Unlock enhanced API scanning with Burp Suite Enterprise Edition  –  Learn more

ProfessionalCommunity Edition

Burp Intruder payload positions

  • Last updated: August 30, 2024

  • Read time: 2 Minutes

To determine where payloads are placed by Burp Intruder during an attack, you can specify payload positions in the request.

Payload positions field

You can set payload positions anywhere in the Payload positions field under Intruder > Positions. When you send a request to Intruder, this field is automatically populated with the request and target details:

  • URL query string parameters.
  • Body parameters.
  • Cookies.
  • Multipart parameter attributes, such as the filename in file uploads.
  • XML data and element attributes.
  • JSON parameters.

Target field

Burp Intruder enables you to set payload positions in the target field. This specifies where Intruder attacks are sent, and includes:

  • Protocol - HTTP or HTTPS.
  • Host - IP address or hostname of the target server.
  • Port - port number of the HTTP/S service.

By default, Update Host header to match target is selected. Any changes to the target are automatically mirrored in the host details in the base request. You can deselect this to amend the target only. This enables you to send an arbitrary Host header to a fixed target, for example to craft an HTTP host header attack.

Configuring payload positions

Each payload position is enclosed by a pair of payload markers §, and highlighted for ease of identification.

You can automatically set a single payload position when you send a request to Burp Intruder. Highlight the position value in a message editor anywhere in Burp, then right-click the message and select Send to Intruder.

To set multiple payload positions and modify the payload positions, use the buttons beside the Payload positions field in the Intruder > Positions tab:

  • Insert a single payload marker - click Add §.
  • Insert a pair of markers - select any text and click Add §. This inserts markers on either side of the selected text.
  • Remove all payload markers - click Clear §.

    • If you have selected some text, markers are removed from within the selected area only.
  • Apply automatic payload markers - click Auto §. Burp inserts automatic payload positions. You can configure whether these replace or append to the base parameter value in the Settings dialog.

    • If you have selected some text, automatic markers are placed within the selected area only. For example, if a multipart parameter value contains data in XML or JSON format, you can highlight the formatted data and click Auto § to position payloads within it.
  • Refresh syntax colorizing - click Refresh to return to the default colorizing.
  • Clear the request template - click Clear.

During the attack, both the payload markers and any enclosed text are replaced with the payload. If the payload position does not have an assigned payload, the enclosed text is unchanged but the markers are removed.

Note

You can also use Intruder's payload positions as insertion points for Burp Scanner. Configure your payload positions, then click on the top-level Intruder menu and select Scan defined insertion points.

For more information on Burp Scanner insertion points, see Auditing.

Was this article helpful?