Burp Suite User Forum


How exactly does the Burp Sequencer convert tokens to sets of bits for bit-level analysis?

Jeppe | Last updated: Dec 09, 2020 05:25PM UTC

Hi. The documentation for Burp Sequencer's randomness tests (https://portswigger.net/burp/documentation/desktop/tools/sequencer/tests) mentions that tokens are converted into sets of bits. I was wondering how exactly this is done?

For the monobit test, the number of ones and zeros is important. So, if for example "A" is converted to 41 (UTF-8), would the bit equivalent be 101001 or 00101001? It seems the former would lead to there being significantly more ones than zeros due to every character starting with a one, and the latter would lead to significantly more zeros than ones due to prepended zeros. Both would mean failing the test.

I hope this question makes sense. Any help would be appreciated.

Liam, PortSwigger Agent | Last updated: Dec 10, 2020 02:23PM UTC

Thanks for your message. We don’t turn A into 0x41. Instead, we count the charset at each position and map these to bits. So if the first character position contains only A or B, these will map to 0 and 1. If they also contain C and D, the characters will map to 00, 01, 10, 11. And so on.

To enable bit-level analysis, each token is converted into a set of bits, with the total number of bits determined by the size of the character set at each character position. If any positions employ a character set whose size is not a round power of two, the sample data at that position is translated into a character set whose size is the nearest smaller round power of two. The partial bit of data at the position is effectively merged into the whole bits derived from that position.

This translation is done in a way that is designed to preserve the randomness characteristics of the original sample, without introducing or removing any bias. However, no process of this type can be perfect, and it is likely the process of analyzing samples with non-round character set sizes will introduce some inaccuracies into the analysis results.

Please let us know if you need any further assistance.

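The per-position charset-to-bits scheme described in the reply above, as an added worked example that is not PortSwigger's code and not Burp Sequencer's implementation. It builds a codebook per character position from the observed charset, truncates non-power-of-two charset sizes to the nearest smaller power of two, and contrasts the resulting bit stream with the naive fixed-width ASCII expansion the question asks about. The sample tokens are constructed test data, and the modulo folding used for the "partial bit" merge is an assumption; Burp does not document how that merge is actually performed.

```python
"""Per-position charset-to-bits conversion for token randomness analysis.

Hypothetical reimplementation of the scheme described in the forum reply;
not PortSwigger's code. SAMPLE_TOKENS is constructed test data.
"""
from typing import Dict, List, Tuple

# Constructed sample: position 0 uses {A,C}, position 1 uses {A,B,C,D},
# position 2 uses {x,y,z} (size 3, not a power of two), position 3 is constant.
SAMPLE_TOKENS: List[str] = ["AAx=", "ABy=", "CCz=", "CDx=", "ADy=", "CAz="]


def position_charsets(tokens: List[str]) -> List[List[str]]:
    """Sorted set of characters observed at each position across all tokens."""
    if not tokens:
        raise ValueError("need at least one token")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [sorted({t[i] for t in tokens}) for i in range(length)]


def bits_for_charset(size: int) -> int:
    """Whole bits a charset of this size yields: floor(log2(size)).

    A size that is not a power of two is rounded down to the nearest smaller
    power of two, as the reply describes (3 -> 2 -> 1 bit, 5 -> 4 -> 2 bits).
    A constant position (size 1) contributes no bits at all.
    """
    return size.bit_length() - 1 if size >= 1 else 0


def build_codebooks(tokens: List[str]) -> List[Tuple[int, Dict[str, int]]]:
    """For each position, (bit width, char -> code) from the observed charset.

    ASSUMPTION: characters past the power-of-two boundary are folded back onto
    the low codes with a modulo. Burp's real merge step is undocumented; this
    is one simple reading of "merged into the whole bits".
    """
    codebooks = []
    for charset in position_charsets(tokens):
        k = bits_for_charset(len(charset))
        width = 1 << k
        codebooks.append((k, {c: idx % width for idx, c in enumerate(charset)}))
    return codebooks


def token_to_bits(token: str, codebooks: List[Tuple[int, Dict[str, int]]]) -> str:
    """Bit string for one token: each position contributes its k-bit code."""
    out = []
    for ch, (k, codebook) in zip(token, codebooks):
        if k == 0:
            continue  # constant position: no entropy, no bits
        out.append(format(codebook[ch], f"0{k}b"))
    return "".join(out)


def monobit_counts(tokens: List[str]) -> Tuple[int, int]:
    """(zeros, ones) over the charset-derived bit stream of a whole sample."""
    codebooks = build_codebooks(tokens)
    stream = "".join(token_to_bits(t, codebooks) for t in tokens)
    return stream.count("0"), stream.count("1")


def ascii_monobit_counts(tokens: List[str], width: int = 8) -> Tuple[int, int]:
    """(zeros, ones) if tokens were naively expanded to fixed-width ASCII.

    This is the encoding the question asks about; Burp does not use it.
    With width=7 every letter starts with a 1, with width=8 with a 0.
    """
    stream = "".join(format(ord(ch), f"0{width}b") for t in tokens for ch in t)
    return stream.count("0"), stream.count("1")


if __name__ == "__main__":
    books = build_codebooks(SAMPLE_TOKENS)
    for pos, (k, book) in enumerate(books):
        print(f"position {pos}: {k} bit(s), codebook {book}")
    for t in SAMPLE_TOKENS:
        print(t, "->", token_to_bits(t, books))
    print("charset-derived (zeros, ones):", monobit_counts(SAMPLE_TOKENS))
    print("naive 8-bit ASCII (zeros, ones):", ascii_monobit_counts(SAMPLE_TOKENS))
```

Running the script shows the point of the reply: the constant "=" position and the fixed high bits of ASCII never reach the monobit count under the charset-derived scheme, whereas the fixed-width ASCII expansion feeds every token with the same structural zeros or ones regardless of how random the token actually is. The folding at position 2 is where the "inaccuracies" the reply warns about come from: x and z share a code, so a uniform choice among x, y, z yields a biased bit.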