Screenshots - click to enlarge
Burp Sequencer is a tool for analyzing the degree of randomness in security-critical tokens issued by an application. It is typically used to test the quality of an application's session tokens or other items, such as CSRF nonces, on whose unpredictability the application depends for its security.
Burp Sequencer lets you:
- Send requests that return a security token from other Burp Suite tools to test in Burp Sequencer.
- Reissue the same request repeatedly, to generate a large sample of tokens for statistical analysis.
- Perform a rigorous set of tests, including the standard FIPS tests and others, to estimate the degree of randomness within the sample, at both the character and bit level.
- Start performing the analysis with as few as 100 tokens, and re-perform this as a larger sample is collected, up to the FIPS-recommended sample size of 20,000 tokens.
- View an intuitive, at-a-glance summary of all the tests performed, letting you quickly understand the overall quality of randomness.
- Review detailed, graphical test output, letting you drill down into the detailed reasons why individual parts of the token passed or failed each test.
- Load an existing sample of tokens for analysis, if these have already been captured elsewhere.
Burp Sequencer is often highly useful in providing rigorous analysis of an application's session tokens, in cases where these can appear random to both the naked eye and to simpler, scatter-graph based, analyses. It also enables consultants to provide their clients with output to demonstrate that some meaningful work has been done in this often overlooked area of security.