Burp Suite, the leading toolkit for web application security testing

Analysis Results

The results window contains full details of all of the tests performed.


The Summary tab is the first place to look to get an overall conclusion about the degree of randomness in the sample. It includes a chart showing the number of bits of effective entropy at or above each significance level. This provides an intuitive verdict on the number of bits that pass the randomness tests for different possible significance levels.

The tab also reports an estimate of the reliability of the results, based on the number of samples.

Character-level Analysis

The Character-level analysis tab shows the summary results from all character-level tests, and lets you drill down into the detail of each character-level test. It also contains charts showing the size of the character set at each position, and the maximum number of bits of entropy that can be contributed from each character position.

Note that the character-level tests are not reliable if the size of character sets employed is too large relative to the number of samples. For example, if a token employs 64 different characters at each position, and you only capture 100 samples, there is nowhere near enough sample data to draw any reliable conclusions about the distribution of characters. For this reason, when there is a risk of unreliable results, Burp Sequencer will automatically disable the character-level tests, to prevent the character-level results from undermining the overall combined results from the analysis.

Bit-level Analysis

The Bit-level analysis tab shows the summary results from all bit-level tests, and lets you drill down into the detail of each bit-level test. This can let you gain a deeper understanding of the properties of the sample, to identify the causes of any anomalies, and to assess the possibilities for token prediction.

There is also a chart showing the number of bits contributed by each character position in the token. This will enable you cross-reference individual bits within the token back to the original character positions, if you need to.

Analysis Options

The Analysis options tab shows the options that were configured for the analysis. You can modify these and redo the analysis if required. See the following help for more details:

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Thursday, September 8, 2016


This release introduces a new scan check for second-order SQL injection vulnerabilities. In situations where Burp observes stored user input being returned in a response, Burp Scanner now performs its usual logic for detecting SQL injection, with payloads supplied at the input submission point, and evidence for a vulnerability detected at the input retrieval point.

See all release notes ›

Copyright © 2016 PortSwigger Ltd. All rights reserved.