⚡ Fully Automated, Quick, Handy - Intruder Payload Positioner so you don't have to!
Image generated using AI tools.
A Burp Suite extension built on the Montoya API that automatically detects and marks “interesting” insertion points throughout an HTTP request. Rather than manually highlighting each location (headers, parameters, JSON/XML/form bodies, etc.), this extension sets payload positions for you—so you can focus on testing vulnerabilities, not on placement.
Watch the demo!
2025-04-29.00-12-08.mp4
-
Automatic detection of insertion points
-
HTTP method (GET, POST, etc.)
-
Last path segment of the URL
-
URL query parameters
-
Form data parameters
-
Header values (Cookie, Authorization, and all other headers)
-
JSON bodies (keys, values, nested objects/arrays)
-
XML bodies (tag content, attributes)
-
Embedded formats and key=value pairs in text/plain or mixed bodies
-
-
Context-menu integration
-
Right-click on any request in Proxy, Target, Intruder, or Repeater
-
Select Set positions to auto-mark insertion points
-
-
Intruder-ready
-
Builds an HttpRequestTemplate with all detected ranges
-
Sends the request directly to Intruder with your custom positions
-
-
Robust range validation
-
Filters out invalid, overlapping, or out-of-bounds ranges
-
Ensures stable behavior even on complex requests
-
1. Downlaod from Releases: https://github.com/netsquare/Auto-Payload-Positioner/releases
2025-04-28.23-59-42.mp4
-
Load into Burp
-
Open Burp Suite → Extensions.
-
Click Add.
-
Choose Java as the extension type.
-
Select your downloaded JAR.
-
Confirm & ensure Simple Payload Positioner appears in the list.
-
Verify, In the Extender output tab, look for:
Simple Payload Positioner loaded successfully!
2025-04-29.00-12-08.mp4
-
Send or capture a request in Proxy, Repeater, Intruder, or Target.
-
Right-click anywhere on the request.
-
Select
Set positionsfrom the context menu. -
The extension will:
-
Scan the request for all “interesting” parts
-
Automatically highlight each range with Intruder markers (§)
-
Send the templated request to Intruder
-
-
Switch to Intruder, review the auto-populated payload positions, and launch your attack.
# Clone the repo
git clone https://github.com/yourusername/simple-payload-positioner.git
cd simple-payload-positioner
# (Maven)
mvn clean package
The built JAR will be in target/
Load that JAR in Burp as described above.To report bugs, issues, feature suggestion, Performance issue, general question, Documentation issue.
- Kindly open an issue with respective template.
This project is an extension for Burpsuite and leverages Montoya API
Auto-Payload-Positioner and all related projects inherits the Apache 2.0, see License
Disclaimer
The burpsuite extension Auto-Payload-Positioner and all related tools under this project are intended strictly for educational, research, and ethical security assessment purposes. They are provided "as-is" without any warranties, expressed or implied. Users are solely responsible for ensuring that their use of these tools complies with all applicable laws, regulations, and ethical guidelines.
By using Auto-Payload-Positioner, you agree to use them only in environments you are authorized to test, such as applications you own or have explicit permission to analyze. Any misuse of these tools for unauthorized reverse engineering, infringement of intellectual property rights, or malicious activity is strictly prohibited.
The developers of Auto-Payload-Positioner shall not be held liable for any damage, data loss, legal consequences, or other consequences resulting from the use or misuse of these tools. Users assume full responsibility for their actions and any impact caused by their usage.
Use responsibly. Respect intellectual property. Follow ethical hacking practices.
- Found it useful? Give it a ⭐️
- Got ideas? Open an issue or submit a PR
- Built something on top? DM me or mention me — I’ll add it to the README!
Built with ❤️ for all hackers!