Using Sequencer to check Randomness of Token

Sequencer is an interesting tool in Burp Suite. It allows us to see how much data is random. Application require different random token for multitude of things like "session ID, anti-csrf tokens, password reset tokens, user account activation tokens"

For instance we will use mutillidae CSRF-2013 exercise where we will login and see the randomness of the token generated in the request.

  • First of all register an account and click on create account keeping intercept on in Burp csrftoken

  • Now you will see request in Burp, just look for CSRF token with its value. csrfhighlight

  • Send this request to Sequencer via the context menu.

  • Now (1) choose the CSRF token as shown in below image from the "Token location within Response" and click on "Start live capture" button. csrftokenseq

  • After few tokens are being captured, click on "Analyze Now" button to see the result of randomness.

finalseq

  • For now we can focus on the "Overall Result", once you become more productive with this, you can see other result tabs also.
  • Here we find our analyzed "Overall Result" to be excellent which means randomness of token is excellent.

results matching ""

    No results matching ""