Using Burp-Suite Sequencer to Compare CSRF-token strengths

Author: Jeremy Druin
Twitter: @webpwnized
Description: Using Burp Sequencer we compare the predictability (strength) of the cross-site request forgery tokens used in Mutillidae on the add-to-your-blog.php page. The page uses very strong tokens in security level 5, but security level 1 uses non-random tokens. Burp Sequencer reports the randomness as an estimated number of bits of entropy.
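To make the "bits of entropy" figure concrete, here is an added example (it is not code from the video, from Mutillidae or from Burp Suite) that estimates token entropy the way a character-level analysis does: it measures the Shannon entropy at each character position across a sample of tokens and sums the positions. The two token generators, the sample size of 256 and the 64-bit acceptance threshold are constructed for this example; the counter-based `weak_tokens` scheme stands in for a non-random token and `strong_tokens` uses the operating system CSPRNG.

```python
"""
Added example (not from the video or Mutillidae): estimate the entropy of a
sample of CSRF tokens with a per-character-position Shannon entropy, the same
character-level view Burp Sequencer presents, and compare a constructed
non-random token scheme with tokens drawn from a CSPRNG.
"""
import math
import secrets
from collections import Counter


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits, of the empirical distribution of `symbols`."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def per_position_entropy(tokens):
    """Entropy at each character position across the whole sample.

    A position that always holds the same character contributes 0 bits; a hex
    digit that is uniformly distributed contributes at most 4 bits. With n
    samples a single position can never measure above log2(n) bits, so the
    sample size bounds what this estimate can show (Sequencer asks for
    thousands of tokens for the same reason).
    """
    width = min(len(t) for t in tokens)
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(width)]


def estimate_token_entropy(tokens):
    """Sum of the per-position entropies.

    This treats positions as independent, so it is an optimistic estimate: a
    counter or timestamp embedded in the token makes positions correlated and
    the real unpredictability is lower than the sum suggests.
    """
    return sum(per_position_entropy(tokens))


def weak_tokens(count):
    """Constructed stand-in for a non-random token: a counter rendered as
    32 hex characters. It looks like a real token but is fully predictable."""
    return [f"{i:032x}" for i in range(count)]


def strong_tokens(count):
    """Tokens from the OS CSPRNG, 128 bits each, rendered as 32 hex characters."""
    return [secrets.token_hex(16) for _ in range(count)]


def verdict(tokens, minimum_bits=64.0):
    """Defender-side check on a captured sample: enough measured entropy, and
    no repeated tokens. The 64-bit threshold is an assumption for this example."""
    bits = estimate_token_entropy(tokens)
    unique = len(set(tokens)) == len(tokens)
    return {"bits": bits, "unique": unique, "acceptable": unique and bits >= minimum_bits}


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(256)), ("strong", strong_tokens(256))):
        v = verdict(sample)
        print(f"{name:6s} estimated entropy: {v['bits']:6.1f} bits  acceptable={v['acceptable']}")
```

With 256 counter tokens only the last two hex positions ever change, so the estimate comes out at 8 bits even though the tokens are unique; the CSPRNG sample lands near the 128-bit maximum that 32 hex characters can carry. Uniqueness alone is therefore not evidence of strength, which is why the check reports both numbers.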

Mutillidae is a free, open source web application designed with vulnerabilities to allow pen testers, students, and security enthusiasts to practice. Mutillidae is available at Sourceforge. Updates about Mutillidae are tweeted @webpwnized. The Mutillidae YouTube channel is located at Thank you for watching. Please support this channel. Upvote, subscribe or even donate by clicking “Support” at!

The webpwnized YouTube channel is dedicated to information security, security testing and ethical hacking. There is an emphasis on web application security, but many other topics are covered. Some of these include forensics, network security, security testing tools and security testing processes. The channel provides videos to encourage software developers and system administrators to perform security testing. Also, the channel educates the next generation of security testers and bug bounty hunters who want to respectfully, legally and ethically help system owners that allow security testing.

Post Author: hatefull