Burpsuite Sequencer for Pentesters (PART-6)

SEQUENCER:INTRODUCTION

The burpsuite sequencer is used to assess the quality of randomness in a sample of data objects. It primarily examines the randomness of an application’s session tokens and other key data. Cookies and anti-CSRF tokens are examples of session tokens that are commonly used for authentication in sensitive operations.

Token location with response

• Cookie – If the response sets any cookies, this option will let you select a cookie to analyze.
• Form field – If the response contains any HTML form fields, this option will let you select a form field value to analyze.
• Custom location – You can use this option to specify a specific custom location within the response containing the data you want to analyze.

Live Capture

• Number of threads – Select the number of concurrent requests that the live capture can send to the server here.
• Throttle between requests – The live capture can optionally wait for a set delay (in milliseconds) before each request. This option is important for not overwhelming the program or for being more stealthy.
• Ignore token whose length deviates by X characters – Client can set the live capture to ignore tokens with lengths that differ by a defined threshold from the average token length.

• Token handling – This allows clients to control how tokens are handled during analysis.
• Token analysis – This allows clients to control the types of analysis that are performed at the character level.

How to use a sequencer

• Locate a request that includes a token. This can be done on the proxy or site map tabs. Other endpoints will be required depending on the sort of token you are attempting to test.
• The CSRF token: The endpoint that responds with a CSRF token
• JWT token: Typically used as a login endpoint. Right-click that request and send it to the sequencer.

Here u can see that in a login attempt we get the session id and we will now send it to the sequencer to find the randomness.

After sending it to the sequencer here we can see the host and now we can now start capturing which will take a good amount of time to complete.

The window “Burp Sequencer [live capture]” will appear.

The Burp Sequencer will issue the request multiple times and collect the relevant token from the application’s answers. The window displays the progress of the capture as well as the quantity of tokens obtained. You may learn more about how the randomness test works, how to analyze the findings and the many analysis choices.

• Pause/resume – This suspends and resumes the capture.
• Stop – This stops the live capture for good.
• Copy tokens – This copies the tokens that are presently being recorded to the clipboard.
• Save tokens – This saves the tokens that are presently being captured to the specified file.
• Auto-analyze – If this option is enabled, Burp will do token analysis automatically and update the results frequently throughout live capture.
• Analyze now – This option is accessible after capturing a minimum of 100 tokens and prompts Burp to analyze the current sample and update the results.

Thanks For Visiting, Hope you enjoyed Burpsuite Sequencer for Pentesters blog.

In the Next part we are going to learn Further essential Topics of the Burp Suite.