Sequencer

This is a sophisticated tool for analyzing the quality of randomness in an application's session tokens or other important data items that are intended to be unpredictable.

  1. Go to Burp > "Proxy" tab > "HTTP history" sub-tab and right-click within the results table to open the context menu.

  2. Select "Show new history window" option from the context menu.

    New history window

  3. In the new "Burp Proxy HTTP History" window, click on "Filter" tab to view the various display filter options.

    Display Filter

  4. In the display filter window, select the checkbox labeled as "Show only parameterized requests".

    Show only parameterized requests

  5. Identify a parameterized request which you may wish to tamper with.

    Identify a request for further analysis

  6. Click on the "Cookies" column twice, to identify requests that issue a session token.

    Order by cookies

  7. Select the /login POST request.

  8. Right-click on the selected request, and select "Send to Sequencer" option from the context menu.

    Send to sequencer

  9. Go to "Sequencer" > "Live capture" tab, and in the "Select Live Capture Request" section, select the item that you have just sent.

    Select a request that sets a session token

  10. In the "Token Location Within Response" section, select the "Cookie" radio button.

  11. Select a token from the dropdown menu. For this example, let's select the token named as "token".

    Select a token that's being set

  12. Click on the "Start live capture" button.

    Start live capture

  13. When a few hundred tokens have been obtained, pause the live capture session and click the "Analyze now" button.

    Pause and analyze

  14. You should see the results of the randomness tests.

    Results of randomness tests

  15. Go to "Character-level analysis" > "Count" tab and read the details listed under "Anomalies" section.

    Character analysis

  16. Explore the data shown in different tabs and sub-tabs.

Last updated

Was this helpful?