Getting started with Burp Sequencer

Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable.

Note

Using Burp Sequencer may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Sequencer against non-production systems.

To start getting to know Burp Sequencer, you should perform the following steps:

  1. If you want to use an external browser instead of Burp's browser, make sure that you have configured your browser to work with Burp, and that you have browsed to your target application in order to populate your Proxy history.
  2. Find a response in the Proxy history that issues a session token or other similar item, whether in a Set-Cookie header, in a form field, or anywhere else. (You can sort on the Cookies column in the history to quickly find issued cookies.) Use the context menu to send the item to Burp Sequencer.
  3. Go to the Sequencer tab, and in the Select Live Capture Request section, select the item that you have just sent.
  4. In the Token Location Within Response section, select the location in the response where the token appears. If the token appears in a custom location (i.e. not in a Set-Cookie header or a form field), then select the Custom location option, and in the dialog, select the token in the response, then click OK.
  5. In the Select Live Capture Request section, click the Start live capture button. This will cause Burp to issue the original request repeatedly, and extract all of the tokens received in responses. The live capture session opens a new window showing the progress of the capture, and the number of tokens that have been obtained. When a few hundred tokens have been obtained, pause the live capture session and click the Analyze now button.
  6. When the analysis is complete, the tabs will show the results of the randomness tests. These show an overall summary of the estimated amount of entropy within the sample, together with detailed results for each type of test that was performed. There is brief documentation for each test within the results themselves.
  7. In some situations, you may have already obtained a suitable sample of tokens. You can load this sample manually into Sequencer and perform the same analysis. To do this, in the main Burp UI, go to the Sequencer tab, and then the Manual load sub-tab. You can paste your tokens from the clipboard or load them from a file, and use the Analyze now button to start the analysis of the loaded sample.
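To make the "estimated amount of entropy" from steps 6 and 7 concrete, here is an added illustration (not Burp Sequencer's own test suite, which runs a larger set of character- and bit-level tests) of the simplest such test: the Shannon entropy of the characters seen at each position of a fixed-width token, run over a constructed sample of the kind you would paste into the Manual load tab. The sample tokens and function names are assumptions for the example.

```python
"""Per-position character entropy of a token sample (illustration only)."""
import math
from collections import Counter

# Constructed samples, not tokens captured from any real application.
# WEAK looks like a counter with a fixed prefix; BETTER varies every column.
WEAK = ["sess000%d" % i for i in range(1, 9)]
BETTER = ["a1x", "b2y", "c3z", "d4w", "a2z", "b1w", "c4x", "d3y"]


def position_entropy(tokens, pos):
    """Shannon entropy, in bits, of the characters observed at column `pos`."""
    n = len(tokens)
    counts = Counter(t[pos] for t in tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(tokens):
    """Return (per-position entropies, total) for a fixed-width token sample.

    The total is only an upper bound: summing columns assumes they are
    independent, so a counter-style token still scores its full digit
    entropy even though each token is trivially predictable from the last.
    With n tokens no column can score above log2(n), which is why the
    steps above ask for a few hundred tokens before analysing.
    """
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("all tokens must have the same length")
    per_pos = [position_entropy(tokens, i) for i in range(width)]
    return per_pos, sum(per_pos)


if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("BETTER", BETTER)):
        per_pos, total = analyze(sample)
        cols = " ".join("%.2f" % e for e in per_pos)
        print("%-6s columns: [%s]  total: %.2f bits" % (name, cols, total))
```

Sequencer's real value is in the per-test breakdown; a high total that comes from a single trailing column, as in the WEAK sample, is the pattern to look for when reviewing your own application's tokens.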
