Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable.
Live Capture
To perform a live capture, you need to locate a request within the target application that returns somewhere in its response the session token or other item that you want to analyze. You can do this by selecting a request anywhere within Burp and choosing the "Send to Sequencer" option from the context menu. The steps needed to configure the live capture on this request are described below.
Select Live Capture Request
The live capture request list shows the requests that you have sent to Sequencer from other Burp tools. Select the request that returns the token or other item that you want to analyze.
Token Location Within Response
Select the location within the application's response where the token appears. The following options are available:
- Cookie - If the response sets any cookies, this option will let you select a cookie to analyze. This is the most common method of passing session tokens to clients.
- Form field - If the response contains any HTML form fields, this option will let you select a form field value to analyze. This method is often used for transmitting anti-CSRF tokens and other per-page tokens to clients.
- Custom location - You can use this option to specify a specific custom location within the response containing the data you want to analyze. This is done using the response extraction rule dialog.
Live Capture Options
These settings control the engine used for making HTTP requests and harvesting tokens when performing the live capture. The following options are available:
- Number of threads - This option controls the number of concurrent requests the live capture is able to make.
- Throttle between requests - Optionally, the live capture can wait for a specified delay (in milliseconds) before each request. This option is useful for avoiding overloading the application, or for being more stealthy.
- Ignore tokens whose length deviates by X characters - You can optionally configure the live capture to ignore tokens whose length deviates by a given threshold from the average token length. This is useful if the application occasionally returns an anomalous response containing a different item in the location where the token normally appears.
When you have fully configured the live capture, click the "Start live capture" button to begin the live capture. Burp Sequencer will repeatedly issue your request and extract the relevant token from the application's responses.
During the live capture, a progress bar is shown, with counters of the numbers of tokens, requests, and network errors. The following options are available:
- Pause / resume - This temporarily pauses, and resumes, the capture.
- Stop - This permanently stops the capture.
- Copy tokens - This copies the currently captured tokens to the clipboard, for use in other Burp attacks (such as in Intruder payloads) or tools.
- Save tokens - This saves the currently captured tokens to file.
- Auto-analyze - If this option is enabled, Burp will automatically perform token analysis and update the results periodically during the live capture.
- Analyze now - This is available when a minimum of 100 tokens have been captured, and causes Burp to analyze the current sample and update the results.
Manual Load
This function allows you to load Sequencer with a sample of tokens that you have already obtained, and then perform the statistical analysis on the sample.
To perform a manual load, you first need to obtain your own sample of tokens from the target application through some means, such as your own script or the output from an earlier live capture, or an Intruder attack. The tokens need to be in a simple newline-delimited text format.
Use the Paste button to paste the tokens from the clipboard, or the Load button to load them from file. The loaded tokens, together with details of the shortest and longest lengths, are displayed for you to sense-check that the sample has loaded correctly.
To perform the analysis of the loaded tokens, click the "Analyze now" button.
The "Analysis options" tab lets you configure how tokens are handled, and which types of tests are performed during the analysis.
Token Handling
These settings control how tokens are handled during analysis. The following options are available:
- Pad short tokens at start / end - If the tokens produced by the application have variable length, these will need to be padded to enable the statistical tests to be performed. You can choose whether the padding should be applied at the start or the end of each token. In most cases, padding tokens at the start is most appropriate.
- Pad with - You can specify the character that will be used for padding. In most cases, for numeric or ASCII hex-encoded tokens, padding with the "0" character is most appropriate.
- Base64-decode before analyzing - If the tokens are Base64-encoded, you can configure Burp to decode these before analyzing, which will generally improve the accuracy of the analysis.
Analysis Types
These options control the types of analyses that are performed. You can individually enable or disable each type of character-level and bit-level test. Sometimes, after performing an initial analysis with all tests enabled, you may want to disable certain tests to reflect your better understanding of the tokens' characteristics, or to isolate the effects of any unusual characteristics manifested by your sample.
In the results window, after modifying any of the analysis options you can click the "Redo analysis" button to re-perform the analysis with your new settings, and update the results.
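The following Python script is an added example, not code from the Burp Suite documentation or from PortSwigger, showing in simplified form what the options above do to a sample before it is tested: it drops tokens whose length deviates from the average by more than a threshold (the live capture "ignore tokens whose length deviates by X characters" option), pads short tokens at the start or end with a chosen character, decodes hex or Base64 tokens to bytes, and then runs a basic character-level test (distinct values per position) and bit-level test (fraction of ones per bit position) with a Shannon-entropy estimate. The sample tokens are constructed for the example, the entropy estimator is a plain binary-entropy sum rather than Sequencer's own statistical tests, and using the mean length as the deviation reference is an assumption.

```python
import base64
import math
from collections import Counter
from statistics import fmean

# Constructed sample (not captured from any real application): a hypothetical
# app issues 8-hex-char tokens, once dropped a leading zero, and once returned
# an error string in the location where the token normally appears.
SAMPLE_TOKENS = [
    "a1f3c9d2", "a1f3c9d3", "a1f3c9d4", "a1f3c9d5",
    "a1f3c9e0", "a1f3c9e1",
    "1f3c9d6",   # legitimate token whose leading "0" the app stripped
    "error",     # anomalous response fragment, not a token
]


def filter_by_length(tokens, max_deviation):
    """Drop tokens whose length deviates from the mean length by more than
    max_deviation characters.  Assumption: the mean over the whole sample is
    the reference length."""
    if not tokens:
        return []
    mean_len = fmean(len(t) for t in tokens)
    return [t for t in tokens if abs(len(t) - mean_len) <= max_deviation]


def pad_tokens(tokens, pad_at="start", pad_char="0"):
    """Pad every token to the longest length so positions line up.  Padding
    at the start suits numeric or hex tokens whose leading zeros were lost."""
    width = max(len(t) for t in tokens)
    if pad_at == "start":
        return [t.rjust(width, pad_char) for t in tokens]
    if pad_at == "end":
        return [t.ljust(width, pad_char) for t in tokens]
    raise ValueError("pad_at must be 'start' or 'end'")


def decode_token(token, encoding):
    """Turn one token into the bytes the bit-level test operates on.
    encoding is "hex", "base64" (the Base64-decode option) or "ascii"."""
    if encoding == "hex":
        return bytes.fromhex(token)
    if encoding == "base64":
        return base64.b64decode(token, validate=True)
    if encoding == "ascii":
        return token.encode("ascii")
    raise ValueError(f"unknown encoding {encoding!r}")


def char_level_counts(tokens):
    """Character-level test: number of distinct characters seen at each
    position.  A position with a single value contributes no entropy."""
    width = len(tokens[0])
    return [len(Counter(t[i] for t in tokens)) for i in range(width)]


def bit_level_fractions(tokens, encoding):
    """Bit-level test: fraction of samples with a 1 at each bit position,
    most-significant bit of the first byte first."""
    raw = [decode_token(t, encoding) for t in tokens]
    nbits = len(raw[0]) * 8
    ones = [0] * nbits
    for b in raw:
        for i in range(nbits):
            if (b[i // 8] >> (7 - i % 8)) & 1:
                ones[i] += 1
    return [c / len(raw) for c in ones]


def shannon_bits(fractions):
    """Sum of the binary entropy of each bit position: a rough upper bound on
    the unpredictable bits per token (a simplification, not Sequencer's
    'effective entropy' figure)."""
    def h(p):
        if p in (0.0, 1.0):
            return 0.0
        return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))
    return sum(h(p) for p in fractions)


def analyze(tokens, max_deviation=2, pad_at="start", pad_char="0", encoding="hex"):
    """Apply the handling options, then run both tests and summarise."""
    kept = pad_tokens(filter_by_length(tokens, max_deviation), pad_at, pad_char)
    fractions = bit_level_fractions(kept, encoding)
    return {
        "tokens_analyzed": len(kept),
        "distinct_per_position": char_level_counts(kept),
        "constant_bits": sum(1 for p in fractions if p in (0.0, 1.0)),
        "total_bits": len(fractions),
        "estimated_entropy_bits": round(shannon_bits(fractions), 2),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TOKENS).items():
        print(f"{key}: {value}")
```

On the constructed sample the "error" string is discarded, the 7-character token is padded to "01f3c9d6", and the tests report that only the last position (and one other) varies and that 25 of the 32 bits are constant across the sample, so the token carries far less entropy than its length suggests. That is the kind of result which, in Sequencer, would prompt you to disable tests for the fixed positions and re-run the analysis on the variable part.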
Source : Burp Suite Official Site