# Payloads

Payloads are the test strings injected into insertion points during active scanning. Each profile can define multiple payloads, and each payload is tested independently against every matching insertion point.

## 📝 Payload Format

Payloads are stored as an array of strings. Each entry has the format:

```
enabled,payload_value
```

* ✅ `true,` prefix — Payload is enabled and will be used during scanning
* ❌ `false,` prefix — Payload is disabled (preserved for later use, not sent during scans)

### 📚 Examples

```json
"Payloads": [
  "true,<script>alert(1)</script>",
  "true,\"><img src=x onerror=alert(1)>",
  "false,<svg onload=alert(1)>",
  "true,' OR '1'='1",
  "true,http://{REDIRECT_DOMAIN}"
]
```

## 🔧 Variables in Payloads

Payloads support dynamic variables that are replaced at runtime:

### 🌐 Global Variables (User-Configurable)

| Variable            | Default Value       | Description                                 |
| ------------------- | ------------------- | ------------------------------------------- |
| `{REDIRECT_DOMAIN}` | `bountysecurity.ai` | 🔄 Domain for redirect/SSRF testing         |
| `{ATTACKER_DOMAIN}` | `yourdomain.com`    | 🏴‍☠️ Attacker-controlled domain            |
| `{XXE_FILE}`        | `/etc/passwd`       | 📁 File path for XXE testing (Linux)        |
| `{XXE_GREP}`        | `root:x`            | 🔍 Expected content for XXE match (Linux)   |
| `{XXE_WIN_FILE}`    | `c:/boot.ini`       | 📁 File path for XXE testing (Windows)      |
| `{XXE_WIN_GREP}`    | `boot loader`       | 🔍 Expected content for XXE match (Windows) |
| `{RCE_FILE}`        | `/etc/passwd`       | 📁 File path for RCE testing                |
| `{RCE_COMMAND}`     | `id`                | ⚡ Command for RCE testing                   |

### 📡 Context Variables (Auto-Populated)

| Variable                          | Description                             |
| --------------------------------- | --------------------------------------- |
| `{CURRENT_HOST}`                  | 🖥️ Target hostname                     |
| `{CURRENT_PROTOCOL}`              | 🔒 `http` or `https`                    |
| `{CURRENT_PORT}`                  | 🔢 Target port number                   |
| `{CURRENT_URL}`                   | 🔗 Full request URL                     |
| `{CURRENT_PATH}`                  | 📂 URL path component                   |
| `{CURRENT_QUERY}`                 | ❓ Query string                          |
| `{CURRENT_FILE}`                  | 📄 File component of URL                |
| `{CURRENT_METHOD}`                | 📡 HTTP method (GET/POST)               |
| `{CURRENT_SUBDOMAIN}`             | 🌐 Extracted subdomain                  |
| `{CURRENT_INSERTION_POINT_VALUE}` | 📍 Current value of the insertion point |
| `{CURRENT_INSERTION_POINT_NAME}`  | 🏷️ Name of the insertion point         |
| `{CURRENT_USER_AGENT}`            | 🖥️ User-Agent header value             |
| `{CURRENT_COOKIES}`               | 🍪 Cookie header value                  |
| `{CURRENT_REFERER}`               | 🔗 Referer header value                 |
| `{CURRENT_ORIGIN}`                | 🌐 Origin header value                  |
| `{CURRENT_CONTENT_TYPE}`          | 📄 Content-Type header value            |
| `{CURRENT_ACCEPT}`                | ✅ Accept header value                   |
| `{CURRENT_ACCEPT_LANGUAGE}`       | 🌍 Accept-Language header value         |
| `{CURRENT_ACCEPT_ENCODING}`       | 📦 Accept-Encoding header value         |
| `{CURRENT_CONTENT_LENGTH}`        | 📏 Content-Length header value          |

### ⚡ Special Variables

| Variable               | Description                                                |
| ---------------------- | ---------------------------------------------------------- |
| `{BC}`                 | 🌐 Burp Collaborator domain (generates a unique subdomain) |
| `{RANDOM}`             | 🎲 Unique random identifier (ULID)                         |
| `{RANDOM_ALPHANUM_8}`  | 🔤 8-character random alphanumeric string                  |
| `{RANDOM_ALPHANUM_16}` | 🔤 16-character random alphanumeric string                 |

See [Global Variables](/variables/global-variables.md) for complete documentation.

## 📁 Loading Payloads from File

Instead of defining payloads inline, you can load them from an external text file:

1. Set the `payloadsFile` field to the file path
2. The file should contain one payload per line
3. ✅ File payloads are used **in addition to** any inline payloads

```json
{
  "payloadsFile": "/path/to/payloads.txt",
  "Payloads": []
}
```
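The following is an added example (not the extension's own code) that models both the `enabled,payload_value` entry format and the additive `payloadsFile` merge. It splits each entry on the first comma only, since many payloads contain commas themselves, and rejects entries with no recognised prefix rather than guessing. Treating a file line as a raw, enabled payload unless it carries its own `true,`/`false,` prefix, skipping blank lines, and the stubbed file contents are assumptions for illustration.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, List, Optional

# Example code added to this page; it is not the extension's own implementation.
# It models the "enabled,payload_value" entry format and the additive
# payloadsFile merge described above. Treating a file line as a raw, enabled
# payload unless it carries its own true,/false, prefix is an assumption.

ENABLED_PREFIX = "true,"
DISABLED_PREFIX = "false,"


@dataclass(frozen=True)
class Payload:
    enabled: bool
    value: str


def parse_entry(entry: str) -> Payload:
    """Parse one inline entry, splitting on the FIRST comma only.

    Payloads often contain commas themselves (alert(1,2), a=1,b=2), so a
    naive split(",") would silently truncate them.
    """
    if entry.startswith(ENABLED_PREFIX):
        return Payload(True, entry[len(ENABLED_PREFIX):])
    if entry.startswith(DISABLED_PREFIX):
        return Payload(False, entry[len(DISABLED_PREFIX):])
    # Refuse rather than guess: a typo like "ture,<script>" must not quietly
    # drop a payload from the scan.
    raise ValueError(f"entry lacks a true,/false, prefix: {entry!r}")


def parse_file_line(line: str) -> Optional[Payload]:
    """One payload per line; blank lines are skipped (assumption)."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    if line.startswith((ENABLED_PREFIX, DISABLED_PREFIX)):
        return parse_entry(line)
    return Payload(True, line)


def load_payloads(profile: dict,
                  read_file: Optional[Callable[[str], str]] = None) -> List[Payload]:
    """Inline "Payloads" first, then every entry from "payloadsFile" (additive)."""
    payloads = [parse_entry(e) for e in profile.get("Payloads", [])]
    path = profile.get("payloadsFile")
    if path:
        read = read_file or (lambda p: Path(p).read_text(encoding="utf-8"))
        for line in read(path).splitlines(keepends=True):
            parsed = parse_file_line(line)
            if parsed is not None:
                payloads.append(parsed)
    return payloads


def enabled_values(payloads: List[Payload]) -> List[str]:
    """The subset that will actually be sent during a scan."""
    return [p.value for p in payloads if p.enabled]


# Constructed sample profile (the inline list mirrors the Examples section above);
# the file path is hypothetical and its contents are stubbed so this runs offline.
SAMPLE_PROFILE = {
    "payloadsFile": "/path/to/payloads.txt",
    "Payloads": [
        "true,<script>alert(1)</script>",
        "true,\"><img src=x onerror=alert(1)>",
        "false,<svg onload=alert(1)>",
        "true,' OR '1'='1",
        "true,http://{REDIRECT_DOMAIN}",
    ],
}
SAMPLE_FILE_CONTENT = "javascript:alert(1)\n\nfalse,<a href=x>x</a>\n"


def demo() -> List[str]:
    """Merge inline + file payloads and return only the enabled values."""
    payloads = load_payloads(SAMPLE_PROFILE, read_file=lambda _path: SAMPLE_FILE_CONTENT)
    return enabled_values(payloads)


if __name__ == "__main__":
    for value in demo():
        print(value)
```

Running `demo()` yields the four enabled inline payloads followed by the one enabled file payload; the disabled `<svg>` and `<a>` entries are kept in the parsed list but never sent.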

## 📍 Payload Position

The `payloadPosition` field controls how the payload is placed relative to the original value:

| Value | Mode           | Behavior                                      |
| ----- | -------------- | --------------------------------------------- |
| 1     | 🔄 **Replace** | Replaces the original value entirely          |
| 2     | ➕ **Append**   | Appends the payload after the original value  |
| 3     | ⬅️ **Insert**  | Inserts the payload before the original value |

### 📝 Example

Original parameter: `name=John`

| Position   | Result               |
| ---------- | -------------------- |
| 🔄 Replace | `name=<payload>`     |
| ➕ Append   | `name=John<payload>` |
| ⬅️ Insert  | `name=<payload>John` |

## 🔐 Payload Encoding

Payloads can be transformed with encoding before injection. See [Payload Encoding](/profiles/payload-encoding.md).

## ⚙️ Payload Processing

The full payload processing pipeline:

1. 📥 **Load payloads** from inline list and/or file
2. ✅ **Filter** enabled payloads (prefix `true,`)
3. 🔐 **Apply encoders** (URL-encode, HTML-encode, Base64, Unicode)
4. 🔧 **Replace variables** (`{REDIRECT_DOMAIN}`, `{BC}`, `{CURRENT_HOST}`, etc.)
5. 💉 **Inject** into insertion point at configured position (replace/append/insert)
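As an added example (not the extension's own implementation), the pipeline above end to end in Python, in the order listed: filter enabled entries, apply an encoder, substitute global, context and special variables, then place the result at the configured `payloadPosition`. It also derives the `{CURRENT_*}` context from a constructed request. The encoder names, the exact escape form used for "Unicode", the ULID and Collaborator stand-ins, the subdomain heuristic and the sample request are all assumptions for illustration.

```python
import base64
import html
import re
import secrets
import string
import time
from urllib.parse import quote, urlsplit

# Example code added to this page; it is not the extension's own implementation.
# It follows the pipeline order listed above (filter, encode, substitute
# variables, place). Encoder names, the context helper, the ULID and
# Collaborator stand-ins and the subdomain heuristic are assumptions.

REPLACE, APPEND, INSERT = 1, 2, 3  # payloadPosition values

GLOBAL_DEFAULTS = {
    "REDIRECT_DOMAIN": "bountysecurity.ai", "ATTACKER_DOMAIN": "yourdomain.com",
    "XXE_FILE": "/etc/passwd", "XXE_GREP": "root:x",
    "XXE_WIN_FILE": "c:/boot.ini", "XXE_WIN_GREP": "boot loader",
    "RCE_FILE": "/etc/passwd", "RCE_COMMAND": "id",
}

ENCODERS = {
    "none": lambda s: s,
    "url": lambda s: quote(s, safe=""),
    "html": lambda s: html.escape(s, quote=True),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    # \uXXXX for every non-alphanumeric character (assumed form of "Unicode").
    "unicode": lambda s: "".join(c if c.isalnum() else f"\\u{ord(c):04x}" for c in s),
}

CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
ALNUM = string.ascii_letters + string.digits


def ulid() -> str:
    """26-char ULID: 48-bit millisecond timestamp + 80 random bits, Crockford base32."""
    n = (int(time.time() * 1000) << 80) | secrets.randbits(80)
    return "".join(CROCKFORD[(n >> (5 * i)) & 31] for i in range(25, -1, -1))


def request_context(url: str, method: str, headers: dict,
                    point_name: str, point_value: str) -> dict:
    """Auto-populated {CURRENT_*} variables derived from the request being scanned."""
    u = urlsplit(url)
    host = u.hostname or ""
    return {
        "CURRENT_HOST": host,
        "CURRENT_PROTOCOL": u.scheme,
        "CURRENT_PORT": str(u.port or (443 if u.scheme == "https" else 80)),
        "CURRENT_URL": url,
        "CURRENT_PATH": u.path,
        "CURRENT_QUERY": u.query,
        "CURRENT_FILE": u.path.rsplit("/", 1)[-1],
        "CURRENT_METHOD": method,
        # Heuristic: labels left of the last two (no public-suffix list).
        "CURRENT_SUBDOMAIN": ".".join(host.split(".")[:-2]),
        "CURRENT_INSERTION_POINT_NAME": point_name,
        "CURRENT_INSERTION_POINT_VALUE": point_value,
        "CURRENT_USER_AGENT": headers.get("User-Agent", ""),
        "CURRENT_COOKIES": headers.get("Cookie", ""),
    }


def substitute(payload: str, ctx: dict, collaborator: str = "oastify.example") -> str:
    """Resolve {VAR} tokens; unknown tokens are left untouched so JS braces survive."""
    def resolve(m: re.Match) -> str:
        name = m.group(1)
        if name == "BC":  # fresh subdomain per occurrence, as the page describes
            return f"{secrets.token_hex(6)}.{collaborator}"
        if name == "RANDOM":
            return ulid()
        alnum = re.fullmatch(r"RANDOM_ALPHANUM_(\d+)", name)
        if alnum:
            return "".join(secrets.choice(ALNUM) for _ in range(int(alnum.group(1))))
        return ctx.get(name, GLOBAL_DEFAULTS.get(name, m.group(0)))
    return re.sub(r"\{([A-Z0-9_]+)\}", resolve, payload)


def place(payload: str, original: str, position: int) -> str:
    """Apply payloadPosition 1/2/3 relative to the insertion point's original value."""
    return {REPLACE: payload, APPEND: original + payload, INSERT: payload + original}[position]


def build_injections(entries: list, ctx: dict, encoder: str = "none",
                     position: int = REPLACE) -> list:
    """Run the full pipeline over a profile's Payloads list; returns the final values."""
    out = []
    for entry in entries:
        enabled, _, value = entry.partition(",")  # split on the first comma only
        if enabled != "true":
            continue
        resolved = substitute(ENCODERS[encoder](value), ctx)
        out.append(place(resolved, ctx["CURRENT_INSERTION_POINT_VALUE"], position))
    return out


# Constructed sample request and profile entries so the example runs stand-alone.
SAMPLE_CTX = request_context(
    "https://shop.example.com:8443/cart/checkout.php?id=7", "GET",
    {"User-Agent": "Mozilla/5.0", "Cookie": "session=abc"}, "id", "7",
)
SAMPLE_ENTRIES = [
    "true,<script>alert(1)</script>",
    "false,<svg onload=alert(1)>",
    "true,http://{REDIRECT_DOMAIN}/{CURRENT_HOST}",
    "true,{CURRENT_INSERTION_POINT_VALUE}&id={RANDOM_ALPHANUM_8}",
]

if __name__ == "__main__":
    for value in build_injections(SAMPLE_ENTRIES, SAMPLE_CTX, position=APPEND):
        print(value)
```

One consequence of the listed order is worth checking before relying on it: because encoders run before variable substitution, an encoder that rewrites `{` and `}` (URL encoding turns `{REDIRECT_DOMAIN}` into `%7BREDIRECT_DOMAIN%7D`) leaves nothing for the variable step to match, while HTML or Base64 encoding of a payload that contains no braces is unaffected. If you need variables inside URL-encoded payloads, confirm which order the extension actually applies, or keep the variable outside the encoded part.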

## 💡 Tips

* 🔧 **Use variables** instead of hardcoded values — this makes profiles reusable across different targets
* ❌ **Disable unused payloads** with `false,` prefix instead of deleting them
* 📂 **Group related payloads** — Create separate profiles for different payload categories (e.g., XSS reflected vs stored)
* 📍 **Use `{CURRENT_INSERTION_POINT_VALUE}`** to preserve the original value when appending test strings (e.g., parameter pollution)
* 🌐 **Use `{BC}`** for out-of-band detection when the vulnerability can't be confirmed from the HTTP response alone


