
Burp Suite, the leading toolkit for web application security testing

Payload Positions

This tab is used to configure the request template for the attack, together with payload markers, and the attack type (which determines the way in which payloads are assigned to payload positions).

Request Template

The main request editor is used to define the request template from which all attack requests will be derived. For each attack request, Burp takes the request template, and places one or more payloads into the positions defined by the payload markers.

The easiest way to set up the request template is to select the request you want to attack anywhere within Burp, and choose the "Send to Intruder" option on the context menu. This will send the selected request to a new tab in Intruder, and will automatically populate the Target and Positions tabs. 

Payload Markers

Payload markers are placed using the § character, and function as follows:

To make the configuration easier, Intruder automatically highlights each pair of payload markers and any enclosed text between them.

You can place payload markers manually or automatically. When you send a request to Intruder from elsewhere within Burp, Intruder makes a guess at where you are likely to want to place payloads, and sets payload markers accordingly. You can modify the default payload markers using the buttons next to the request template editor:

Note: You can also use Intruder's payload positions UI to configure custom insertion points for active scans by Burp Scanner. To do this, configure the request template and payload markers in the usual way within Intruder, and then select "Actively scan defined insertion points" from the Intruder menu.

Attack Type

Burp Intruder supports various attack types - these determine the way in which payloads are assigned to payload positions. The attack type can be selected using the drop-down above the request template editor. The following attack types are available:
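To make the relationship between the request template, the payload markers and the attack type concrete, here is an added example that is not part of the PortSwigger documentation and not Burp's own code. It parses a constructed request template containing § marker pairs, and assigns payloads to the marked positions in the way the four standard Intruder attack types do (sniper, battering ram, pitchfork and cluster bomb; these names are Burp's standard attack types, not listed on this page extract). The template, host name and payload values are constructed sample data.

```python
import itertools

MARKER = "\u00a7"  # the section sign (§) that Burp Intruder uses as a payload marker

# Constructed sample request template with two marked positions (not from the page).
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=\u00a7admin\u00a7&password=\u00a7secret\u00a7"
)


def parse_positions(template):
    """Split a template into literal chunks and the text enclosed by each marker pair.

    Returns (chunks, defaults): chunks are the literal pieces between positions and
    defaults are the original values between each pair of markers, so
    len(chunks) == len(defaults) + 1. Markers must come in pairs.
    """
    if template.count(MARKER) % 2:
        raise ValueError("unbalanced payload markers in request template")
    parts = template.split(MARKER)
    return parts[0::2], parts[1::2]


def build_request(chunks, values):
    """Interleave the literal chunks with one chosen value per payload position."""
    if len(values) != len(chunks) - 1:
        raise ValueError("one value is required per payload position")
    out = [chunks[0]]
    for value, chunk in zip(values, chunks[1:]):
        out.append(value)
        out.append(chunk)
    return "".join(out)


def assign_payloads(attack_type, defaults, payload_sets):
    """Yield one tuple of per-position values for each attack request.

    defaults are the original marked values, used by sniper for positions that are
    not currently receiving a payload. payload_sets is a list of payload lists.
    """
    n = len(defaults)
    if attack_type == "sniper":
        # one payload set; each position is targeted in turn while the others
        # keep their original text
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(defaults)
                values[i] = payload
                yield tuple(values)
    elif attack_type == "battering ram":
        # one payload set; the same payload is placed into every position at once
        for payload in payload_sets[0]:
            yield tuple([payload] * n)
    elif attack_type == "pitchfork":
        # one payload set per position, stepped through in parallel; stops when the
        # shortest set is exhausted
        for combo in zip(*payload_sets[:n]):
            yield combo
    elif attack_type == "cluster bomb":
        # one payload set per position; every combination is requested
        for combo in itertools.product(*payload_sets[:n]):
            yield combo
    else:
        raise ValueError("unknown attack type: %r" % attack_type)


def generate_requests(template, attack_type, payload_sets):
    """Return the full list of attack requests derived from the template."""
    chunks, defaults = parse_positions(template)
    return [build_request(chunks, values)
            for values in assign_payloads(attack_type, defaults, payload_sets)]


if __name__ == "__main__":
    sample_sets = [["a", "b"], ["x", "y", "z"]]  # constructed payload lists
    for kind in ("sniper", "battering ram", "pitchfork", "cluster bomb"):
        requests = generate_requests(TEMPLATE, kind, sample_sets)
        print("%-14s %d requests; first body: %s"
              % (kind, len(requests), requests[0].split("\r\n\r\n", 1)[1]))
```

With two positions and payload lists of length 2 and 3, the script produces 4 requests for sniper (2 positions times 2 payloads), 2 for battering ram, 2 for pitchfork (the shorter list bounds the run) and 6 for cluster bomb (2 times 3). The request count is worth estimating before launching an attack, since cluster bomb grows multiplicatively with every additional position.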


Friday, February 12, 2016

1.6.37

This release gives the Scanner the capability to report all instances where user input is returned in application responses, both reflected and stored. The information gathered is primarily of use to manual security testers. Some applications contain numerous instances of input retrieval, since it is very common for the entire URL to be reflected within responses. For these reasons, the new Scanner checks are off by default, but can be turned on in the Scanner options.


Copyright © 2016 PortSwigger Ltd. All rights reserved.