Getting started with Burp Sequencer

  • Last updated: July 6, 2023

  • Read time: 1 Minute

In this tutorial, you'll use Burp Sequencer to analyze the quality of randomness in an application's session tokens.


Burp Sequencer may have unexpected results in some applications. Until you are fully familiar with its functionality and settings, only use Burp Sequencer against non-production systems.

  1. Open Burp's browser and access a deliberately vulnerable test website, such as
  2. Go to Proxy > HTTP history and find an entry with a response that issues a session token, for example in a Set-Cookie header. To quickly find issued cookies, you can sort the Cookies column in the history.
  3. Right-click the entry and click Send to Sequencer.
  4. Go to the Sequencer tab. The entry you just sent to Sequencer is automatically selected in the Select live capture request panel.
  5. Select a cookie in the Token location within response panel.
  6. Click Start live capture.
  7. When Burp has captured a few hundred tokens, click Pause.
  8. To run randomness tests on the tokens, click Analyze now.

The analysis results are displayed in the Live capture window. They show a summary of the quality of randomness in the sample.

Was this article helpful?