# Payloads

Payloads are the test strings injected into insertion points during active scanning. Each profile can define multiple payloads, and each payload is tested independently against every matching insertion point.

## 📝 Payload Format

Payloads are stored as an array of strings. Each entry has the format:

```
enabled,payload_value
```

* ✅ `true,` prefix — Payload is enabled and will be used during scanning
* ❌ `false,` prefix — Payload is disabled (preserved for later use, not sent during scans)

### 📚 Examples

```json
"Payloads": [
  "true,<script>alert(1)</script>",
  "true,\"><img src=x onerror=alert(1)>",
  "false,<svg onload=alert(1)>",
  "true,' OR '1'='1",
  "true,http://{REDIRECT_DOMAIN}"
]
```

## 🔧 Variables in Payloads

Payloads support dynamic variables that are replaced at runtime:

### 🌐 Global Variables (User-Configurable)

| Variable            | Default Value       | Description                                 |
| ------------------- | ------------------- | ------------------------------------------- |
| `{REDIRECT_DOMAIN}` | `bountysecurity.ai` | 🔄 Domain for redirect/SSRF testing         |
| `{ATTACKER_DOMAIN}` | `yourdomain.com`    | 🏴‍☠️ Attacker-controlled domain            |
| `{XXE_FILE}`        | `/etc/passwd`       | 📁 File path for XXE testing (Linux)        |
| `{XXE_GREP}`        | `root:x`            | 🔍 Expected content for XXE match (Linux)   |
| `{XXE_WIN_FILE}`    | `c:/boot.ini`       | 📁 File path for XXE testing (Windows)      |
| `{XXE_WIN_GREP}`    | `boot loader`       | 🔍 Expected content for XXE match (Windows) |
| `{RCE_FILE}`        | `/etc/passwd`       | 📁 File path for RCE testing                |
| `{RCE_COMMAND}`     | `id`                | ⚡ Command for RCE testing                   |

### 📡 Context Variables (Auto-Populated)

| Variable                          | Description                             |
| --------------------------------- | --------------------------------------- |
| `{CURRENT_HOST}`                  | 🖥️ Target hostname                     |
| `{CURRENT_PROTOCOL}`              | 🔒 `http` or `https`                    |
| `{CURRENT_PORT}`                  | 🔢 Target port number                   |
| `{CURRENT_URL}`                   | 🔗 Full request URL                     |
| `{CURRENT_PATH}`                  | 📂 URL path component                   |
| `{CURRENT_QUERY}`                 | ❓ Query string                          |
| `{CURRENT_FILE}`                  | 📄 File component of URL                |
| `{CURRENT_METHOD}`                | 📡 HTTP method (GET/POST)               |
| `{CURRENT_SUBDOMAIN}`             | 🌐 Extracted subdomain                  |
| `{CURRENT_INSERTION_POINT_VALUE}` | 📍 Current value of the insertion point |
| `{CURRENT_INSERTION_POINT_NAME}`  | 🏷️ Name of the insertion point         |
| `{CURRENT_USER_AGENT}`            | 🖥️ User-Agent header value             |
| `{CURRENT_COOKIES}`               | 🍪 Cookie header value                  |
| `{CURRENT_REFERER}`               | 🔗 Referer header value                 |
| `{CURRENT_ORIGIN}`                | 🌐 Origin header value                  |
| `{CURRENT_CONTENT_TYPE}`          | 📄 Content-Type header value            |
| `{CURRENT_ACCEPT}`                | ✅ Accept header value                   |
| `{CURRENT_ACCEPT_LANGUAGE}`       | 🌍 Accept-Language header value         |
| `{CURRENT_ACCEPT_ENCODING}`       | 📦 Accept-Encoding header value         |
| `{CURRENT_CONTENT_LENGTH}`        | 📏 Content-Length header value          |

### ⚡ Special Variables

| Variable               | Description                                                |
| ---------------------- | ---------------------------------------------------------- |
| `{BC}`                 | 🌐 Burp Collaborator domain (generates a unique subdomain) |
| `{RANDOM}`             | 🎲 Unique random identifier (ULID)                         |
| `{RANDOM_ALPHANUM_8}`  | 🔤 8-character random alphanumeric string                  |
| `{RANDOM_ALPHANUM_16}` | 🔤 16-character random alphanumeric string                 |

See [Global Variables](https://docs.bountysecurity.ai/variables/global-variables) for complete documentation.

## 📁 Loading Payloads from File

Instead of defining payloads inline, you can load them from an external text file:

1. Set the `payloadsFile` field to the file path
2. The file should contain one payload per line
3. ✅ File payloads are used **in addition to** any inline payloads

```json
{
  "payloadsFile": "/path/to/payloads.txt",
  "Payloads": []
}
```

## 📍 Payload Position

The `payloadPosition` field controls how the payload is placed relative to the original value:

| Value | Mode           | Behavior                                      |
| ----- | -------------- | --------------------------------------------- |
| 1     | 🔄 **Replace** | Replaces the original value entirely          |
| 2     | ➕ **Append**   | Appends the payload after the original value  |
| 3     | ⬅️ **Insert**  | Inserts the payload before the original value |

### 📝 Example

Original parameter: `name=John`

| Position   | Result               |
| ---------- | -------------------- |
| 🔄 Replace | `name=<payload>`     |
| ➕ Append   | `name=John<payload>` |
| ⬅️ Insert  | `name=<payload>John` |

## 🔐 Payload Encoding

Payloads can be transformed with encoding before injection. See [Payload Encoding](https://docs.bountysecurity.ai/profiles/payload-encoding).

## ⚙️ Payload Processing

The full payload processing pipeline:

1. 📥 **Load payloads** from inline list and/or file
2. ✅ **Filter** enabled payloads (prefix `true,`)
3. 🔐 **Apply encoders** (URL-encode, HTML-encode, Base64, Unicode)
4. 🔧 **Replace variables** (`{REDIRECT_DOMAIN}`, `{BC}`, `{CURRENT_HOST}`, etc.)
5. 💉 **Inject** into insertion point at configured position (replace/append/insert)
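The following Python script is an added illustration of the five steps above as one runnable pipeline; it also covers the `enabled,payload_value` format, the variable tables and the `payloadPosition` modes from earlier sections. It is not the extension's own code. Several details are assumptions not stated on this page: lines in `payloadsFile` are taken to use the same `enabled,value` format as inline entries; the profile key holding the encoder list is a hypothetical `encoders`; encoders are applied only to the literal text around `{VAR}` tokens so that step 3 can run before step 4 without mangling the tokens; and `{BC}` and `{RANDOM}` are expected in the caller-supplied context, since Collaborator and ULID generation are outside the example.

```python
"""Toy reimplementation of the payload pipeline on this page (added example,
not the extension's code). Assumed: payloadsFile lines use "enabled,value";
the encoder list lives under a hypothetical "encoders" key; encoders touch
only literal text around {VAR} tokens; {BC}/{RANDOM} come from the context."""
import html
import re
import secrets
import string
from urllib.parse import quote

# One {VARIABLE} token; the capturing group keeps tokens in re.split() output.
VAR_TOKEN = re.compile(r"(\{[A-Z][A-Z0-9_]*\})")

# Defaults copied from the "Global Variables" table on this page.
GLOBAL_DEFAULTS = {
    "REDIRECT_DOMAIN": "bountysecurity.ai",
    "ATTACKER_DOMAIN": "yourdomain.com",
    "XXE_FILE": "/etc/passwd",
    "XXE_GREP": "root:x",
    "XXE_WIN_FILE": "c:/boot.ini",
    "XXE_WIN_GREP": "boot loader",
    "RCE_FILE": "/etc/passwd",
    "RCE_COMMAND": "id",
}

# Two of the encoders named in step 3 (Base64 and Unicode omitted for brevity).
ENCODERS = {
    "url": lambda s: quote(s, safe=""),
    "html": lambda s: html.escape(s, quote=True),
}


def parse_entry(entry):
    """Split 'enabled,payload_value' into (enabled, value).
    Only the first comma separates; the payload itself may contain commas."""
    flag, sep, value = entry.partition(",")
    if not sep or flag not in ("true", "false"):
        raise ValueError(f"malformed payload entry: {entry!r}")
    return flag == "true", value


def load_payloads(profile, file_lines=()):
    """Step 1: inline 'Payloads' list plus the lines of payloadsFile, if set."""
    entries = list(profile.get("Payloads", []))
    if profile.get("payloadsFile"):
        entries.extend(line.rstrip("\r\n") for line in file_lines if line.strip())
    return entries


def enabled_payloads(entries):
    """Step 2: keep the value of every entry whose prefix is 'true,'."""
    return [value for enabled, value in map(parse_entry, entries) if enabled]


def encode_literals(payload, encoder_names):
    """Step 3: apply encoders, in order, to the text between {VAR} tokens."""
    pieces = VAR_TOKEN.split(payload)          # even indices hold literal text
    for i in range(0, len(pieces), 2):
        for name in encoder_names:
            pieces[i] = ENCODERS[name](pieces[i])
    return "".join(pieces)


def resolve_variables(payload, context):
    """Step 4: replace {VAR} tokens; unknown tokens are left untouched."""
    values = {**GLOBAL_DEFAULTS, **context}

    def substitute(match):
        name = match.group(0)[1:-1]
        if name in values:
            return values[name]
        alnum = re.fullmatch(r"RANDOM_ALPHANUM_(\d+)", name)   # {RANDOM_ALPHANUM_8}
        if alnum:
            alphabet = string.ascii_letters + string.digits
            return "".join(secrets.choice(alphabet) for _ in range(int(alnum.group(1))))
        return match.group(0)

    return VAR_TOKEN.sub(substitute, payload)


def inject(original, payload, position):
    """Step 5: payloadPosition 1 = replace, 2 = append, 3 = insert before."""
    if position == 1:
        return payload
    if position == 2:
        return original + payload
    if position == 3:
        return payload + original
    raise ValueError(f"unknown payloadPosition: {position!r}")


def build_values(profile, context, original_value, file_lines=()):
    """Run all five steps; return the value sent for each enabled payload."""
    ctx = {"CURRENT_INSERTION_POINT_VALUE": original_value, **context}
    out = []
    for payload in enabled_payloads(load_payloads(profile, file_lines)):
        payload = encode_literals(payload, profile.get("encoders", []))
        payload = resolve_variables(payload, ctx)
        out.append(inject(original_value, payload, profile.get("payloadPosition", 1)))
    return out


if __name__ == "__main__":
    # Constructed profile mirroring the JSON example on this page; the file
    # content is constructed inline instead of being read from disk.
    profile = {"Payloads": ["true,<script>alert(1)</script>",
                            "false,<svg onload=alert(1)>",
                            "true,http://{REDIRECT_DOMAIN}/{RANDOM_ALPHANUM_8}"],
               "payloadsFile": "/path/to/payloads.txt",
               "payloadPosition": 2, "encoders": ["html"]}
    constructed_file = ["true,{CURRENT_INSERTION_POINT_VALUE}{RANDOM_ALPHANUM_8}\n"]
    for v in build_values(profile, {"CURRENT_HOST": "example.test"}, "John", constructed_file):
        print(v)
```

Running it on the original value `John` with `payloadPosition` 2 yields the HTML-encoded script tag appended to `John`, the disabled `<svg>` entry skipped, the redirect URL with the default `bountysecurity.ai` domain and an 8-character suffix, and the file payload expanded to `JohnJohn` plus a random suffix. The design choice worth noting is in step 3: because the page orders encoding before variable replacement, an encoder that rewrote `{` and `}` (URL encoding, for instance) would break every token, so this toy encodes only the literal segments between tokens.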

## 💡 Tips

* 🔧 **Use variables** instead of hardcoded values — this makes profiles reusable across different targets
* ❌ **Disable unused payloads** with `false,` prefix instead of deleting them
* 📂 **Group related payloads** — Create separate profiles for different payload categories (e.g., XSS reflected vs stored)
* 📍 **Use `{CURRENT_INSERTION_POINT_VALUE}`** to preserve the original value when appending test strings (e.g., parameter pollution)
* 🌐 **Use `{BC}`** for out-of-band detection when the vulnerability can't be confirmed from the HTTP response alone
