Payloads are the test strings injected into insertion points during active scanning. Each profile can define multiple payloads, and each payload is tested independently against every matching insertion point.
## Payload Format

Payloads are stored as an array of strings. Each entry has the format:

```
enabled,payload_value
```

- `true,` prefix: Payload is enabled and will be used during scanning
- `false,` prefix: Payload is disabled (preserved for later use, not sent during scans)

## Examples

```json
"Payloads": [
  "true,<script>alert(1)</script>",
  "true,\"><img src=x onerror=alert(1)>",
  "false,<svg onload=alert(1)>",
  "true,' OR '1'='1",
  "true,http://{REDIRECT_DOMAIN}"
]
```
## Variables in Payloads

Payloads support dynamic variables that are replaced at runtime:

### Global Variables (User-Configurable)

| Variable | Default Value | Description |
|---|---|---|
| `{REDIRECT_DOMAIN}` | `bountysecurity.ai` | Domain for redirect/SSRF testing |
| `{ATTACKER_DOMAIN}` | `yourdomain.com` | Attacker-controlled domain |
| `{XXE_FILE}` | `/etc/passwd` | File path for XXE testing (Linux) |
| `{XXE_GREP}` | `root:x` | Expected content for XXE match (Linux) |
| `{XXE_WIN_FILE}` | `c:/boot.ini` | File path for XXE testing (Windows) |
| `{XXE_WIN_GREP}` | `boot loader` | Expected content for XXE match (Windows) |
| `{RCE_FILE}` | `/etc/passwd` | File path for RCE testing |
| `{RCE_COMMAND}` | `id` | Command for RCE testing |
### Context Variables (Auto-Populated)

| Variable | Description |
|---|---|
| `{CURRENT_HOST}` | Target hostname |
| `{CURRENT_PROTOCOL}` | `http` or `https` |
| `{CURRENT_PORT}` | Target port number |
| `{CURRENT_URL}` | Full request URL |
| `{CURRENT_PATH}` | URL path component |
| `{CURRENT_QUERY}` | Query string |
| `{CURRENT_FILE}` | File component of the URL |
| `{CURRENT_METHOD}` | HTTP method (GET/POST) |
| `{CURRENT_SUBDOMAIN}` | Extracted subdomain |
| `{CURRENT_INSERTION_POINT_VALUE}` | Current value of the insertion point |
| `{CURRENT_INSERTION_POINT_NAME}` | Name of the insertion point |
| `{CURRENT_USER_AGENT}` | User-Agent header value |
| `{CURRENT_COOKIES}` | Cookie header value |
| `{CURRENT_REFERER}` | Referer header value |
| `{CURRENT_ORIGIN}` | Origin header value |
| `{CURRENT_CONTENT_TYPE}` | Content-Type header value |
| `{CURRENT_ACCEPT}` | Accept header value |
| `{CURRENT_ACCEPT_LANGUAGE}` | Accept-Language header value |
| `{CURRENT_ACCEPT_ENCODING}` | Accept-Encoding header value |
| `{CURRENT_CONTENT_LENGTH}` | Content-Length header value |
### Special Variables

| Variable | Description |
|---|---|
| `{BC}` | Burp Collaborator domain (generates a unique subdomain) |
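The following is an added example, not the extension's own code, showing how the `enabled,payload_value` entries from the Payload Format section and the variable tables above fit together: it splits each entry on the first comma only (so payloads containing commas survive), derives a subset of the `{CURRENT_*}` context from a request URL, and expands placeholders. The port default, the subdomain rule, and the behaviour for unknown placeholders are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

GLOBAL_DEFAULTS = {  # defaults as listed in the Global Variables table
    "REDIRECT_DOMAIN": "bountysecurity.ai", "ATTACKER_DOMAIN": "yourdomain.com",
    "XXE_FILE": "/etc/passwd", "XXE_GREP": "root:x",
    "XXE_WIN_FILE": "c:/boot.ini", "XXE_WIN_GREP": "boot loader",
    "RCE_FILE": "/etc/passwd", "RCE_COMMAND": "id",
}

def parse_payload(entry):
    """Split on the FIRST comma only: the payload itself may contain commas."""
    flag, sep, value = entry.partition(",")
    flag = flag.strip().lower()
    if not sep or flag not in ("true", "false"):
        raise ValueError(f"malformed payload entry: {entry!r}")
    return flag == "true", value

def context_from_request(url, method):
    """Subset of {CURRENT_*}; port default and subdomain rule are assumptions."""
    p = urlsplit(url)
    host = p.hostname or ""
    labels = host.split(".")
    return {
        "CURRENT_HOST": host,
        "CURRENT_PROTOCOL": p.scheme,
        "CURRENT_PORT": str(p.port or (443 if p.scheme == "https" else 80)),
        "CURRENT_URL": url,
        "CURRENT_PATH": p.path,
        "CURRENT_FILE": p.path.rsplit("/", 1)[-1],
        "CURRENT_METHOD": method,
        "CURRENT_SUBDOMAIN": ".".join(labels[:-2]) if len(labels) > 2 else "",
    }

_VAR = re.compile(r"\{([A-Z_]+)\}")

def expand(payload, variables):
    """Replace each known {NAME}; unknown placeholders (a typo, or {BC} with no
    Collaborator client) are left intact so they are visible in the request."""
    return _VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), payload)

def enabled_payloads(entries, variables):
    """Expanded payload strings for the entries flagged 'true'."""
    result = []
    for entry in entries:
        enabled, value = parse_payload(entry)
        if enabled:
            result.append(expand(value, variables))
    return result
```

Merge `GLOBAL_DEFAULTS` with the request context (the context wins) before calling `enabled_payloads`, and treat a surviving `{...}` in the output as a profile error to fix rather than a payload to send.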