💉Payloads

Payloads are the test strings injected into insertion points during active scanning. Each profile can define multiple payloads, and each payload is tested independently against every matching insertion point.

📝 Payload Format

Payloads are stored as an array of strings. Each entry has the format:

enabled,payload_value

✅ true, prefix — Payload is enabled and will be used during scanning
❌ false, prefix — Payload is disabled (preserved for later use, not sent during scans)

📚 Examples

"Payloads": [
  "true,<script>alert(1)</script>",
  "true,\"><img src=x onerror=alert(1)>",
  "false,<svg onload=alert(1)>",
  "true,' OR '1'='1",
  "true,http://{REDIRECT_DOMAIN}"
]

🔧 Variables in Payloads

Payloads support dynamic variables that are replaced at runtime:

🌐 Global Variables (User-Configurable)

Variable

Default Value

Description

{REDIRECT_DOMAIN}

bountysecurity.ai

🔄 Domain for redirect/SSRF testing

{ATTACKER_DOMAIN}

yourdomain.com

🏴‍☠️ Attacker-controlled domain

{XXE_FILE}

/etc/passwd

📁 File path for XXE testing (Linux)

{XXE_GREP}

root:x

🔍 Expected content for XXE match (Linux)

{XXE_WIN_FILE}

c:/boot.ini

📁 File path for XXE testing (Windows)

{XXE_WIN_GREP}

boot loader

🔍 Expected content for XXE match (Windows)

{RCE_FILE}

/etc/passwd

📁 File path for RCE testing

{RCE_COMMAND}

id

⚡ Command for RCE testing

📡 Context Variables (Auto-Populated)

Variable

Description

{CURRENT_HOST}

🖥️ Target hostname

{CURRENT_PROTOCOL}

🔒 http or https

{CURRENT_PORT}

🔢 Target port number

{CURRENT_URL}

🔗 Full request URL

{CURRENT_PATH}

📂 URL path component

{CURRENT_QUERY}

❓ Query string

{CURRENT_FILE}

📄 File component of URL

{CURRENT_METHOD}

📡 HTTP method (GET/POST)

{CURRENT_SUBDOMAIN}

🌐 Extracted subdomain

{CURRENT_INSERTION_POINT_VALUE}

📍 Current value of the insertion point

{CURRENT_INSERTION_POINT_NAME}

🏷️ Name of the insertion point

{CURRENT_USER_AGENT}

🖥️ User-Agent header value

{CURRENT_COOKIES}

🍪 Cookie header value

{CURRENT_REFERER}

🔗 Referer header value

{CURRENT_ORIGIN}

🌐 Origin header value

{CURRENT_CONTENT_TYPE}

📄 Content-Type header value

{CURRENT_ACCEPT}

✅ Accept header value

{CURRENT_ACCEPT_LANGUAGE}

🌍 Accept-Language header value

{CURRENT_ACCEPT_ENCODING}

📦 Accept-Encoding header value

{CURRENT_CONTENT_LENGTH}

📏 Content-Length header value

⚡ Special Variables

Variable

Description

{BC}

🌐 Burp Collaborator domain (generates a unique subdomain)

{RANDOM}

🎲 Unique random identifier (ULID)

{RANDOM_ALPHANUM_8}

🔤 8-character random alphanumeric string

{RANDOM_ALPHANUM_16}

🔤 16-character random alphanumeric string

See Global Variables for complete documentation.

📁 Loading Payloads from File

Instead of defining payloads inline, you can load them from an external text file:

Set the payloadsFile field to the file path
The file should contain one payload per line
✅ File payloads are used in addition to any inline payloads

{
  "payloadsFile": "/path/to/payloads.txt",
  "Payloads": []
}

📍 Payload Position

The payloadPosition field controls how the payload is placed relative to the original value:

Value

Mode

Behavior

🔄 Replace

Replaces the original value entirely

➕ Append

Appends the payload after the original value

⬅️ Insert

Inserts the payload before the original value

📝 Example

Original parameter: name=John

Position

Result

🔄 Replace

name=<payload>

➕ Append

name=John<payload>

⬅️ Insert

name=<payload>John

🔐 Payload Encoding

Payloads can be transformed with encoding before injection. See Payload Encoding.

⚙️ Payload Processing

The full payload processing pipeline:

📥 Load payloads from inline list and/or file
✅ Filter enabled payloads (prefix true,)
🔐 Apply encoders (URL-encode, HTML-encode, Base64, Unicode)
🔧 Replace variables ({REDIRECT_DOMAIN}, {BC}, {CURRENT_HOST}, etc.)
💉 Inject into insertion point at configured position (replace/append/insert)

💡 Tips

🔧 Use variables instead of hardcoded values — this makes profiles reusable across different targets
❌ Disable unused payloads with false, prefix instead of deleting them
📂 Group related payloads — Create separate profiles for different payload categories (e.g., XSS reflected vs stored)
📍 Use {CURRENT_INSERTION_POINT_VALUE} to preserve the original value when appending test strings (e.g., parameter pollution)
🌐 Use {BC} for out-of-band detection when the vulnerability can't be confirmed from the HTTP response alone

PreviousMulti-Step Profiles NextInsertion Points

Last updated 2 days ago

hashtag📝 Payload Format

hashtag📚 Examples

hashtag🔧 Variables in Payloads

hashtag🌐 Global Variables (User-Configurable)

hashtag📡 Context Variables (Auto-Populated)

hashtag⚡ Special Variables

hashtag📁 Loading Payloads from File

hashtag📍 Payload Position

hashtag📝 Example

hashtag🔐 Payload Encoding

hashtag⚙️ Payload Processing

hashtag💡 Tips

📝 Payload Format

📚 Examples

🔧 Variables in Payloads

🌐 Global Variables (User-Configurable)

📡 Context Variables (Auto-Populated)

⚡ Special Variables

📁 Loading Payloads from File

📍 Payload Position

📝 Example

🔐 Payload Encoding

⚙️ Payload Processing

💡 Tips