The payloads generated by the configured
payload type can be further
manipulated using various payload processing rules and
Payload Processing Rules
You can define rules to perform various processing tasks on each payload
before it is used. The defined rules are executed in sequence, and can be toggled on and off
to help debug any problems with the configuration. Payload processing rules are
useful in many kinds of situation where you need to generate unusual payloads,
or need to wrap payloads up within a wider structure or encoding scheme prior to
The following types of rule
- Add prefix - This adds a literal prefix before the payload.
- Add suffix - This adds a literal suffix after the payload.
- Match / replace - This replaces any parts of the payload
that match a specific regular expression, with a literal string.
- Substring - This extracts a sub-portion of the payloads,
starting from a specified offset (0-indexed) and up to a specified length.
- Reverse substring - This functions as for the substring
rule, but the end offset is specified counting backwards from the end of the
payload, and the length is counted backwards from the end offset.
- Modify case - This modifies the case of the payload, if
applicable. The same options are available as for the
modification payload type.
- Encode - This encodes the payload using various schemes:
URL, HTML, Base64, ASCII hex or constructed strings for various platforms.
- Decode - This decodes the payload using various schemes:
URL, HTML, Base64 or ASCII hex.
- Hash - This carries out a hashing operation on the payload.
- Add raw payload - This adds the raw payload value before or
after the current processed value. It can be useful, for example, if you need to
submit the same payload in both raw and hashed form.
- Skip if matches regex - This checks whether the current
processed value matches a specified regular expression, and if so, skips the
payload and moves onto the next one. This can be useful, for example, if you
know that a parameter value must have a minimum length and want to skip any
values in a list that are shorter than this length.
- Invoke Burp extension - This invokes a
Burp extension to process the payloads. The
extension must have registered an Intruder payload processor. You can select
the required processor from the list of available processors that have been
registered by currently loaded extensions.
You can configure which characters within the payload should be
URL-encoded for safe transmission within HTTP requests. Any configured
URL-encoding is applied last, after any payload processing
rules have executed.
It is recommended to use this setting for final URL-encoding, rather than
a payload processing rule, because the payload grep option
can be used to check responses for echoed payloads before the final URL-encoding
Thursday, July 16, 2015
This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags.
Burp Scanner now modifies XML in requests to inject a doctype tag that references a Burp Collaborator URL, and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
See all release notes ›