How it works...
Burp Suite's Sequencer performs different statistical analyses on large amounts of session identifiers (or whatever piece of information from a response we provide to it) to determine whether such data is being randomly generated or whether there may be a predictable pattern that may allow an attacker to generate a valid ID and hijack a session with it.
First, we analyzed a complex session cookie composed by a data structure encoded using the base64 algorithm and what seems to be an SHA-1 hash. We can tell that the first part is base64-encoded because it contains lowercase and uppercase letters, numbers, may also contain a plus symbol (+) or a slash (/), and it also ends in %3D, which is the URL escape sequence for =, a string ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access