Sept 5, 2023
[Firefox Multi-Account Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/) is an extension that allows Web App Testers to containerize the things you want to keep separate, such as session and network traffic, while sharing the thing you want to share like browser configurations, extensions, and imported certificates. This tool has the potential to greatly simplify your workflow.
The first tool Containers can replace is the use of Firefox profiles. When testing for access control violations, it is important to have separate active sessions as different users. That way you can tell if Bob can see Alice's shopping cart or if Alice can see the Administrator panel. The way I was taught to do this was with Firefox profiles.
Firefox profiles is a built-in feature that is designed for separate people to have a customized experience while using the same browser. Firefox profiles separate the user sessions, which is exactly what we're looking, but it also separates everything else. Extensions, history, downloads, and the Burp certificate will need to configured in each profile which can be tedious.
That's where Containers comes in. With a simple color-coded tab, you can have all the separate sessions you'll need for your testing! The colored tabs don't share cookies between different colors which allows you to do the access control testing you need without having to juggle separate windows as with Firefox profiles.
![[Pasted image 20230905012903.png]]
The other tool Containers allows you to replace is FoxyProxy. FoxyProxy is a wonderfully useful extension that allows you to send your web traffic to your web proxy. However, a major con arises. FoxyProxy doesn't allow you to specify which browser traffic you want to separate, turning it on will send everything to Burp. So to avoid polluting all your HTTP history, you'll need to use a profile without FoxyProxy, a separate browser, set a scope in your web proxy, or constantly remember to shut FoxyProxy on and off.
Containers has the same functionality as FoxyProxy, but on a per tab basis. If you want to avoid polluting your history, you can just use the default tab and keep all your testing traffic in a configured container.
To get started with Containers, add the extension from the [Firefox Add-On store](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/).
Provide the Add-On the requested permissions and click the new Container icon. Click through all the prompts.
![[Peek 2023-09-05 00-52.gif]]
Now let's configure the proxy to Burp default listening port: `http://127.0.0.1:8080`
![[Peek 2023-09-05 00-56.gif]]
Finally, let's test it out by first going to Wikipedia outside of a container and then within one. Notice that no traffic is captured outside of the Container.
![[Peek 2023-09-05 01-08.gif]]
Here's how I like to configure my containers using the listening ports as the names.
![[Pasted image 20230905011311.png]]