Professional, Community Edition
Getting started with Burp Sequencer
Last updated: October 1, 2025
Read time: 1 Minute
In this tutorial, you'll use Burp Sequencer to analyze the quality of randomness in an application's session tokens.
Note
Burp Sequencer may have unexpected results in some applications. Until you are fully familiar with its functionality and settings, only use Burp Sequencer against non-production systems.
- Open Burp's browser and access a deliberately vulnerable test website, such as https://ginandjuice.shop/.
- Go to Proxy > HTTP history and find an entry with a response that issues a session token, for example in a Set-Cookie header. To quickly find issued cookies, you can sort the Cookies column in the history.
- Right-click the entry and click Send to Sequencer.
- Go to the Sequencer tab. The entry you just sent to Sequencer is automatically selected in the Select live capture request panel.
- Select a cookie in the Token location within response panel.
- Click Start live capture.
- When Burp has captured a few hundred tokens, click Pause.
- To run randomness tests on the tokens, click Analyze now.
The analysis results are displayed in the Live capture window. They show a summary of the quality of randomness in the sample.
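To illustrate the kind of statistical check a randomness analysis performs on a sample of captured tokens, the following added example (not part of the PortSwigger documentation and not Burp Sequencer's implementation) runs a per-bit frequency (monobit) test over two constructed token samples. The function names, the 0.001 significance level and the sample tokens are assumptions made for the illustration.

```python
import hashlib
import math

def bit_p_values(tokens):
    """Monobit test per bit position: p-value that the count of 1s fits a fair coin."""
    n = len(tokens)
    width = min(len(t) for t in tokens) * 8
    p_values = []
    for pos in range(width):
        # Bit positions are numbered MSB-first across the token bytes.
        ones = sum((t[pos // 8] >> (7 - pos % 8)) & 1 for t in tokens)
        z = abs(ones - n / 2) / math.sqrt(n / 4)  # normal approximation to Binomial(n, 0.5)
        p_values.append(math.erfc(z / math.sqrt(2)))
    return p_values

def failing_bits(tokens, significance=0.001):
    """Bit positions whose 0/1 balance across the sample is too skewed to be random."""
    return [i for i, p in enumerate(bit_p_values(tokens)) if p < significance]

def constructed_strong(n):
    # Constructed sample: 16 bytes of SHA-256 output stand in for CSPRNG tokens,
    # so the run is reproducible offline.
    return [hashlib.sha256(b"strong-%d" % i).digest()[:16] for i in range(n)]

def constructed_weak(n):
    # Constructed sample: fixed 4-byte prefix + 4-byte counter + 8 varying bytes.
    return [b"SESS" + i.to_bytes(4, "big") + hashlib.sha256(b"weak-%d" % i).digest()[:8]
            for i in range(n)]

if __name__ == "__main__":
    for name, sample in (("strong", constructed_strong(400)),
                         ("weak", constructed_weak(400))):
        bad = failing_bits(sample)
        print(f"{name}: {len(bad)} of {len(sample[0]) * 8} bit positions fail: {bad}")
```

In the weak sample the fixed prefix and the high counter bits fail, but the low counter bits (positions 57 to 63) pass because a counter flips them evenly. A balanced bit count alone therefore does not show that a token is unpredictable.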