Advanced web testing workspace

Advanced web testing workflow with Firefox Multi-Account Containers and Burp Suite


A workspace proposal that makes web testing smoother by integrating it into your everyday browsing workflow.

Advantages:

  • Seamlessly browse between projects and different testing accounts

  • Reduce repeated MFA logins on test accounts and other accounts, since each container keeps its own session

  • Remain secure and integrate privacy into your workflow

  • Stay agile and organized while minimizing mental clutter

Switching between projects and user sessions with minimal clutter

Assumptions

  • Using Burp Suite Professional (Community Edition also works) to perform web testing

  • Familiarity with Firefox

  • Our requirement: switch quickly and efficiently between different environments, users and sessions while keeping track of ongoing projects.

Installation

Demonstration

Assume we have several accounts with different privilege levels for one application.

By setting up one container per account we can keep track of testing, personal and work accounts, and, most importantly, keep those accounts in isolated environments.

Each container holds its own session state (cookies, local storage, cache), so every tab opened in that container shares that state and tabs in other containers do not. Note that browsing history and bookmarks are not container-specific; they remain shared across all containers.

Let's go further with a second Firefox add-on that lets tab groups represent projects or working environments.

We can use Simple Tab Groups to create a mental separation between different projects and working environments.

We can go one step further by routing only the traffic of specific account containers through the Burp Suite proxy, so that it can be analyzed and tested.

The Multi-Account Containers add-on lets us configure proxy settings per container, which allows us to send only part of our traffic to Burp Suite. If you want to tell the accounts apart inside Burp as well, point each container at its own Burp proxy listener port.

Finally, when we open a tab in a testing-account container, its traffic is immediately proxied to Burp, which integrates smoothly with the normal browsing workflow.

Here's an example using a high-privileged account with Burp

Notice the clear visual indicator of the specific account in use

And an example of a low-privileged account in the same workspace.

Notice the color of the tabs

Burp's HTTP history now shows only the traffic of the selected accounts, because the other containers never go through the proxy.

Further filtering can be obtained by adding the specific domains to the target scope:

Target > Scope > Add, specifying hosts, ports or even specific URL components with regular expressions

Make sure to tick "Use advanced scope control", otherwise the regex fields for protocol, host, port and file are not available.

Enjoy your new workflow 😄

There are many more ideas to improve on this proposal, like adding the container name to a request header, or even having Burp color the requests according to the color scheme defined in Multi-Account Containers.
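As an added example of the last idea (this is not code from the original post), here is a small Burp extension for the legacy Extender API, written for Jython, that highlights each proxy history entry with the color of the container that produced it. It assumes the per-container routing described above is done with one Burp proxy listener per container, e.g. 127.0.0.1:8081 for the high-privileged container and 127.0.0.1:8082 for the low-privileged one; the ports, the container names and the color mapping are assumptions for this example. Entries outside Target > Scope are left untouched, so the scope filtering from the previous step still applies.

```python
# Added example, not part of the original post: Burp Suite extension (legacy
# Extender API, loaded through Jython) that colors proxy history entries by
# the Burp proxy listener that received them. One listener per Firefox
# container is assumed; ports, names and colors below are assumptions.
try:
    from burp import IBurpExtender, IProxyListener
except ImportError:
    # Outside Burp (e.g. running the pure-Python helpers under CPython for a
    # quick check) the Extender API is not importable; stub the interfaces.
    class IBurpExtender(object):
        pass

    class IProxyListener(object):
        pass

# Listener interface -> (container name, Burp highlight color).
# Burp accepts: red, orange, yellow, green, cyan, blue, pink, magenta, gray.
CONTAINER_LISTENERS = {
    "127.0.0.1:8081": ("high-priv", "red"),   # assumed high-privilege container
    "127.0.0.1:8082": ("low-priv", "blue"),   # assumed low-privilege container
}


def normalise_listener(listener):
    """Burp reports the listener as 'host:port'; fold loopback aliases so
    'localhost:8081', '[::1]:8081' and '127.0.0.1:8081' name the same container."""
    host, _, port = listener.rpartition(":")
    if host in ("localhost", "::1", "[::1]"):
        host = "127.0.0.1"
    return "%s:%s" % (host, port)


def container_for_listener(listener, table=CONTAINER_LISTENERS):
    """Return (container name, color) for a listener interface string such as
    '127.0.0.1:8081', or None when that listener is not mapped to a container."""
    return table.get(normalise_listener(listener))


class BurpExtender(IBurpExtender, IProxyListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Container colors")
        callbacks.registerProxyListener(self)

    def processProxyMessage(self, messageIsRequest, message):
        # Tag the entry once, when the request arrives; the response shares it.
        if not messageIsRequest:
            return
        hit = container_for_listener(message.getListenerInterface())
        if hit is None:
            return
        name, color = hit
        info = message.getMessageInfo()
        url = self._helpers.analyzeRequest(info).getUrl()
        # Respect Target > Scope so unrelated browsing is never highlighted.
        if not self._callbacks.isInScope(url):
            return
        info.setHighlight(color)
        info.setComment("container: " + name)
```

Load it through Extender > Extensions with the Jython standalone jar configured, add one proxy listener per port in the table, and point each container's proxy setting at its own port; the HTTP history then carries the same colors you see on the tabs.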
