Obtaining a sample
To perform the randomness tests on an application's tokens, it is first necessary to obtain a suitable sample of those tokens. This can be done in two ways: by performing an automatic live capture of tokens directly from the target, or by manually loading a sample of tokens that you have already acquired.
Note: Obviously, a larger sample size enables a more reliable analysis. Burp will let you perform an initial analysis with a sample of only 100 tokens, although this should not be considered reliable for any serious purpose. A sample of 5,000 tokens is sufficient to perform a reliable analysis for most purposes, although this may depend on the sample's characteristics. The maximum supported sample size is 20,000 tokens, which is sufficient to perform FIPS-compliant statistical tests.
To perform a live capture, you need to locate a request within the target application that returns somewhere in its response the session token or other item that you want to analyze. You can do this by selecting a request anywhere within Burp and choosing the "Send to Sequencer" option from the context menu. The steps needed to configure the live capture on this request are described below.
Select live capture request
The live capture request list shows the requests that you have sent to Sequencer from other Burp tools. Select the request that returns the token or other item that you want to analyze.
Token location within response
Select the location within the application's response where the token appears. The following options are available:
- Cookie - If the response sets any cookies, this option will let you select a cookie to analyze. This is the most common method of passing session tokens to clients.
- Form field - If the response contains any HTML form fields, this option will let you select a form field value to analyze. This method is often used for transmitting anti-CSRF tokens and other per-page tokens to clients.
- Custom location - You can use this option to specify a specific custom location within the response containing the data you want to analyze. This is done using the response extraction rule dialog.
Live capture options
These settings control the engine used for making HTTP requests and harvesting tokens when performing the live capture. The following options are available:
- Number of threads - This option controls the number of concurrent requests the live capture is able to make.
- Throttle between requests - Optionally, the live capture can wait a specified delay (in milliseconds) before every request. This option is useful to avoid overloading the application, or to be more stealthy.
- Ignore token whose length deviates by X characters - You can optionally configure the live capture to ignore tokens whose length deviates by a given threshold from the average token length. This can be useful if the application occasionally returns an anomalous response containing a different item in the location where the token normally appears.
Running the live capture
When you have fully configured the live capture, click the "Start live capture" button to begin the live capture. Burp Sequencer will repeatedly issue your request and extract the relevant token from the application's responses.
During the live capture, a progress bar is shown, with counters of the numbers of tokens, requests, and network errors. The following options are available:
- Pause / resume - This temporarily pauses, and resumes, the capture.
- Stop - This permanently stops the capture.
- Copy tokens - This copies the currently captured tokens to the clipboard, for use in other Burp attacks (such as in Intruder payloads) or tools.
- Save tokens - This saves the currently captured tokens to file.
- Auto-analyze - If this option is enabled, Burp will automatically perform token analysis and update the results periodically during the live capture.
- Analyze now - This is available when a minimum of 100 tokens have been captured, and causes Burp to analyze the current sample and update the results.
This function allows you to load Sequencer with a sample of tokens that you have already obtained, and then perform the statistical analysis on the sample.
To perform a manual load, you first need to obtain your own sample of tokens from the target application through some means, such as your own script or the output from an earlier live capture, or an Intruder attack. The tokens need to be in a simple newline-delimited text format.
Use the Paste button to paste the tokens from the clipboard, or the Load button to load them from file. The loaded tokens, together with details of the shortest and longest lengths, are displayed for you to sense-check that the sample has loaded correctly.
To perform the analysis of the loaded tokens, click the "Analyze now" button.