Burp Suite shortcuts, Repeater techniques, Intruder attack types, scanner tips, Match & Replace rules, and essential BApp extensions. (32 payloads)
Ctrl+RCtrl+ICtrl+Shift+RCtrl+FCtrl+Shift+FCtrl+ZRight-click → Do intercept → Response to this requestCtrl+EnterCtrl+← / Ctrl+→Right-click → Change request methodRight-click → Paste URL as requestInspector panel → Request attributesSniperBattering RamPitchforkCluster BombRight-click request → ScanTarget → Site map → Right-click domain → ScanDashboard → New scan → Crawl and auditScan configuration → Audit checks → SQLi/XSS/Path traversalProxy → Match and replace → Add rule: Request header / User-Agent / Mozilla/5.0 → Googlebot/2.1Request header match: ^Authorization.*$ — replace with empty — bypass token validationResponse header match: X-Frame-Options → replace with emptyRequest body match: admin=false → replace: admin=trueTurbo IntruderAuthMatrixAutorizeParam MinerJWT EditorHackvertorLogger++HTTP Request SmugglerLevel up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 32 Burp Suite payloads for testing Burp Suite Cheatsheet vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the XSS Payload generator to build customized Burp Suite variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all Burp Suite payloads are completely free, with no account required. Everything runs in your browser.