How to do it...

Let's test randomness on the generated values using the Burp Suite Sequencer:

  1. To use Burp Suite Sequencer, a response containing the Set-Cookie header value (or another pseudorandom value to be tested) needs to be sent to it. This can be sent either from the HTTP history tab under the Proxy tab or from a response intercepted before it reaches the browser, as shown in the following screenshot:
  2. Burp will automatically populate the Cookie drop-down menu with all the cookie values set in the response. Alternatively, you can use the Custom location field and then the Configure button to designate any location in the response for testing, as shown in the following screenshot:
  3. After defining the value to be tested, click on the Start live capture button. This will start submitting a large number of requests to acquire additional values for the defined parameter. In the example provided, Burp will issue a large number of requests with the PHPSESSID value stripped from the request.
  4. This will cause the server to generate a new session token for each request. By doing this, we can acquire a sample of values that can be subjected to FIPS testing. This consists of a series of tests that evaluate the entropy of the generated pseudorandom numbers. All of these tests can be represented in a graphical format that is easy to understand, as shown in the following screenshot:
  5. For a highly accurate and thorough FIPS test, a total of 20,000 values are needed, but an analysis can be performed with as few as 100 values. In addition to performing a live capture, the Manual load tab can be used to upload or paste a list of values for testing.
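To show what the FIPS tests in step 4 actually measure, here is an added example that is not part of the book's recipe and not Burp's own code: a small Python implementation of the four FIPS 140-2 statistical tests (monobit, poker, runs, long run) over a 20,000-bit sample built from a list of hex-encoded tokens, the same kind of list you would paste into the Manual load tab. The acceptance intervals are the published FIPS 140-2 values; the token samples are constructed in the script (a seeded PRNG versus a zero-padded incrementing counter) and are not captured from any real application. Real session tokens are assumed to be hex-encoded; a base64 token would need decoding first.

```python
import random
from typing import Dict, List, Tuple

# FIPS 140-2 statistical tests over a single 20,000-bit sample. The acceptance
# intervals are the FIPS 140-2 (change notice) values; Burp's Sequencer reports
# the same four tests on its FIPS tab.
STREAM_BITS = 20_000
MONOBIT_RANGE = (9_725, 10_275)            # number of 1 bits, exclusive bounds
POKER_RANGE = (2.16, 46.17)                # chi-square-like statistic, exclusive
RUN_RANGES = {1: (2_315, 2_685), 2: (1_114, 1_386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}  # key 6 means ">= 6"
LONG_RUN_LIMIT = 26                        # any run of this length or more fails


def tokens_to_bits(tokens: List[str]) -> str:
    """Concatenate hex tokens (one per line, as in Burp's Manual load) into a
    bit string and truncate it to exactly STREAM_BITS."""
    bits = "".join(format(int(t, 16), "0{}b".format(len(t) * 4)) for t in tokens)
    if len(bits) < STREAM_BITS:
        raise ValueError(f"need {STREAM_BITS} bits, got {len(bits)}; collect more tokens")
    return bits[:STREAM_BITS]


def monobit(bits: str) -> Tuple[bool, int]:
    """Roughly half of the bits should be 1."""
    ones = bits.count("1")
    return MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1], ones


def poker(bits: str) -> Tuple[bool, float]:
    """Frequency of the 16 possible nibbles across 5,000 4-bit segments."""
    n = len(bits) // 4
    counts = [0] * 16
    for i in range(0, n * 4, 4):
        counts[int(bits[i:i + 4], 2)] += 1
    x = (16 / n) * sum(c * c for c in counts) - n
    return POKER_RANGE[0] < x < POKER_RANGE[1], x


def runs(bits: str) -> Tuple[bool, bool, Dict[int, Dict[int, int]], int]:
    """Count maximal runs of 0s and 1s by length (lengths >= 6 pooled) and track
    the longest run. Returns (runs_ok, long_run_ok, counts, longest)."""
    counts = {0: {k: 0 for k in RUN_RANGES}, 1: {k: 0 for k in RUN_RANGES}}
    longest, i = 0, 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        counts[int(bits[i])][min(length, 6)] += 1
        i = j
    runs_ok = all(lo <= counts[b][k] <= hi
                  for b in (0, 1) for k, (lo, hi) in RUN_RANGES.items())
    return runs_ok, longest < LONG_RUN_LIMIT, counts, longest


def run_fips(tokens: List[str]) -> Dict[str, bool]:
    """Run all four tests and return per-test and overall pass/fail."""
    bits = tokens_to_bits(tokens)
    mono_ok, _ = monobit(bits)
    poker_ok, _ = poker(bits)
    runs_ok, long_ok, _, _ = runs(bits)
    result = {"monobit": mono_ok, "poker": poker_ok, "runs": runs_ok, "long_run": long_ok}
    result["overall"] = all(result.values())
    return result


# Constructed samples (not captured from any real application): 157 x 128-bit
# tokens from a seeded PRNG, enough for one 20,000-bit stream, versus 157 tokens
# that are nothing more than a zero-padded incrementing counter.
_rng = random.Random(20240101)
GOOD_TOKENS = [format(_rng.getrandbits(128), "032x") for _ in range(157)]
COUNTER_TOKENS = [format(1000 + i, "032x") for i in range(157)]

if __name__ == "__main__":
    for name, sample in (("prng", GOOD_TOKENS), ("counter", COUNTER_TOKENS)):
        print(name, run_fips(sample))
```

The counter sample fails immediately on the monobit and long-run tests because its high-order bits are always zero, which is the kind of structure a weak session-ID generator leaks. Note that a pass on these four tests is a necessary condition, not proof of a secure generator: a predictable sequence such as a well-seeded but non-cryptographic PRNG can pass every FIPS test, so the Sequencer's character-level and bit-level analyses, and above all knowledge of how the server generates the token, still matter.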