Burp Suite, the leading toolkit for web application security testing

Analysis Results

The results window contains full details of all of the tests performed.

Summary

The Summary tab is the first place to look to get an overall conclusion about the degree of randomness in the sample. It includes a chart showing the number of bits of effective entropy at or above each significance level. This provides an intuitive verdict on the number of bits that pass the randomness tests for different possible significance levels.

The tab also reports an estimate of the reliability of the results, based on the number of samples.

Character-level Analysis

The Character-level analysis tab shows the summary results from all character-level tests, and lets you drill down into the detail of each character-level test. It also contains charts showing the size of the character set at each position, and the maximum number of bits of entropy that can be contributed from each character position.

Note that the character-level tests are not reliable if the character sets employed are too large relative to the number of samples. For example, if a token employs 64 different characters at each position, and you only capture 100 samples, there is nowhere near enough sample data to draw any reliable conclusions about the distribution of characters. For this reason, when there is a risk of unreliable results, Burp Sequencer automatically disables the character-level tests, so that the character-level results do not undermine the overall combined results from the analysis.
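The sample-size problem described above, as an added example (not PortSwigger's code): it computes the character-set size and maximum bits of entropy per position for a constructed token sample, and flags positions where there are too few samples per character. The threshold of 5 expected occurrences per character is an assumed rule of thumb, and `make_tokens`, `position_report` and `samples_needed` are hypothetical names.

```python
import math

# Assumption: chi-squared rule of thumb (>= 5 expected occurrences per
# character). Burp Sequencer's actual cut-off is not stated on this page.
MIN_EXPECTED_PER_CHAR = 5

HEX = "0123456789abcdef"
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def make_tokens(alphabet, count, length=4):
    """Constructed sample: constant prefix 'S' plus characters that cycle
    deterministically through the whole alphabet (7 is coprime to 16 and 64)."""
    size = len(alphabet)
    return ["S" + "".join(alphabet[(7 * i + 3 * pos) % size]
                          for pos in range(length))
            for i in range(count)]


def position_report(tokens):
    """One dict per character position of a fixed-length token sample."""
    report = []
    for pos in range(min(len(t) for t in tokens)):
        charset = len({t[pos] for t in tokens})
        expected = len(tokens) / charset  # count per character if uniform
        report.append({
            "position": pos,
            "charset_size": charset,
            "max_bits": math.log2(charset),  # ceiling on entropy at this position
            "expected_per_char": expected,
            # A constant position contributes 0 bits and needs no test.
            "reliable": charset == 1 or expected >= MIN_EXPECTED_PER_CHAR,
        })
    return report


def samples_needed(charset_size):
    """Smallest sample count that meets the assumed threshold."""
    return charset_size * MIN_EXPECTED_PER_CHAR


if __name__ == "__main__":
    for name, alphabet in (("hex", HEX), ("base64", B64)):
        for row in position_report(make_tokens(alphabet, 100)):
            print(name, row)
        print(name, "needs", samples_needed(len(alphabet)), "samples")
```

With 100 samples the hex positions pass the assumed threshold while the 64-character positions do not, which matches the example in the text.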

Bit-level Analysis

The Bit-level analysis tab shows the summary results from all bit-level tests, and lets you drill down into the detail of each bit-level test. This lets you gain a deeper understanding of the properties of the sample, identify the causes of any anomalies, and assess the possibilities for token prediction.

There is also a chart showing the number of bits contributed by each character position in the token. This enables you to cross-reference individual bits within the token back to the original character positions, if you need to.

Analysis Options

The Analysis options tab shows the options that were configured for the analysis. You can modify these and redo the analysis if required. See the following help for more details:


Copyright © 2014 PortSwigger Ltd. All rights reserved.