options are available:
- Operate on - Specify whether to operate on the base value of the payload position, or on another string.
- Format of original data - Specify whether the generator should operate on the literal value of the original data, or treat it as ASCII hex (explained further below).
- Select bits to flip - Specify which bits in each byte should be flipped, from the least significant bit (0000000X) through to the most significant bit (X0000000).
For example, if the base value is "ab" then operating on the literal string and flipping all bits will result in the following payloads:
Whereas treating "ab" as an ASCII hex string and flipping all bits will result in the following payloads:
You can use the Bit flipper in similar situations to the Character frobber, but where you need finer-grained control. For example, if session tokens or other parameter values contain meaningful data encrypted with a block cipher in CBC mode, it may be possible to change parts of the decrypted data systematically by modifying bits within the preceding cipher block. You can use this payload type to determine the effects of modifying individual bits within the encrypted value.
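The two example payload lists for "ab" are not reproduced on this page, so the following added example (not Burp's code) computes them: it models the character frobber and the bit flipper in both literal and ASCII-hex modes. In literal mode "ab" is two bytes (0x61 0x62) and flipping all bits gives 16 payloads, some of them non-printable; in ASCII-hex mode "ab" is the single byte 0xAB and gives 8 two-character hex payloads. Function names and the exact ordering (position-major, least significant bit first) are this example's own assumptions.

```python
# Added example (not Burp's code): models the Character frobber and Bit flipper types.

def character_frobber(data):
    """One payload per byte position, with that byte's code incremented by one."""
    data = bytes(data)
    return [data[:i] + bytes([(data[i] + 1) & 0xFF]) + data[i + 1:]
            for i in range(len(data))]

def bit_flipper(data, hex_mode=False, bits=range(8)):
    """One payload per (position, bit), with that bit XORed with 1.
    Literal mode: `data` is bytes and payloads are bytes.
    ASCII-hex mode: `data` is a hex string, each pair of hex digits is one byte,
    and payloads are hex strings again.
    `bits` selects which bits to flip: 0 is the least significant (0000000X),
    7 the most significant (X0000000)."""
    raw = bytes.fromhex(data) if hex_mode else bytes(data)
    out = []
    for i in range(len(raw)):
        for bit in bits:
            flipped = raw[:i] + bytes([raw[i] ^ (1 << bit)]) + raw[i + 1:]
            out.append(flipped.hex() if hex_mode else flipped)
    return out

def positions_that_matter(base, still_accepted):
    """Which byte positions of `base` affect processing: a position counts if any
    of its flipped variants is no longer accepted. `still_accepted` is a callable
    standing in for the application's response check (supplied by the caller)."""
    raw = bytes(base)
    payloads = bit_flipper(raw)
    per_position = [payloads[i * 8:(i + 1) * 8] for i in range(len(raw))]
    return [i for i, variants in enumerate(per_position)
            if not all(still_accepted(v) for v in variants)]

if __name__ == "__main__":
    print(character_frobber(b"ab"))                 # [b'bb', b'ac']
    print(bit_flipper(b"ab"))                       # 16 payloads, literal mode
    print(bit_flipper("ab", hex_mode=True))         # 8 payloads, ASCII-hex mode
    # constructed stand-in for a session check: only the first two bytes are validated
    print(positions_that_matter(b"abcd", lambda v: v[:2] == b"ab"))   # [0, 1]
```

`positions_that_matter` is the analysis the page describes for session tokens, expressed as code: a byte whose every flipped variant is still accepted is not being used to identify the session, which is a useful finding for whoever has to fix the token format.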
Username generator
This enables you to derive potential usernames from a list of names or email addresses, using various common schemes.
This payload type is useful if you are targeting a particular human user, and you do not know the username or email address scheme in use within an application.
For example, supplying the name "peter wiener" results in up to 115 possible usernames:
peterwiener peter.wiener wienerpeter wiener.peter peter wiener peterw peter.w wpeter w.peter pwiener p.wiener wienerp wiener.p ...
You can configure a maximum number of payloads to generate per item in the list.
ECB block shuffler
This enables you to shuffle blocks of ciphertext in ECB-encrypted data, to modify the decrypted cleartext and potentially interfere with application logic.
Because ECB ciphers encrypt each block of plaintext independently of others, identical blocks of plaintext encrypt into identical blocks of ciphertext (provided the same key is used), and vice versa. Hence, it is possible to shuffle blocks within a large piece of ciphertext with the effect of shuffling the corresponding blocks of decrypted plaintext. In some data (such as a structured session token with fields for username, user ID, role, and a timestamp) it may be possible to meaningfully alter the content of the decrypted data so as to interfere with application processing, and carry out unauthorized actions.
The following options are available:
- Encrypted data to shuffle - Select whether to operate on the base value of the payload position, or on another string.
- Format of original data - Select whether the generator should operate on the literal value of the original data, or should treat it as ASCII hex (see the Bit flipper payload type for more details).
- Block size - Set the size of the encrypted blocks in bytes. In most cases, the blocks are 8 or 16 bytes in size. If you are unsure, run the attack multiple times using each block size that might be in use.
- Additional encrypted strings - Supply a list of encrypted strings that use the same cipher and key, to provide additional blocks for shuffling into the encrypted data. Because successful attacks of this type often require a considerable degree of luck, in terms of finding a block with a suitable plaintext value that can be shuffled into the correct point in the structure, the odds of success are frequently improved by obtaining a large sample of strings that have been encrypted by the same application function. For example, if you are attacking a session token using this payload type, it would be beneficial to harvest a large number of other session tokens from the application, to provide additional blocks of ciphertext.
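The property this payload type relies on, identical plaintext blocks giving identical ciphertext blocks, is also the property that lets you detect ECB from the outside. The following is an added example, not Burp's code: `ecb_shuffle_payloads` produces the ciphertexts obtained by dropping one block from the token itself or from the additional encrypted strings into each block position, and `repeated_blocks` is the matching detection check, run here against two candidate block sizes as the option text recommends. The sample "ciphertext" is constructed, not output of any real cipher.

```python
# Added example (not Burp's code): models the ECB block shuffler and a repeated-block check.

def split_blocks(data, block_size):
    """Split bytes into fixed-size blocks; the length must be a whole number of blocks."""
    if block_size <= 0 or len(data) % block_size:
        raise ValueError("data length must be a multiple of the block size")
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]

def repeated_blocks(ciphertext, block_size):
    """Blocks that occur more than once. Under a secure mode this practically never
    happens, so a repeat is strong evidence of ECB (at this block size)."""
    blocks = split_blocks(ciphertext, block_size)
    return {b for b in blocks if blocks.count(b) > 1}

def ecb_shuffle_payloads(ciphertext, block_size, extra=()):
    """Every ciphertext obtained by replacing one block with a different block taken
    from the ciphertext itself or from the `extra` strings (same cipher and key).
    Payloads equal to the original or already generated are dropped."""
    blocks = split_blocks(ciphertext, block_size)
    pool = list(blocks)
    for s in extra:
        pool.extend(split_blocks(s, block_size))
    seen, out = {ciphertext}, []
    for i in range(len(blocks)):
        for candidate in pool:
            payload = b"".join(blocks[:i] + [candidate] + blocks[i + 1:])
            if payload not in seen:
                seen.add(payload)
                out.append(payload)
    return out

# Constructed sample: four 8-byte "blocks", the first and third identical.
SAMPLE_CT = bytes(range(8)) + b"\x10" * 8 + bytes(range(8)) + b"\x20" * 8

def block_size_candidates(ciphertext, sizes=(8, 16)):
    """Run the repeated-block check at each plausible size; the sizes that show a
    repeat are the ones worth attacking (or, for a defender, worth worrying about)."""
    return [bs for bs in sizes if len(ciphertext) % bs == 0 and repeated_blocks(ciphertext, bs)]

if __name__ == "__main__":
    print(block_size_candidates(SAMPLE_CT))                       # [8]
    print(len(ecb_shuffle_payloads(SAMPLE_CT, 8)))                # 8
    print(len(ecb_shuffle_payloads(SAMPLE_CT, 8, extra=(b"\x30" * 8,))))   # 12
```

For the defender the check is the interesting half: a token format in which `repeated_blocks` ever returns a non-empty set is malleable in exactly the way this payload type exploits, and the fix is an authenticated mode (or a MAC over the token) rather than a different block size.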
Extension-generated
This enables you to invoke a Burp extension to generate payloads.
Click Select generator ... to select an extension-provided payload generator from the list. The extension must be registered as an Intruder payload generator.
Copy other payload
This enables you to copy the value of the current payload to another payload position.
This payload type can be useful in various situations, for example:
- When two different parameters must always have the same value in order to hit a target code path (for example, fields for new and confirm passwords), and you want to use the cluster bomb attack type to manipulate other parameters at the same time.
- When one parameter value in the request contains a checksum of another parameter value, which is normally computed by a client-side script based on user input.
This payload type enables you to copy the literal value of the payload, but you can also systematically derive the current payload from the value of a payload at another position. To do this, define an appropriate payload processing rule.