This divides the bit sequence into consecutive and unique groups of four. If the generation is random, then the distribution is likely to be approximately equal. This test does an analysis of the positions of 0s and 1s at each bit position.
The screenshot in Figure 3 explains the results better.įigure 3. For this Burp Suite training tutorial, stop the scan midway and check out the results. You can pause or stop the analysis at any point. It sends requests to the target and gives detailed analysis of the randomness in the cookie tokens.
The start capture action panel is depicted in Figure 2. Start capture action panel ( click to enlarge ) After fixing these parameters, click START CAPTURE.įigure 2. This also applies to the token end panel, where you can set the delimiter, or specify a fixed length for the capture to start. You can either specify an expression such as “Google” or even set the offset from where the token has to start. The right side of the screenshot has the token start and token end expressions. Token request using sequencer ( click to enlarge )įigure 1 shows a token request to the website. For this Burp Suite training tutorial, let us start with sending a request that contains a session token.įigure 1.
Thus it is important to have a high degree of randomness in the session token IDs. Brute force attacks enumerate every possible combination for gaining authentication from the Web application. The Burp sequencer tool is used to check for the extent of randomness in the session tokens generated by the Web application.