Advanced web testing workspace
Advanced web testing workflow with Firefox Multi-account containers and Burp suite
Last updated
A workspace proposal to help make web testing smooth while integrating it into your browsing workflow.
Seamlessly browse between projects and different testing accounts
Reduce MFA logins on test accounts and other accounts
Remain secure and integrate privacy into your workflow
Stay agile and organized while minimizing mental clutter
Using Burp Suite Professional (also possible with Community Edition) to perform web testing
Familiarity with Firefox
Our requirement: to switch quickly and efficiently between different environments, users, and sessions while keeping track of ongoing projects.
Firefox - Install the latest version.
Simple Tab Groups - To divide and organize different projects and work environments.
Firefox Multi-Account Containers - GUI wrapper around the Firefox Containers feature; installing this add-on also allows us to easily define proxies for specific containers.
(Optional) Tab Session Manager - To save and backup the tab groups setup.
(Optional) Tree Style Tab - Gives great visibility to the tabs
Assume we have different accounts with different privileges for an application.
By setting up different containers that correspond to the different accounts, we are able to keep track of testing, personal, and work accounts. Most importantly, we are able to separate the accounts into isolated environments.
Let's go further by using a Firefox add-on that allows different tab groups to represent projects or working environments.
We can one-up this by setting the Burp Suite proxy only for specific containers, so that just the chosen account's traffic is routed to Burp for analysis and testing.
Finally, when we access a testing account tab/container, its traffic is immediately proxied to Burp, allowing quick integration with the normal browsing workflow.
Here's an example using a high-privileged account with Burp
And an example of a low-privileged account in the same workspace.
Burp's HTTP history only shows the selected accounts' traffic.
Further filtering can be obtained by adding specific domains to the scope
Target > Scope > Add, and specifying domains, ports, or even specific URL components with regex
There are many more ideas to improve upon this proposal, like adding the container name to the request header, or even helping Burp color the requests according to the color scheme defined in Multi-Account Containers.
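As an added example of the first idea above (this is my own sketch, not code from the original post or from the Multi-Account Containers add-on), here is a minimal Firefox WebExtension background script that stamps requests leaving a container with an X-Container header so Burp's HTTP history filter can match on the account name. It assumes a manifest with the webRequest, webRequestBlocking, contextualIdentities and <all_urls> permissions, and a naming convention where only containers prefixed "test-" are tagged, so personal or work containers never send their name to a remote server.

```javascript
// Added example (not part of the original post): tag requests from test
// containers with an "X-Container" header. Header name and the "test-"
// prefix are our own conventions, chosen so that only testing accounts
// reveal a container name to the target application.

const TAG_HEADER = "X-Container";
const TAGGED_PREFIX = "test-";

// Pure helper: returns a new header list with the tag added or replaced.
// Non-test containers (and tabs outside any container) get the original
// list back untouched, so the caller can detect "nothing changed".
function tagHeaders(requestHeaders, containerName) {
  if (!containerName || !containerName.startsWith(TAGGED_PREFIX)) {
    return requestHeaders;
  }
  // Drop any stale tag (e.g. a replayed request) before adding ours.
  const kept = requestHeaders.filter(
    (h) => h.name.toLowerCase() !== TAG_HEADER.toLowerCase()
  );
  kept.push({ name: TAG_HEADER, value: containerName });
  return kept;
}

// Resolve a cookieStoreId such as "firefox-container-3" to the container's
// display name, caching lookups so each request costs no extra API call.
const nameCache = new Map();
async function containerName(cookieStoreId) {
  if (!cookieStoreId || !cookieStoreId.startsWith("firefox-container-")) {
    return null; // default cookie store: no container, never tagged
  }
  if (!nameCache.has(cookieStoreId)) {
    const identity = await browser.contextualIdentities.get(cookieStoreId);
    nameCache.set(cookieStoreId, identity.name);
  }
  return nameCache.get(cookieStoreId);
}

// Wire the blocking listener only when running inside Firefox; the guard
// lets the pure helper be exercised outside the browser as well.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    async (details) => ({
      requestHeaders: tagHeaders(
        details.requestHeaders,
        await containerName(details.cookieStoreId)
      ),
    }),
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders"]
  );
}
```

In Burp, filtering HTTP history on the string "X-Container: test-admin" then isolates one account's traffic even when several test containers share the same proxy listener.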
Enjoy your new workflow