Getting started with Burp Sequencer

Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable.

Note: Using Burp Sequencer may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Sequencer against non-production systems.

To start getting to know Burp Sequencer, carry out the following steps:

  1. First, ensure that Burp is installed and running, that you have configured your browser to work with Burp, and that you have browsed your target application to populate your Proxy history.
  2. Find a response in the Proxy history that issues a session token or other similar item, whether in a Set-Cookie header, in a form field, or anywhere else. (You can sort on the Cookies column in the history, to quickly find issued cookies.) Use the context menu to send the item to Burp Sequencer.
  3. Go to the Sequencer tab, and in the "Select Live Capture Request" section, select the item that you have just sent.
  4. In the "Token Location Within Response" section, select the location in the response where the token appears. If the token appears in a custom location (i.e. not in a Set-Cookie header or a form field), then select the "Custom location" option, and in the dialog, select the token in the response, then click "OK".
  5. In the "Select Live Capture Request" section, click the "Start live capture" button. This will cause Burp to issue the original request repeatedly, and extract all of the tokens received in responses. The live capture session opens a new window showing the progress of the capture, and the number of tokens that have been obtained. When a few hundred tokens have been obtained, pause the live capture session and click the "Analyze now" button.
  6. When the analysis is complete, the tabs will show the results of the randomness tests. These show an overall summary of the estimated amount of entropy within the sample, together with detailed results for each type of test that was performed. There is brief documentation for each test within the results themselves.
  7. In some situations, you may have already obtained a suitable sample of tokens. You can load this sample manually into Sequencer and perform the same analysis. To do this, in the main Burp UI, go to the Sequencer tab, and the Manual load sub-tab. You can paste your tokens from the clipboard or load them from a file, and use the "Analyze now" button to start the analysis of the loaded sample.
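
As a sanity check on a token sample you already hold, before loading it as in step 7, the following added example (not PortSwigger's code, and not the tests Sequencer performs) computes per-position character entropy and flags positions that never change. The function names and both token samples are constructed for illustration.

```python
import hashlib
import math
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy in bits of the characters observed at each position."""
    if not tokens:
        raise ValueError("empty token sample")
    width = min(len(t) for t in tokens)  # only positions every token has
    total = len(tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        bits = -sum(c / total * math.log2(c / total) for c in counts.values())
        result.append(bits)
    return result


def summarize(tokens):
    """Report static positions and the summed per-position entropy.

    The sum is only an upper bound on the sample's entropy: positions that
    depend on each other (for example the digits of a counter) are counted
    as if they were independent.
    """
    per_pos = position_entropy(tokens)
    static = [i for i, bits in enumerate(per_pos) if bits == 0.0]
    return {"static_positions": static, "upper_bound_bits": sum(per_pos)}


# Constructed sample: a 16-hex-digit token that is just an incrementing counter.
WEAK_SAMPLE = [f"{1000000 + i:016x}" for i in range(500)]

# Constructed sample: 16 hex digits taken from SHA-256 output, used here only
# as a deterministic stand-in for well-distributed token characters.
STRONG_SAMPLE = [hashlib.sha256(str(i).encode()).hexdigest()[:16]
                 for i in range(500)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        report = summarize(sample)
        print(f"{name}: {len(report['static_positions'])} static positions, "
              f"<= {report['upper_bound_bits']:.1f} bits")
```

A sample with many static positions or a low bound needs no further testing to be called weak; a high bound proves nothing by itself, which is where Sequencer's full set of tests is needed.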

Use the links below for further help on starting to use Burp Sequencer: