For most of the websites we use, we do so under the impression that we have some degree of safety. We hope that a password-protected login screen will keep the bad guys out. Unfortunately, this isn’t entirely the case. One of the many ways hackers can access your account is called “Session ID Hijacking”. Essentially, when you log into your Facebook or eBay account, the server spits out a random combination of characters called your “Session ID”, the point of which is to differentiate you from other users, and the page you’re currently on from other pages. It’s the computer version of “Welcome Mr Smith, enjoy your stay.” If a hacker can get their hands on the right session ID, they can bypass the entire verification process, hop straight into “Welcome Mr Smith”, and access all of your data with relative ease. Each session ID is supposed to be randomised so that no one can guess one. This is where Burp’s Sequencer tool comes in.
The Sequencer is used to test the overall “randomness” of a variable that an application’s server provides. Not only that, but it also runs a number of different statistical tests to check how easily the variable could be guessed. It is used most commonly on session IDs, because these are usually the most important things to keep random on a website; however, other values such as cookies and anti-CSRF tokens may also be susceptible.
So, the first step to using the Sequencer is to find the page you want to test, either through the Spider or by clicking around manually. Send a request to the page and get a response back. On a login screen, this would mean entering any username-password combo just to get an answer from the site. Right-click the response and press “Send to Sequencer”.
Go to the ‘Sequencer’ tab. Don’t bother fiddling with all of the different options and menus; what you want to direct your attention to is the “Token Location within Response” section in the “Live Capture” subtab. This is where you select what it is that you want to test for randomness. If Burp hasn’t already found it for you in the “Cookies” or “Form Field” drop-down boxes, you can select it manually by clicking “Configure”, highlighting the token in the response and clicking “OK”.
Now click “Start Live Capture”. Burp will repeatedly send the request to the server and record the token it finds in each response. It may be a little slow, but if you aren’t in a rush, wait it out until it has captured twenty thousand tokens so you can make a good analysis. The Sequencer gives you lots of different analyses; you can look at the individual tests by clicking through the tabs, but Burp does give you an overall summary on the first page. Take note that the Sequencer only gives you the information; it doesn’t actually tell you what to do with it.
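To make the idea behind the Sequencer’s summary concrete, here is a small added example (not code from the original post or from Burp) that performs the same kind of character-level analysis on a sample of session tokens. It compares two constructed generators: a weak one that simply counts upwards, rendered as hex, and a strong one backed by the operating system’s CSPRNG via Python’s `secrets` module. The per-position Shannon entropy and the summed bits-per-token figure are the same quantities the Sequencer’s character-level tests report; the token format, sample size and generator names are assumptions made for the example.

```python
"""Added example (not from the original post or from Burp): a self-contained
imitation of the character-level analysis Burp Sequencer performs on a sample
of session tokens.  Two constructed generators are compared: a weak counter
rendered as hex, and a strong one backed by the OS CSPRNG."""
import math
import secrets
from collections import Counter
from typing import Iterable, List


def weak_tokens(n: int, seed: int = 0x1000) -> List[str]:
    """Constructed weak generator: a counter rendered as 16 hex characters.
    Most character positions never change, so the token carries almost no
    entropy even though it looks like a random hex string."""
    return [f"{seed + i:016x}" for i in range(n)]


def strong_tokens(n: int) -> List[str]:
    """Constructed strong generator: 8 bytes from the OS CSPRNG (64 bits)."""
    return [secrets.token_hex(8) for _ in range(n)]


def shannon_entropy(symbols: Iterable[str]) -> float:
    """Shannon entropy, in bits, of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def per_position_entropy(tokens: List[str]) -> List[float]:
    """Entropy of each character position across the whole sample, the same
    idea as Sequencer's character-level analysis.  Assumes equal-length tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [shannon_entropy(t[i] for t in tokens) for i in range(length)]


def estimated_bits(tokens: List[str]) -> float:
    """Sum of the per-position entropies: an upper bound on the effective
    randomness of one token, since correlations between positions are ignored.
    A fixed-format token that scores far below its nominal size is a red flag."""
    return sum(per_position_entropy(tokens))


def constant_positions(tokens: List[str], threshold: float = 0.01) -> int:
    """Number of character positions that (almost) never change."""
    return sum(1 for e in per_position_entropy(tokens) if e < threshold)


def main() -> None:
    sample = 2000  # constructed sample size; Sequencer recommends far more
    for name, toks in (("weak", weak_tokens(sample)), ("strong", strong_tokens(sample))):
        print(f"{name:6s}: ~{estimated_bits(toks):5.1f} bits/token, "
              f"{constant_positions(toks)} constant positions")


if __name__ == "__main__":
    main()
```

Both token sets are sixteen hex characters long, so a naive observer would credit each with 64 bits. The per-position view shows why the Sequencer’s numbers matter more than the token’s length: the counter-based tokens leave thirteen positions fixed and score only a handful of bits, while the CSPRNG tokens come out close to the full 64.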