Getting Started With Burp Sequencer
Burp Sequencer is a tool for analyzing the quality of randomness in an
application's session tokens and other important data items that are
intended to be unpredictable.
Note: Using Burp Sequencer may result in unexpected
effects in some applications. Until you are fully familiar with its
functionality and settings, you should only use Burp Sequencer against
To start getting to know Burp Sequencer, carry out the following steps:
- First, ensure that Burp is
installed and running,
that you have configured
your browser to work with Burp, and that you have browsed your
target application to populate your
- Find a response in the Proxy history that issues a session token or
other similar item, whether in a Set-Cookie header, in a form field, or
anywhere else. (You can sort on the Cookies column in the history, to
quickly find issued cookies.) Use the context menu to send the item to Burp Sequencer.
- Go to the Sequencer tab, and in the "Select Live Capture Request"
section, select the item that you have just sent.
- In the "Token Location Within Response" section, select the location
in the response where the token appears. If the token appears in a
custom location (i.e. not in a Set-Cookie header or a form field), then
select the "Custom location" option, and in the dialog, select the token
in the response, then click "OK".
- In the "Select Live Capture Request" section, click the "Start live
capture" button. This will cause Burp to issue the original request
repeatedly, and extract all of the tokens received in responses. The
live capture session opens a new window showing the progress of the
capture, and the number of tokens that have been obtained. When a few
hundred tokens have been obtained, pause the live capture session and
click the "Analyze now" button.
- When the analysis is complete, the tabs will show the results of the
randomness tests. These show an overall summary of the estimated amount
of entropy within the sample, together with detailed results for each
type of test that was performed. There is brief documentation for each
test within the results themselves.
- In some situations, you may have already obtained a suitable sample
of tokens. You can load this sample manually into Sequencer and perform
the same analysis. To do this, in the main Burp UI, go to the Sequencer
tab, and the Manual load sub-tab. You can paste your tokens from the
clipboard or load them from file, and use the "Analyze now" button to
start the analysis of the loaded sample.
Use the links below for further help on starting to use Burp Sequencer:
Wednesday, April 22, 2015
This release contains a number of minor enhancements and bugfixes, including:
- The Proxy now uses SHA256 to generate its CA and per-host certificates
- There is a new button at Proxy / Options / Proxy Listeners to force Burp to regenerate its CA certificate.
- A bug in the "Paste from file" function which caused Burp to sometimes retain a lock on the selected file has been fixed.
- A bug in the Intruder "extract grep" function, which sometimes caused extracted HTML content to be rendered as HTML in the results table, has been fixed.
See all release notes ›