Burp Sequencer is a tool for analyzing the degree of
randomness in security-critical tokens issued by an application. It is
typically used to test the quality of an application's session tokens or
other items, such as CSRF nonces, on whose unpredictability the application
depends for its security.
Burp Sequencer lets you:
- Send requests that return a security token from other Burp Suite tools to
test in Burp Sequencer.
- Reissue the same request repeatedly, to generate a large sample of
tokens for statistical analysis.
- Perform a rigorous set of tests, including the standard FIPS tests
and others, to estimate the degree of randomness within the sample, at
both the character and bit level.
- Start performing the analysis with as few as 100 tokens, and
re-perform this as a larger sample is collected, up to the
FIPS-recommended sample size of 20,000 tokens.
- View an intuitive, at-a-glance summary of all the tests performed,
letting you quickly understand the overall quality of randomness.
- Review detailed, graphical test output, letting you drill down into
the detailed reasons why individual parts of the token passed or failed
- Load an existing sample of tokens for analysis, if these have
already been captured elsewhere.
Burp Sequencer is often highly useful in providing rigorous analysis of
an application's session tokens, in cases where these can appear random to
both the naked eye and to simpler, scatter-graph based, analyses. It also
enables consultants to provide their clients with output to demonstrate that
some meaningful work has been done in this often overlooked area of
Screenshots - click to enlarge