PROFESSIONAL

Payload positions

  • Last updated: May 17, 2022

  • Read time: 3 Minutes

This tab is used to configure the target and request template for the attack, together with payload markers, and the attack type (which determines the way in which payloads are assigned to payload positions).

Target field

The Target field controls the protocol (HTTP or HTTPS), host (IP address or hostname of the target server), and port (port number of the HTTP/S service) that Intruder attacks will be sent to. You can set payload markers in the Target field, but note that Burp will not set payload markers here automatically.

The checkbox Update host header to match target controls whether Burp automatically updates the Host header in the request template if you make changes to the Target field. Disabling this option enables you to send an arbitrary Host header to a fixed target. This is useful in a number of contexts - including when crafting HTTP Host header attacks.

Request template

The main request editor is used to define the request template from which all attack requests will be derived. For each attack request, Burp takes the request template, and places one or more payloads into the positions defined by the payload markers.

Setting up the Target field and request template

The easiest way to set up the Target field and request template is to select the request you want to attack anywhere within Burp, and choose the Send to Intruder option on the context menu. This will send the selected request to a new tab in Intruder, and will automatically populate the request template and Target field.

Payload markers

Payload markers are placed using the § character, and function as follows:

  • Each pair of markers designates a single payload position.
  • A pair of markers may optionally enclose some text from the template request between them.
  • When a payload position is assigned a payload, both the markers and any enclosed text are replaced with the payload.
  • When a payload position does not have an assigned payload, the markers are removed but the enclosed text remains unchanged.

To make the configuration easier, Intruder automatically highlights each pair of payload markers and any enclosed text between them.

When you send a request to Intruder from elsewhere within Burp, Intruder makes a guess at where you are likely to want to place payloads, and sets payload markers accordingly. Note that payload markers will not be automatically set within the Target field. You can modify the default payload markers using the buttons next to the request template editor:

  • Add § - If no text is selected, this inserts a single payload marker at the cursor position. If you have selected some text, a pair of markers are inserted enclosing the selected text.
  • Clear § - This removes all position markers, either from the entire template or from the selected portion of the template.
  • Auto ยง - This makes a guess as to where it might be useful to position payloads and places payload markers accordingly. This is useful to quickly mark positions suitable for fuzzing, but manual positioning is required for more customized attacks. If you have selected some text, markers are placed within the selected text only; otherwise, they are placed throughout the whole request template. The automatic placement of markers places payloads into the value of various types of request parameter, including URL query string parameters, body parameters, cookies, multipart parameter attributes (e.g. the filename in file uploads), XML data and element attributes, and JSON parameters. Markers will not be added to the Target field. You can configure whether the automatic payload positions will replace or append to the existing parameter values, via an option on the Intruder menu. Note that if a sub-portion of the request, but not the whole message body, contains data formatted using XML or JSON, you can automatically position payloads within this structure by manually selecting the exact block of formatted data, and using the Auto button to position payloads within it. This is useful, for example, when a multipart parameter value contains data in XML or JSON format.
  • Refresh - This refreshes the syntax colorizing of the request template editor, if necessary.
  • Clear - This deletes the entire request template.

Note

You can also use Intruder's payload positions UI to configure custom insertion points for scans by Burp Scanner. To do this, configure the request template and payload markers in the usual way within Intruder, and then select Audit defined insertion points from the Intruder menu.