The results window contains full details of all of the tests performed.
The Summary tab is the first place to look to get an overall conclusion about the degree of randomness in the sample. It includes a chart showing the number of bits of effective entropy at or above each significance level. This provides an intuitive verdict on the number of bits that pass the randomness tests for different possible significance levels.
The tab also reports an estimate of the reliability of the results, based on the number of samples.
The Character-level analysis tab shows the summary results from all character-level tests, and lets you drill down into the detail of each character-level test. It also contains charts showing the size of the character set at each position, and the maximum number of bits of entropy that can be contributed from each character position.
Note that the character-level tests are not reliable if the character set used at a position is large relative to the number of samples. For example, if a token employs 64 different characters at each position and you capture only 100 samples, each character is expected to appear fewer than twice per position, which is nowhere near enough data to draw any reliable conclusions about the distribution of characters. For this reason, when there is a risk of unreliable results, Burp Sequencer automatically disables the character-level tests, so that unreliable character-level results do not undermine the overall combined results of the analysis. If you want character-level results for a token with a large character set, capture more samples and rerun the analysis.
The Bit-level analysis tab shows the summary results from all bit-level tests, and lets you drill down into the detail of each bit-level test. This can let you gain a deeper understanding of the properties of the sample, to identify the causes of any anomalies, and to assess the possibilities for token prediction.
There is also a chart showing the number of bits contributed by each character position in the token. This enables you to cross-reference individual bits within the token back to the original character positions, if you need to.
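As an added illustration of the per-position charts and the sample-size caveat described above (this is example code, not part of Burp Suite or its documentation), the following script computes, for a set of captured tokens, the character-set size at each position, the maximum entropy each position can contribute (log2 of the set size), the observed Shannon entropy, a sample-size gate for the character-level tests, and a mapping from bit index back to character position. The sample tokens are constructed with a seeded generator; the rule that a character-level test needs at least five expected observations per symbol is an assumption standing in for whatever threshold Burp applies internally; and the bit-to-character mapping assumes each position contributes ceil(log2(set size)) bits.

```python
import math
import random
from collections import Counter

# Constructed sample data (not real Burp Sequencer output): 8-character tokens
# whose first two characters are fixed, next four are drawn from a 64-symbol
# alphabet, and last two are decimal digits.
ALPHABET64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DIGITS = "0123456789"

# Assumption: a chi-square style rule of thumb, each symbol at a position should
# be expected to appear at least this many times before the character-level
# distribution tests are considered meaningful.
MIN_EXPECTED_PER_SYMBOL = 5


def make_samples(n, seed=1234):
    """Generate n constructed tokens deterministically from a seed."""
    rng = random.Random(seed)
    tokens = []
    for _ in range(n):
        middle = "".join(rng.choice(ALPHABET64) for _ in range(4))
        tail = "".join(rng.choice(DIGITS) for _ in range(2))
        tokens.append("AB" + middle + tail)
    return tokens


def charset_sizes(samples):
    """Number of distinct characters observed at each token position."""
    length = len(samples[0])
    return [len({s[i] for s in samples}) for i in range(length)]


def max_bits_per_position(samples):
    """Upper bound on entropy per position: log2 of the observed set size."""
    return [math.log2(k) if k > 1 else 0.0 for k in charset_sizes(samples)]


def observed_bits_per_position(samples):
    """Empirical Shannon entropy (bits) of the character distribution per position."""
    n = len(samples)
    result = []
    for i in range(len(samples[0])):
        counts = Counter(s[i] for s in samples)
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        result.append(h)
    return result


def char_tests_reliable_per_position(samples):
    """True where samples / set size meets the assumed per-symbol minimum."""
    n = len(samples)
    return [n / k >= MIN_EXPECTED_PER_SYMBOL for k in charset_sizes(samples)]


def char_tests_enabled(samples):
    """Mirror the documented behaviour: disable character-level tests for the
    whole token if any position lacks enough samples for its character set."""
    return all(char_tests_reliable_per_position(samples))


def bit_widths(samples):
    """Assumed bits contributed by each position: ceil(log2(set size))."""
    return [math.ceil(math.log2(k)) if k > 1 else 0 for k in charset_sizes(samples)]


def bit_to_char_position(samples, bit_index):
    """Map a bit index in the concatenated bit string back to its character position."""
    offset = 0
    for pos, width in enumerate(bit_widths(samples)):
        if bit_index < offset + width:
            return pos
        offset += width
    raise IndexError("bit index beyond the token's total bit width")


if __name__ == "__main__":
    for n in (100, 2000):
        samples = make_samples(n)
        print(f"{n} samples: set sizes {charset_sizes(samples)}")
        print(f"  max bits   {[round(b, 2) for b in max_bits_per_position(samples)]}")
        print(f"  observed   {[round(b, 2) for b in observed_bits_per_position(samples)]}")
        print(f"  char-level tests enabled: {char_tests_enabled(samples)}")
```

With 100 samples the four 64-symbol positions see only a fraction of their alphabet and fail the per-symbol gate, so the character-level tests are disabled for the token; with 2000 samples every position passes and the observed entropy approaches the 6-bit ceiling at those positions.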
The Analysis options tab shows the options that were configured for the analysis. You can modify these and redo the analysis if required. See the Analysis options help for more details.
This release gives the Scanner the capability to report all instances where user input is returned in application responses, both reflected and stored. The information gathered is primarily of use to manual security testers. Some applications contain numerous instances of input retrieval, since it is very common for the entire URL to be reflected within responses. For these reasons, the new Scanner checks are off by default, but can be turned on in the Scanner options.