Burp Suite User Forum

Create new post

Why do my built in lists in Burp have {Base} in the payload and how do I use them?

Alex | Last updated: Nov 24, 2021 03:16PM UTC

So, in Intruder if I load certain built in payload lists (like the SQLi one), many of the requests have an entry like "{Base}' or 1=1--", however then the request is sent to the server like: GET /example.php?id=123{Base}' or 1=1--" which obviously fails. Is there a reason for why every payload has {Base} in it? If I recall Burp from a year ago or so it didn't have this {Base} text in every payload so this is a fairly recent addition.

Ben, PortSwigger Agent | Last updated: Nov 25, 2021 09:00AM UTC

Hi Alex, These are placeholders and you would need to set up a payload processing rule in Intruder to be able to process these. There are some specific details on how to do this in our documentation below (under the 'Predefined payload lists' section): https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/types

Jean-Sebastien | Last updated: Jun 16, 2023 01:06PM UTC

I think this would be a much better response to readers... https://portswigger.net/burp/documentation/desktop/tools/intruder/configure-attack/payload-lists

Dominyque, PortSwigger Agent | Last updated: Jun 16, 2023 01:17PM UTC

Hi Jean-Sebastien Thank you for adding that link!

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.