To determine where payloads are placed by Burp Intruder during an attack, you can specify payload positions in the request.
You can set payload positions anywhere in the Payload positions field under Intruder > Positions. When you send a request to Intruder, this field is automatically populated with the request and target details.
Burp Intruder enables you to set payload positions in the target field. This specifies where Intruder attacks are sent, and includes:
By default, Update Host header to match target is selected. Any changes to the target are automatically mirrored in the host details in the base request. You can deselect this to amend the target only. This enables you to send an arbitrary Host header to a fixed target, for example to craft an HTTP host header attack.
Each payload position is enclosed by a pair of payload markers §, and highlighted for ease of identification.
You can automatically set a single payload position when you send a request to Burp Intruder. Highlight the position value in a message editor anywhere in Burp, then right-click the message and select Send to Intruder.
To set multiple payload positions and modify them, use the buttons beside the Payload positions field in the Intruder > Positions tab:
Remove all payload markers - click Clear §.
Apply automatic payload markers - click Auto §. Burp inserts automatic payload positions. You can configure whether these replace or append to the base parameter value in the Settings dialog.
During the attack, both the payload markers and any enclosed text are replaced with the payload. If the payload position does not have an assigned payload, the enclosed text is unchanged but the markers are removed.
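The replacement rule above, shown as an added Python sketch (not Burp's own code). The request, the host name `shop.example`, and the function names `find_positions` and `render` are constructed for illustration.

```python
import re

MARKER = "\u00a7"  # the § payload marker character
# One payload position = a pair of markers plus the text they enclose.
POSITION_RE = re.compile(MARKER + r"(.*?)" + MARKER, re.DOTALL)

# Constructed base request with two marked positions.
BASE_REQUEST = (
    "GET /product?productId=§1§&view=§full§ HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "\r\n"
)


def _check_paired(template):
    # Rejecting an unpaired marker is a choice made by this sketch,
    # not a statement about how Burp handles one.
    if template.count(MARKER) % 2:
        raise ValueError("unpaired payload marker in template")


def find_positions(template):
    """Return (position_number, enclosed_text) for each position, in order."""
    _check_paired(template)
    return [(n, m.group(1))
            for n, m in enumerate(POSITION_RE.finditer(template), 1)]


def render(template, payloads):
    """Build one outgoing request from the marked-up template.

    payloads maps a 1-based position number to a payload string.
    Position with a payload: markers and enclosed text are replaced.
    Position without one: markers are removed, enclosed text is kept.
    """
    _check_paired(template)
    numbers = iter(range(1, template.count(MARKER) // 2 + 1))
    return POSITION_RE.sub(
        lambda m: payloads.get(next(numbers), m.group(1)), template)


if __name__ == "__main__":
    print(find_positions(BASE_REQUEST))
    # Only position 1 has a payload; position 2 keeps its base value.
    print(render(BASE_REQUEST, {1: "42"}))
```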
You can also use Intruder's payload positions as insertion points for Burp Scanner. Configure your payload positions, then click on the top-level Intruder menu and select Scan defined insertion points.
For more information on Burp Scanner insertion points, see Auditing.