PROFESSIONAL

Burp Intruder payload positions

  • Last updated: January 27, 2023

  • Read time: 2 Minutes

To determine where payloads are placed by Burp Intruder during an attack, you can specify payload positions in the request.

Payload positions field

You can set payload positions anywhere in the Payload positions field under Intruder > Positions. When you send a request to Intruder, this field is automatically populated with the request and target details. Intruder also inserts default payload positions to mark the values of request parameters, such as:

  • URL query string parameters.
  • Body parameters.
  • Cookies.
  • Multipart parameter attributes, such as the filename in file uploads.
  • XML data and element attributes.
  • JSON parameters.

Target field

Burp Intruder enables you to set payload positions in the target field. This specifies where Intruder attacks are sent, and includes:

  • Protocol - HTTP or HTTPS.
  • Host - IP address or hostname of the target server.
  • Port - port number of the HTTP/S service.

Automatic payload positions are not included in the target field.

By default, Update Host header to match target is selected. Any changes to the target are automatically mirrored in the host details in the base request. You can deselect this to amend the target only. This enables you to send an arbitrary Host header to a fixed target, for example to craft an HTTP host header attack.

Configuring payload positions

Each payload position is enclosed by a pair of payload markers §, and highlighted for ease of identification. To set and modify the payload positions, use the buttons beside the Payload positions field:

  • Insert a payload marker - click Add §.
  • Insert a pair of markers - select any text and click Add §. This inserts markers on either side of the selected text.
  • Remove all payload markers - click Clear §.

    • If you have selected some text, markers are removed from within the selected area only.
  • Apply default payload markers - click Auto § to insert the default payload positions.

    • To configure whether the default markers replace or append to any existing parameter values, go to the top-level Intruder menu and click Automatic payload positions.
    • If you have selected some text, default markers are placed within the selected area only. For example, if a multipart parameter value contains data in XML or JSON format, you can highlight the formatted data and click Auto § to position payloads within it.
  • Refresh syntax colorizing - click Refresh to return to the default colorizing.
  • Clear the request template - click Clear.

During the attack, both the payload markers and any enclosed text are replaced with the payload. If the payload position does not have an assigned payload, the enclosed text is unchanged but the markers are removed.

Note

You can also use Intruder's payload positions as insertion points for Burp Scanner. Configure your payload positions, then click on the top-level Intruder menu and select Scan defined insertion points.

For more information on Burp Scanner insertion points, see Auditing.

Was this article helpful?