Burp Sequencer
The Burp Sequencer tool is used to check the extent of randomness in the session tokens generated by the web application. A brute force attack enumerates every possible token value in an attempt to gain authenticated access to the web application, so a high degree of randomness in the session token IDs is important. For this Burp Suite training tutorial, let us start by sending a request that contains a session token to Sequencer.
Token request using sequencer
Figure 1 shows a token request to the website google.com. The right side of the screenshot has the token start and token end expressions. You can either specify an expression such as “Google” or set the offset from which the token starts. The same applies to the token end panel, where you can set a delimiter or specify a fixed length for the captured token. After fixing these parameters, click START CAPTURE.
Start capture action panel
The start capture action panel is depicted in Figure 2. It sends repeated requests to the target and gives a detailed analysis of the randomness in the cookie tokens. You can pause or stop the analysis at any point. For this Burp Suite training tutorial, stop the scan midway and check out the results. The screenshot in Figure 3 explains the results better.
Token randomness analysis results
The scan components are as follows:
- Overall result
- Effective entropy
- Reliability
- Sample size
For this Burp Suite training tutorial, let us look at the following options provided by Burp sequencer. None of these is compulsory for analysis and they can be chosen or dropped as desired.
1. Character count analysis
This test analyzes the distribution of characters used at each position within the tokens.
2. Character transition analysis
This test analyzes the transitions between the characters at each position in successive tokens. Depending on the randomness of the characters, the transition statistics vary.
3. FIPS monobit test
This test analyzes the distribution of 0s and 1s at each bit position. If the generation is random, the two values are expected to occur approximately equally often.
4. FIPS poker test
This divides the bit sequence into consecutive, non-overlapping groups of four bits. The distribution of the resulting 4-bit values is evaluated with a chi-square calculation.
5. FIPS runs test
As the name suggests, the bit sequence is divided into runs of consecutive bits with the same value, and the number of runs of each length is evaluated.
6. FIPS long runs test
Similar to the FIPS runs test, this test looks at the longest run of consecutive bits with the same value.
7. Spectral tests
This is an advanced method with complex statistical analytics. It treats a bit sequence as a point in multidimensional space and performs the analysis there.
8. Correlation test
The tests described thus far analyze each bit in isolation. The correlation test combines these isolated results and presents the analysis by considering the bits as a whole.
9. Compression test
This test works on the principle of the standard ZLIB compression technique. The bit sequences are compressed and the degree of compression is calculated. A higher degree of compression translates to a lower degree of randomness.
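As an added example that is not part of this tutorial or of Burp itself, here are simplified Python versions of the monobit, poker and long runs tests described above, with the monobit check also taken per bit position across the sampled tokens. It assumes hex-encoded tokens and uses two constructed samples: a plain counter (predictable) and SHA-256 hashes of a counter (random-looking).

```python
import hashlib
from collections import Counter

FIPS_BITS = 20_000  # FIPS 140-2 defines its statistical tests over a 20,000-bit stream

def tokens_to_bits(tokens):
    """Hex tokens -> list of equal-length bit strings (most significant bit first)."""
    width = len(tokens[0]) * 4
    return [format(int(t, 16), f"0{width}b") for t in tokens]

def ones_fraction_by_position(rows):
    """Per-position monobit view: fraction of tokens with a 1 in each bit column.
    Near 0.5 means balanced; exactly 0.0 or 1.0 means that bit never changes."""
    return [sum(r[i] == "1" for r in rows) / len(rows) for i in range(len(rows[0]))]

def monobit_count(stream):
    """Ones in the stream; FIPS 140-2 expects 9725 < count < 10275 on 20,000 bits."""
    return stream.count("1")

def poker_chi_square(stream):
    """FIPS poker test: consecutive non-overlapping 4-bit groups, chi-square statistic
    X = (16/k) * sum(f_i^2) - k over nibble counts f_i; FIPS 140-2 passes 2.16 < X < 46.17."""
    k = len(stream) // 4
    freq = Counter(stream[4 * i:4 * i + 4] for i in range(k))
    return (16 / k) * sum(f * f for f in freq.values()) - k

def longest_run(stream):
    """FIPS long runs test: longest run of identical consecutive bits (a run of 26 or more fails)."""
    best = cur = 1 if stream else 0
    for prev, bit in zip(stream, stream[1:]):
        cur = cur + 1 if bit == prev else 1
        best = max(best, cur)
    return best

def analyse(tokens):
    """Run every test on a token sample; the stream is truncated to the FIPS length."""
    rows = tokens_to_bits(tokens)
    stream = "".join(rows)[:FIPS_BITS]
    return {
        "fixed_positions": sum(f in (0.0, 1.0) for f in ones_fraction_by_position(rows)),
        "monobit_ones": monobit_count(stream),
        "poker_chi_square": poker_chi_square(stream),
        "longest_run": longest_run(stream),
    }

# Constructed samples (assumption): a plain counter, which is predictable, and SHA-256 of
# a counter, which looks random to these tests; 80 x 256-bit hashes exceed 20,000 bits.
COUNTER_TOKENS = [f"{i:08x}" for i in range(256)]
HASHED_TOKENS = [hashlib.sha256(str(i).encode()).hexdigest() for i in range(80)]
```

Calling analyse(COUNTER_TOKENS) reports 24 bit positions that never change, a poker statistic of 17280 and a 63-bit run of zeros, while analyse(HASHED_TOKENS) stays within the FIPS bounds.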
Burp Decoder
Any request, or a selected part of one, can be sent to the Burp Decoder tool. Within Decoder there are multiple options to encode or decode the data in various formats such as base64, URL encoding, and so on. There are also options to convert it to hashes such as MD5 or SHA-1.
Burp Decoder
Figure 4 depicts a Burp Decoder request. For our Burp Suite training tutorial, consider an encoded request such as the one shown in Figure 5. The upper portion shows a request encoded in the base64 format while the lower one depicts the request decoded into plain text. While the entire request has been encoded here, you could also selectively choose a portion of the request to decode or encode.
Encoded Request
This tool is useful when the client side transforms the username and password with commonly used hashes or encoders before sending them. The username or password field can be selectively decoded and the content then viewed in plaintext.
Burp Comparer
Burp Comparer is used for comparisons between two sets of data. For instance, the two sets could be the responses to two different requests. The comparison can be performed either word by word or bit by bit. Burp automates this process for the user and compares the two requests or responses accordingly. For this Burp Suite training tutorial, the comparison shown in Figure 6 is of two different requests to a website.
Comparison of requests to a website
This ends the Burp Suite training tutorial series. The extent to which Burp Suite can be used is limited only by the imagination of the user.