Sequencer

This is a sophisticated tool for analyzing the quality of randomness in an application's session tokens or other important data items that are intended to be unpredictable.

1. Go to Burp > "Proxy" tab > "HTTP history" sub-tab and right-click within the results table to open the context menu.

2. Select "Show new history window" option from the context menu.

   

3. In the new "Burp Proxy HTTP History" window, click on "Filter" tab to view the various display filter options.

   

4. In the display filter window, select the checkbox labeled as "Show only parameterized requests".

   

5. Identify a parameterized request which you may wish to tamper with.

   

6. Click on the "Cookies" column twice, to identify requests that issue a session token.

   

7. Select the /login POST request.

8. Right-click on the selected request, and select "Send to Sequencer" option from the context menu.

   

9. Go to "Sequencer" > "Live capture" tab, and in the "Select Live Capture Request" section, select the item that you have just sent.

   

10. In the "Token Location Within Response" section, select the "Cookie" radio button.

11. Select a token from the dropdown menu. For this example, let's select the token named as "token".

    

12. Click on the "Start live capture" button.

    

13. When a few hundred tokens have been obtained, pause the live capture session and click the "Analyze now" button.

    

14. You should see the results of the randomness tests.

    

15. Go to "Character-level analysis" > "Count" tab and read the details listed under "Anomalies" section.

    

16. Explore the data shown in different tabs and sub-tabs.