Introduction
In this lab, you will learn how to use Burp Sequencer, a powerful tool within Burp Suite for analyzing the quality of randomness in an application's session tokens. Predictable session tokens can be guessed or calculated by an attacker, leading to session hijacking vulnerabilities.
By the end of this lab, you will be able to capture login requests, send them to Burp Sequencer, configure the tool to analyze a specific token, and interpret the results to assess its randomness. This is a fundamental skill for web application security assessment.
Find a Login Request that Sets a Session Cookie
In this step, you will launch Burp Suite, use its built-in browser to log into a test application, and find the request that establishes a session.
First, you need to start Burp Suite. You can typically find it in the application menu or launch it from the terminal. For this lab, we will assume Burp Suite is ready to be launched.
- Open the Terminal from the desktop.
- Launch Burp Suite. The exact command may vary, but it is often a script. For this environment, we will assume it's available.
- Once Burp Suite is open, go to the "Proxy" tab, and then the "Intercept" sub-tab. Ensure that interception is turned off for now by clicking the "Intercept is on" button.
- Next, go to the "Proxy" -> "HTTP history" tab. This is where all traffic will be logged.
- Click the "Open Browser" button. This will launch Burp's pre-configured Chromium browser.
- In the browser, navigate to a login page. For this lab, we will use a hypothetical login page. In a real test, this would be your target application.
- Enter any credentials, for example, "user" as the username and "password" as the password, and click the login button.
- Return to the Burp Suite window and look at the "Proxy" -> "HTTP history" tab. You should see a list of requests. Find the POST request to the login endpoint. Click on it.
- In the request/response viewer below, click on the "Response" tab. Look for a Set-Cookie header. It will look something like this:
HTTP/1.1 302 Found
...
Set-Cookie: sessionID=q8f...; path=/; HttpOnly
...
This sessionID is the token we want to analyze. You have successfully identified the target request.
Right-Click the Request in Proxy History and 'Send to Sequencer'
In this step, you will send the login request you identified to the Burp Sequencer tool for analysis.
Now that you have located the POST request that sets the session cookie in your Proxy history, you need to isolate it for analysis.
- In the "Proxy" -> "HTTP history" tab, make sure the correct POST request is still selected.
- Right-click anywhere on the request's entry in the history table. This will open a context menu with many options.
- From the context menu, navigate to and click on "Send to Sequencer".
This action sends a copy of the selected request to the Sequencer tool. You will now see the Sequencer tab header turn orange, indicating it has received a new item.
- Click on the "Sequencer" tab to switch to the tool. You will see the request you just sent loaded into the "Live Capture Request" panel.
In Sequencer, Select the Response Containing the Cookie
In this step, you will confirm that Burp Sequencer can correctly issue the request and receive a response containing the session token.
Inside the Sequencer tab, you'll see the request you sent from the Proxy. Before you can configure the token location, you need to ensure Sequencer can successfully get a response.
- In the "Sequencer" tab, look at the "Select Live Capture Request" panel. The request should already be loaded.
- Click the "Start live capture" button located at the top of this panel.
Burp will send the request one time and display the response it received. This allows you to verify that the request is valid and that the server is responding with a session token as expected. The response will appear in the panel below the request.
You should see the Set-Cookie header in the response, just as you did in the Proxy history. This confirms that Sequencer is ready for the next step of configuration. If you get an error, you may need to go back to the Proxy and find a different request.
Configure the Token Location Within the Response
In this step, you will tell Burp Sequencer exactly where to find the session token in the server's response. This is the most important configuration step.
After starting the live capture and receiving a valid response, you must define the location of the token you want to analyze.
- Scroll down to the "Token Location Within Response" section.
- You have two main options: "Custom location" and "Defined in a cookie". Since the token is in a Set-Cookie header, the second option is the easiest.
- Click the radio button next to "Defined in a cookie".
- A dropdown menu will become active. Click on it and select the name of the session cookie you identified earlier (e.g., sessionID).
By selecting the cookie, you are telling Sequencer to automatically extract the value of that specific cookie from every response it receives. This value is what will be analyzed for randomness.
Once the cookie is selected, the configuration is complete. Sequencer now knows which request to send and where to find the token in the response.
Start a Live Capture and Analyze the Randomness Results
In this step, you will begin collecting a large sample of tokens and then use Sequencer's statistical engine to analyze their randomness.
With the configuration complete, you are ready to start the analysis.
- Click the "Start live capture" button again. This time, Burp will continuously send the request and collect the session tokens from each response.
- Watch the "Live Capture" results panel. You will see the "Request count" and "Tokens collected" numbers increase.
- Let the capture run until you have collected at least 2,000 tokens. For a thorough analysis, 10,000 to 20,000 tokens are recommended, but 2,000 is sufficient for this lab.
- Once you have enough tokens, click the "Pause" button, and then click the "Analyze now" button.
Burp will perform a number of statistical tests on the collected tokens. The results will be displayed in several tabs.
- Focus on the "Summary" tab. This gives you an overall assessment of the token's quality. The most important metric is the overall quality of randomness, which is estimated in bits of effective entropy.
A high amount of entropy (e.g., 128 bits) indicates a very strong, unpredictable token. A low amount (e.g., less than 64 bits) may indicate a weakness that could be exploited. The summary will give you a clear "Excellent", "Good", "Poor", or "Insecure" rating.
You can explore the other tabs, such as "Character-level analysis" and "Bit-level analysis", to dig deeper into any potential weaknesses found.
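To make the two configuration ideas above concrete, the cookie extraction that "Defined in a cookie" performs and the kind of per-position character-level entropy estimate a low "bits of effective entropy" score reflects, here is an added stand-alone example; it is not part of the lab or of Burp Suite, its responses and the weak "q8f" counter generator are constructed, and the entropy estimate is a simplified Shannon sum, not Sequencer's actual test battery.

```python
import math
import re
import secrets
from collections import Counter

COOKIE_NAME = "sessionID"  # cookie name from the lab's Set-Cookie example
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;\r\n]*)", re.I | re.M)

def extract_cookie(response: str, name: str = COOKIE_NAME):
    """Like Sequencer's 'Defined in a cookie': return one named cookie's value."""
    for match in SET_COOKIE_RE.finditer(response):
        if match.group(1) == name:
            return match.group(2)
    return None

def make_response(token: str) -> str:
    """Constructed stand-in for the login endpoint's 302 response."""
    return ("HTTP/1.1 302 Found\r\nLocation: /home\r\n"
            f"Set-Cookie: {COOKIE_NAME}={token}; path=/; HttpOnly\r\n\r\n")

def weak_token(i: int) -> str:
    """Constructed weak generator: constant prefix plus a zero-padded counter."""
    return f"q8f{i:06d}"

def strong_token(_: int) -> str:
    """Generator backed by a CSPRNG: 128 random bits as 32 hex characters."""
    return secrets.token_hex(16)

def live_capture(n: int, generator) -> list[str]:
    """Simulate the capture loop: issue n requests, extract the cookie each time."""
    tokens = [extract_cookie(make_response(generator(i))) for i in range(n)]
    return [t for t in tokens if t is not None]

def character_level_entropy(tokens: list[str]) -> float:
    """Simplified character-level estimate (not Burp's exact tests): sum the
    Shannon entropy, in bits, of the character observed at each position."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    total = 0.0
    for pos in range(width):
        for count in Counter(t[pos] for t in tokens).values():
            total -= count / n * math.log2(count / n)
    return total

if __name__ == "__main__":
    for name, gen in (("weak", weak_token), ("strong", strong_token)):
        sample = live_capture(2000, gen)
        print(f"{name}: ~{character_level_entropy(sample):.1f} bits over {len(sample)} tokens")
```

With 2,000 samples the counter-based token scores roughly 11 bits because only its last four digits vary, while the CSPRNG token approaches its full 128 bits; a fixed prefix such as "q8f" contributes nothing, which is exactly what the "Character-level analysis" tab would show position by position.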
Summary
In this lab, you have successfully learned how to use Burp Sequencer to perform a statistical analysis of session tokens.
You practiced the entire workflow:
- Capturing a login request that sets a cookie using the Burp Proxy.
- Sending that request to the Sequencer tool.
- Configuring Sequencer to locate the session token within the server's response.
- Running a live capture to collect a large sample of tokens.
- Analyzing the collected data to determine the effective entropy and overall quality of the token's randomness.
This process is a critical part of any web application security test, as it helps identify one of the most common and severe vulnerabilities: predictable session management.
