In this article we will learn about Session randomness analysis with Burp Suite sequencer.
Introduction with Session randomness analysis:
Web application users are identified by a session ID. An attacker can impersonate a user if the generated sessions are predictable. This article introduces the Burp Suite Sequencer and shows how it can be used to analyze session randomness.
Burp suite sequencer
The sequencer is part of the Burp Suite, which is an integrated website security testing platform . Burp Suite Sequencer is useful in analyzing session randomness.
Let’s describe how to perform this analysis. The penetration tester intercepts a request (using the Burp Suite Proxy) whose response contains the session ID. Then the request is sent to the Burp Suite Sequencer. Then the penetration tester must select a field in the response for which the randomness will be analyzed (in this example, the session ID). The Burp Suite Sequencer is running. At least 100 requests must be sent for Burp Suite Sequencer to perform analysis.
A DVWA (Damn Vulnerable Web Application) is a web application that is intentionally vulnerable . It’s useful for those who want to play around with web application security. DVWA is part of Metasploitable.
Metasploitable is a Linux-based virtual machine that is intentionally vulnerable . It can be used, for example, to practice penetration testing skills. Note that this machine is vulnerable and should not work in bridge mode.
This article shows how to analyze the randomness of session IDs generated by DVWA.
Request a wiretap
When a penetration tester first visits DVWA, the following request is sent (captured by Burp Suite Proxy).
Let’s analyze the response to this request.
As we can see, the cookie with PHPSESSID is set. Now the penetration tester sends the request many times and parses the PHPSESSID values in the responses. No need to do it manually. This can be done automatically with the Burp Suite Sequencer.
Sending a request to the Burp suite sequencer
Right-click on the captured request with Burp Suite Proxy and choose “Send to Sequencer”.
Running the Burp suite sequencer
A penetration tester wants to check the randomness of the PHPSESSID in the response. That’s why they have to select it in “Token Location Within Response”. Then click “Start live capture” to launch the Burp Suite Sequencer.
Burp suite sequencer — PHPSESSID randomness analysis
When this tool is run, requests are sent and the PHPSESSID values are parsed in the responses. Analysis can start after 100 requests (“Analyze now” button).
As we can see, the “Overall Result” section shows information about the PHPSESSID randomness in a sample of 189 requests. PHPSESSID values can be saved to a file (“Save Tokens” button; the result is shown below).
Also Read:WH ApkCrypter V2 2023
An attacker can impersonate a user if the generated sessions are predictable. This article introduced the Burp Suite Sequencer and showed how to use the tool to analyze session randomness. Another application of the Burp Suite Sequencer can be, for example, CSRF token randomness analysis.
- Burp Suite (access date: 8 January 2014)
- DVWA (Damn Vulnerable Web Application) access date: 8 January 2014)
- Metasploitable (access date: 8 January 2014)