Burp Suite: Other Modules

Overview

This room covers the Burp modules that support analysis rather than direct attack execution: Decoder for transforming data, Comparer for spotting differences, Sequencer for token randomness testing, and Organizer for saving interesting requests. These modules make manual testing faster and cleaner.

Core idea: Burp is not just Proxy/Repeater/Intruder. These supporting modules help you understand data, compare behavior, assess randomness, and keep your workflow organized.

1) Decoder

Decoder is Burp’s data transformation workspace. You can paste values directly into it or send content from other modules with Send to Decoder.

Useful link: Decoder overlaps with what CyberChef is often used for, but keeping the work inside Burp speeds up testing.

2) Decoder in Practice

Common uses during web testing:

  - URL encoding: /  →  %2F
  - ASCII hex: ASCII  →  4153434949

Smart Decode example: strings like Burp can be auto-decoded back into plaintext when Burp recognizes the pattern.

3) Hashing in Decoder

Decoder can generate hashsums directly from input values. This is useful for integrity checks, understanding how applications transform data, or quickly testing whether a visible value may be hashed.

Important: MD5 exists in the list but is deprecated for modern security use. It still matters because older applications may still rely on it.

4) Comparer

Comparer lets you compare two datasets by words or bytes. This is extremely useful when two responses look similar but one subtle difference determines whether an attack worked.

Typical use case: compare an invalid login response with a suspected successful one to locate the exact part of the page or headers that changed.

5) Comparer Example

The room demonstrates this with the support login flow:

  1. Send an invalid login response to Comparer.
  2. Send a valid login response to Comparer.
  3. Compare the two responses by words or bytes.

This is a practical way to spot authentication success when page structure is similar and differences are easy to miss manually.

6) Sequencer

Sequencer tests the randomness of tokens such as session cookies and CSRF values. If tokens are predictable, attackers may be able to guess future values, which can be catastrophic for session management or password reset flows.

Main purpose: assess entropy. High entropy generally means the tokens are hard to predict.

7) Sequencer Workflow

The room uses the admin login form’s loginToken for live capture analysis.

  1. Capture a request to /admin/login/.
  2. Send it to Sequencer.
  3. Select the token location, such as the Form field named loginToken.
  4. Start live capture and collect a large sample set.
  5. Pause and click Analyze now.

Room guidance: around 10,000 samples gives a much more reliable result than a tiny sample size.

8) Reading Sequencer Results

Burp’s report summarizes the effective entropy and the reliability of its estimate.

Interpretation: a report like 117 bits of effective entropy with high confidence strongly suggests the token generation is robust, though statistics are never absolute proof by themselves.
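To make the "effective entropy" idea concrete, here is an added example (not part of the room and not Burp's own Sequencer algorithm) that estimates per-position Shannon entropy over a token sample and sums it, then runs it against two constructed generators: a counter rendered as hex, and a CSPRNG. Sequencer applies a larger battery of statistical tests, so treat this as the simplest first approximation of what its report summarizes.

```python
import math
import secrets
from collections import Counter


def position_entropy(tokens: list[str]) -> list[float]:
    """Shannon entropy (bits) of the character distribution at each position.

    Assumes all tokens have the same length, as Sequencer's character-level
    analysis does; raises otherwise instead of silently truncating.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    result = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return result


def effective_entropy(tokens: list[str]) -> float:
    """Sum of per-position entropies.

    Treats positions as independent, so this is an optimistic estimate: real
    correlations between positions can only lower the true unpredictability.
    """
    return sum(position_entropy(tokens))


def counter_tokens(n: int) -> list[str]:
    """Constructed weak generator: an incrementing counter as 16 hex chars."""
    return [f"{i:016x}" for i in range(n)]


def random_tokens(n: int) -> list[str]:
    """Constructed strong generator: 8 CSPRNG bytes as 16 hex chars."""
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    # Same sample size the room recommends; the gap between the two is stark.
    weak, strong = counter_tokens(10000), random_tokens(10000)
    print(f"counter tokens: {effective_entropy(weak):.1f} bits")
    print(f"CSPRNG tokens:  {effective_entropy(strong):.1f} bits")
```

With 10,000 samples the counter scores roughly 13 bits (only the low hex digits ever vary) while the CSPRNG output approaches the 64 bits its 8 bytes can carry; the sample size caps how close to 4 bits per hex position the estimate can get, which is why tiny samples understate good generators.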

9) Organizer

Organizer is Burp’s note-and-storage module for keeping important requests in one place. It is useful during longer assessments when you want a shortlist of findings, proof requests, or follow-up items.

Practical use: save the requests that show vulnerabilities or interesting behavior so you do not lose them in Burp history later.

Exam Notes (PT1)