To perform the randomness tests on an application's tokens, it is first necessary to obtain a suitable sample of those tokens. This can be done in two ways: by performing an automatic live capture of tokens directly from the target, or by manually loading a sample of tokens that you have already acquired.
Note: Obviously, a larger sample size enables a more reliable analysis. Burp will let you perform an initial analysis with a sample of only 100 tokens, although this should not be considered reliable for any serious purpose. A sample of 5,000 tokens is sufficient to perform a reliable analysis for most purposes, although this may depend on the sample's characteristics. The maximum supported sample size is 20,000 tokens, which is sufficient to perform FIPS-compliant statistical tests.
To perform a live capture, you need to locate a request within the target application that returns somewhere in its response the session token or other item that you want to analyze. You can do this by selecting a request anywhere within Burp and choosing the "Send to Sequencer" option from the context menu. The steps needed to configure the live capture on this request are described below.
The live capture request list shows the requests that you have sent to Sequencer from other Burp tools. Select the request that returns the token or other item that you want to analyze.
Select the location within the application's response where the token appears. The following options are available:
These settings control the engine used for making HTTP requests and harvesting tokens when performing the live capture. The following options are available:
When you have fully configured the live capture, click the "Start live capture" button to begin the live capture. Burp Sequencer will repeatedly issue your request and extract the relevant token from the application's responses.
During the live capture, a progress bar is shown, with counters of the numbers of tokens, requests, and network errors. The following options are available:
This function allows you to load Sequencer with a sample of tokens that you have already obtained, and then perform the statistical analysis on the sample.
To perform a manual load, you first need to obtain your own sample of tokens from the target application through some means, such as your own script, the output from an earlier live capture, or an Intruder attack. The tokens need to be in a simple newline-delimited text format.
Use the Paste button to paste the tokens from the clipboard, or the Load button to load them from file. The loaded tokens, together with details of the shortest and longest lengths, are displayed for you to sense-check that the sample has loaded correctly.
To perform the analysis of the loaded tokens, click the "Analyze now" button.
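The following script is an added example and is not Burp's own code: it stands in for the "own script" route to a sample, extracting a session token from each captured HTTP response (the cookie name `SESSIONID` and the responses themselves are constructed assumptions), writing the sample in the newline-delimited form that the Load button expects, and reproducing the sense-check step (count, shortest and longest length, and whether the size meets the 100 / 5,000 / 20,000 thresholds given above). It goes one step beyond the page by computing a per-position character entropy, which quickly shows positions that never vary; that is a rough look only, not a substitute for Sequencer's statistical tests.

```python
"""Harvest session tokens from captured HTTP responses, write them in the
newline-delimited form that Sequencer's manual load expects, and sense-check
the sample before analysis.

Added example; this is not Burp's own code. The responses and the cookie
name "SESSIONID" are constructed assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample responses, standing in for what a live capture would
# see on each repeated request. One response carries no token at all.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=a1b2c3d4; Path=/\r\n\r\nok",
    "HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=a1b2c3d5; Path=/\r\n\r\nok",
    "HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=a1b2c3d6; Path=/\r\n\r\nok",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nno token here",
    "HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=a1b2c3d7x; Path=/\r\n\r\nok",
]

# Token location: the value of the (assumed) SESSIONID cookie in a header line.
TOKEN_RE = re.compile(r"^Set-Cookie:\s*SESSIONID=([^;\s]+)",
                      re.IGNORECASE | re.MULTILINE)


def extract_token(response):
    """Return the token from one response, or None when the response has none."""
    m = TOKEN_RE.search(response)
    return m.group(1) if m else None


def harvest(responses):
    """Collect every token found in a capture; responses without one are skipped."""
    return [t for t in map(extract_token, responses) if t is not None]


def write_sample(tokens, path):
    """Save the sample as newline-delimited text for Sequencer's Load button."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(tokens) + "\n")


def load_sample(path):
    """Read a newline-delimited token file back, ignoring blank lines."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def sense_check(tokens):
    """Summarise a sample as the manual-load view does (count, shortest and
    longest length) and rate its size against the thresholds: under 100 cannot
    be analysed, under 5,000 is an initial analysis only, 20,000 is the maximum."""
    lengths = [len(t) for t in tokens]
    n = len(tokens)
    if n < 100:
        verdict = "too small to analyse"
    elif n < 5000:
        verdict = "initial analysis only"
    elif n <= 20000:
        verdict = "reliable"
    else:
        verdict = "over the maximum; trim to 20,000"
    return {"count": n, "shortest": min(lengths), "longest": max(lengths),
            "verdict": verdict}


def position_entropy(tokens):
    """Shannon entropy (bits) of the character at each position, over the
    positions every token has (the shortest length). A position near 0 bits
    never varies and adds nothing to the token's unpredictability."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return result


if __name__ == "__main__":
    sample = harvest(SAMPLE_RESPONSES)
    write_sample(sample, "tokens.txt")
    print(sense_check(load_sample("tokens.txt")))
    print([round(h, 2) for h in position_entropy(sample)])
```

On the constructed sample the first seven positions come out at 0 bits and only the last varying position at 2 bits, which is exactly the kind of result that should make you look hard at a token before trusting it; with a real capture, feed the written file to Sequencer and run the full analysis.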
This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags containing entity parameters.
Burp Scanner now modifies XML in requests to inject a doctype tag that defines an XML entity parameter that references a Burp Collaborator URL, and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
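From the defending side, the same shape of request is worth recognising in application logs or at an XML gateway: a DOCTYPE that declares a parameter entity with an external SYSTEM or PUBLIC identifier, or a DOCTYPE that loads an external subset, is what an out-of-band resource load looks like on the wire. The classifier below is an added example, not Burp's code; the sample bodies are constructed and the hostname in them is a placeholder.

```python
"""Classify XML request bodies by the kind of DOCTYPE they carry so that
external-entity probes can be surfaced in logs or blocked before parsing.

Added example, not Burp's code. Sample bodies are constructed; the host
"collaborator-placeholder.example" is a placeholder, not a real server.
"""
import re

# DOCTYPE with an internal subset: capture the subset between [ and ].
DOCTYPE_INTERNAL_RE = re.compile(
    r"<!DOCTYPE\b[^\[>]*\[(?P<subset>.*?)\]\s*>", re.IGNORECASE | re.DOTALL)
# DOCTYPE that points at an external subset with no internal one.
DOCTYPE_EXTERNAL_RE = re.compile(
    r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Parameter entity (<!ENTITY % name SYSTEM "...">) with an external identifier.
PARAM_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%\s+\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Any quoted system identifier, so a report can show where the load would go.
SYSTEM_ID_RE = re.compile(
    r"\b(?:SYSTEM|PUBLIC)\s+(?:\"([^\"]*)\"|'([^']*)')", re.IGNORECASE)

# Constructed request bodies covering the cases the classifier separates.
SAMPLE_BODIES = {
    "benign": '<?xml version="1.0"?><order><id>42</id></order>',
    "internal": '<!DOCTYPE order [<!ENTITY co "Example Co">]>'
                '<order><vendor>&co;</vendor></order>',
    "param_entity": '<!DOCTYPE x [<!ENTITY % p SYSTEM '
                    '"http://collaborator-placeholder.example/">%p;]><x/>',
    "external_subset": '<!DOCTYPE x SYSTEM '
                       '"http://collaborator-placeholder.example/x.dtd"><x/>',
}


def classify_xml(body):
    """Return one of: 'no-doctype', 'internal-dtd',
    'external-parameter-entity', 'external-dtd'."""
    m = DOCTYPE_INTERNAL_RE.search(body)
    if m:
        if PARAM_ENTITY_RE.search(m.group("subset")):
            return "external-parameter-entity"
        return "internal-dtd"
    if DOCTYPE_EXTERNAL_RE.search(body):
        return "external-dtd"
    return "no-doctype"


def external_identifiers(body):
    """List the system identifiers a DOCTYPE would cause the parser to fetch."""
    return [a or b for a, b in SYSTEM_ID_RE.findall(body)]


def review(bodies):
    """Report every body whose DOCTYPE reaches outside the document, with the
    identifiers it references; benign and internal-only DTDs are left out."""
    flagged = []
    for name, body in bodies.items():
        kind = classify_xml(body)
        if kind in ("external-parameter-entity", "external-dtd"):
            flagged.append((name, kind, external_identifiers(body)))
    return flagged


if __name__ == "__main__":
    for name, kind, ids in review(SAMPLE_BODIES):
        print(f"{name}: {kind} -> {ids}")
```

Matching on the DOCTYPE text before the body reaches a parser is deliberate: the safest mitigation is still to disable DTD processing in the XML parser itself, and a classifier like this is the log-side check that tells you whether such requests are arriving at all.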