Sequencer Tab - Guide for Burp Suite - Techpanther

This article is part of the Guide for Burp Suite series. In the previous article, we saw how to work with the Burp Intruder tab. Now we'll move forward and learn about some of the features of the Sequencer tab. So let's get started.

Sequencer is an entropy checker that tests the randomness of tokens generated by the web server. These tokens are generally used for authentication in sensitive operations: cookies and anti-CSRF tokens are examples of such tokens. It is a tool within Burp designed to determine the strength or quality of the randomness of a session token.

Looking more closely at the Sequencer tab, you will notice there are three subtabs available: Live capture, Manual load, and Analysis options.

The simplest way to use Burp Sequencer is to select a request anywhere within Burp (HTTP History, Repeater, Site map, etc.) and choose the "Send to Sequencer" option on the menu. This will send the selected request to Burp Sequencer.

1. Live Capture 

To perform a live capture, you need to locate a request within the target application that returns, somewhere in its response, the session token or other item that you want to analyze.

Select Live Capture Request 

The live capture request list shows the requests that you have sent to Sequencer from other Burp tools.  

Token location within response

Select the location within the application's response where the token appears.
  • Cookie - If the response sets any cookies, this option will let you select a cookie to analyze. 
  • Form field - If the response contains any HTML form fields, this option will let you select a form field value to analyze. 
  • Custom location - You can use this option to specify a specific custom location within the response containing the data you want to analyze.

Live capture options

These settings let you control the engine used for making HTTP requests and harvesting tokens when performing the live capture.
  • Number of threads - Here you need to select the number of concurrent requests the live capture can send to the server.
  • Throttle between requests - Optionally, the live capture can wait for a specified delay (in milliseconds) before every request. This option is useful to avoid overloading the application or to be more stealthy.
  • Ignore tokens whose length deviates by X characters - You can optionally configure the live capture to ignore tokens whose length deviates by a given threshold from the average token length.

Running the live capture

When you have fully configured the live capture, click the "Start live capture" button to begin the live capture. During the live capture, a progress bar is shown, with counters of the numbers of tokens, requests, and network errors. The following options are available:
  • Pause/resume - This temporarily pauses, and resumes, the capture.
  • Stop - This permanently stops the live capture.
  • Copy tokens - This copies the currently captured tokens to the clipboard.
  • Save tokens - This saves the currently captured tokens to the given file.
  • Auto-analyze - If this option is enabled, Burp will automatically perform token analysis and update the results periodically during the live capture.
  • Analyze now - This is available when a minimum of 100 tokens have been captured, and causes Burp to analyze the current sample and update the results.

2. Manual Load

This tab allows you to load Sequencer with a sample of tokens that you have already obtained, and then perform the statistical analysis on the sample data.

3. Analysis options

This functionality allows you to configure how tokens are handled, and which types of tests are performed during the analysis.
  • Token handling - This allows you to control how tokens are handled during analysis.
  • Token analysis - This allows you to control the types of analysis that are performed at the character level.
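
To make the idea of character-level analysis concrete, here is an added Python example (not part of the original article and not Burp's own tests): it applies a length-deviation filter like the live capture option above, then measures how much each character position of the tokens varies across the sample. The token format, the function names and the 0.8 threshold are assumptions chosen for illustration, and the sample tokens are constructed.

```python
import hashlib
import math
from collections import Counter

def filter_by_length(tokens, max_deviation):
    """Drop tokens whose length deviates from the average by more than max_deviation."""
    avg = sum(len(t) for t in tokens) / len(tokens)
    return [t for t in tokens if abs(len(t) - avg) <= max_deviation]

def position_entropy(tokens):
    """Shannon entropy in bits of the characters seen at each token position."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    bits = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        bits.append(sum(c / n * math.log2(n / c) for c in counts.values()))
    return bits

def weak_positions(tokens, alphabet_size, min_ratio=0.8):
    """Positions whose entropy is below min_ratio of the best achievable value."""
    best = math.log2(min(alphabet_size, len(tokens)))
    return [i for i, h in enumerate(position_entropy(tokens)) if h < min_ratio * best]

def constructed_sample():
    """Constructed tokens: fixed prefix 'u7', 2-hex-digit counter, 4 hash-derived hex digits."""
    tokens = []
    for i in range(256):
        tail = hashlib.sha256(str(i).encode()).hexdigest()[:4]
        tokens.append(f"u7{i:02x}{tail}")
    tokens.append("x" * 20)  # constructed outlier, e.g. an error value captured by mistake
    return tokens

if __name__ == "__main__":
    sample = filter_by_length(constructed_sample(), max_deviation=2)
    print(len(sample), "tokens kept")
    for i, h in enumerate(position_entropy(sample)):
        print(f"position {i}: {h:.2f} bits")
    # Positions 0-1 are constant. The counter digits at 2-3 still look uniform
    # per position, so a character-count check is only one signal among several.
    print("weak positions:", weak_positions(sample, alphabet_size=16))
```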

Congratulations! You now know about the Sequencer tab in Burp Suite. In the next part, we will discuss the Repeater tab.
