Burp Suite, the leading toolkit for web application security testing

Getting Started With Burp Sequencer

Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable.

Note: Using Burp Sequencer may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Sequencer against non-production systems.

To start getting to know Burp Sequencer, carry out the following steps:

  1. First, ensure that Burp is installed and running, that you have configured your browser to work with Burp, and that you have browsed your target application to populate your Proxy history.
  2. Find a response in the Proxy history that issues a session token or other similar item, whether in a Set-Cookie header, in a form field, or anywhere else. (You can sort on the Cookies column in the history, to quickly find issued cookies.) Use the context menu to send the item to Burp Sequencer.
  3. Go to the Sequencer tab, and in the "Select Live Capture Request" section, select the item that you have just sent.
  4. In the "Token Location Within Response" section, select the location in the response where the token appears. If the token appears in a custom location (i.e. not in a Set-Cookie header or a form field), then select the "Custom location" option, and in the dialog, select the token in the response, then click "OK".
  5. In the "Select Live Capture Request" section, click the "Start live capture" button. This will cause Burp to issue the original request repeatedly, and extract all of the tokens received in responses. The live capture session opens a new window showing the progress of the capture, and the number of tokens that have been obtained. When a few hundred tokens have been obtained, pause the live capture session and click the "Analyze now" button.
  6. When the analysis is complete, the tabs will show the results of the randomness tests. These show an overall summary of the estimated amount of entropy within the sample, together with detailed results for each type of test that was performed. There is brief documentation for each test within the results themselves.
  7. In some situations, you may have already obtained a suitable sample of tokens. You can load this sample manually into Sequencer and perform the same analysis. To do this, in the main Burp UI, go to the Sequencer tab and open the Manual load sub-tab. You can paste your tokens from the clipboard or load them from a file, and use the "Analyze now" button to start the analysis of the loaded sample.
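
To make the idea of an "estimated amount of entropy within the sample" concrete, the following added example (not PortSwigger's code, and not the test suite Sequencer actually runs) computes a simple per-position character entropy over a token sample. Both token samples and the function names are constructed for illustration.

```python
import math
import random
import secrets
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy in bits of the characters observed at each position."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    bits = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits

def summarize(tokens):
    """Naive estimate: positions are treated as independent, so the total is
    an upper bound and correlations between positions go undetected."""
    bits = position_entropy(tokens)
    return {
        "sample_size": len(tokens),
        "duplicates": len(tokens) - len(set(tokens)),
        "constant_positions": [i for i, b in enumerate(bits) if b == 0],
        "estimated_bits": round(sum(bits), 1),
    }

def weak_sample(n=500, seed=1):
    """Constructed sample: fixed prefix + incrementing counter + one random byte."""
    rng = random.Random(seed)
    return [f"SESS{1444000000 + i}{rng.randrange(256):02x}" for i in range(n)]

def strong_sample(n=500):
    """Constructed sample: 128 bits from the OS CSPRNG, hex encoded."""
    return [secrets.token_hex(16) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("weak", weak_sample()), ("strong", strong_sample())):
        print(name, summarize(sample))
```

The counter-based tokens show many constant positions and well under 20 estimated bits, while the CSPRNG tokens come out close to their full 128 bits. To check a sample you have already collected, pass `summarize` a list read from your own token file, one token per line.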


Copyright © 2015 PortSwigger Ltd. All rights reserved.