
Getting Started With Burp Sequencer

Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable.

Note: Using Burp Sequencer may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Sequencer against non-production systems.

To start getting to know Burp Sequencer, carry out the following steps:

  1. First, ensure that Burp is installed and running, that you have configured your browser to work with Burp, and that you have browsed your target application to populate your Proxy history.
  2. Find a response in the Proxy history that issues a session token or other similar item, whether in a Set-Cookie header, in a form field, or anywhere else. (You can sort on the Cookies column in the history, to quickly find issued cookies.) Use the context menu to send the item to Burp Sequencer.
  3. Go to the Sequencer tab, and in the "Select Live Capture Request" section, select the item that you have just sent.
  4. In the "Token Location Within Response" section, select the location in the response where the token appears. If the token appears in a custom location (i.e. not in a Set-Cookie header or a form field), then select the "Custom location" option, and in the dialog, select the token in the response, then click "OK".
  5. In the "Select Live Capture Request" section, click the "Start live capture" button. This will cause Burp to issue the original request repeatedly, and extract all of the tokens received in responses. The live capture session opens a new window showing the progress of the capture, and the number of tokens that have been obtained. When a few hundred tokens have been obtained, pause the live capture session and click the "Analyze now" button.
  6. When the analysis is complete, the tabs will show the results of the randomness tests. These show an overall summary of the estimated amount of entropy within the sample, together with detailed results for each type of test that was performed. There is brief documentation for each test within the results themselves.
  7. In some situations, you may already have obtained a suitable sample of tokens. You can load this sample manually into Sequencer and perform the same analysis. To do this, in the main Burp UI, go to the Sequencer tab and then to the Manual load sub-tab. You can paste your tokens from the clipboard or load them from a file, then use the "Analyze now" button to start the analysis of the loaded sample.
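A minimal illustration of what the analysis in steps 5 to 7 measures, added here as an example and not part of the original page or of Burp Suite itself: it parses a sample in the one-token-per-line form that Manual load accepts, computes the per-character Shannon entropy across a constructed sample, and flags positions that never vary. The function names and the sample tokens are assumptions made for this example.

```python
import math
from collections import Counter


def parse_token_sample(text):
    """One token per line, as pasted into the Manual load sub-tab; blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits, of a sequence of symbols."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_tokens(tokens):
    """Character-level analysis of a sample of fixed-length tokens.

    Returns the entropy at each character position, the summed estimate, and
    the positions whose value never changes across the sample (zero entropy).
    The sum is only an upper bound on unpredictability: a plain counter scores
    well here yet is trivially predictable, which is why a tool like Sequencer
    also applies transition and bit-level tests to the same sample.
    """
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError(f"tokens have mixed lengths: {sorted(lengths)}")
    length = lengths.pop()
    per_position = [shannon_entropy_bits([t[i] for t in tokens]) for i in range(length)]
    return {
        "per_position_bits": per_position,
        "estimated_bits": sum(per_position),
        "fixed_positions": [i for i, h in enumerate(per_position) if h == 0.0],
        "sample_size": len(tokens),
    }


# Constructed sample (not real tokens): 100 values with a fixed "A1" prefix
# followed by a zero-padded counter 0000..0099, so only the last two
# characters ever vary.
SAMPLE_TEXT = "\n".join(f"A1{i:04d}" for i in range(100))

if __name__ == "__main__":
    result = analyze_tokens(parse_token_sample(SAMPLE_TEXT))
    for pos, bits in enumerate(result["per_position_bits"]):
        print(f"position {pos}: {bits:.2f} bits")
    print(f"estimated entropy: {result['estimated_bits']:.2f} bits "
          f"over {result['sample_size']} tokens")
    print(f"fixed positions: {result['fixed_positions']}")
```

Run against a real capture, a result like this (four fixed positions, under 7 bits of estimated entropy) is the signal that the token is not fit for use as a session identifier.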

Copyright © 2014 PortSwigger Ltd. All rights reserved.