I thought I’d share my workflow for web pentesting with Firefox containers. Its advantages are that it lets you be logged in to multiple accounts at the same time, which helps with authorization testing, and that it makes it easy to separate traffic sent to the intercepting proxy from other traffic without configuring FoxyProxy patterns. I’ve been using it for years but I haven’t really seen it used much by other testers, so I thought I’d write about it as it can be useful for others.

When performing web pentests, we usually use an intercepting proxy such as Burp Suite to investigate the traffic of the web application. One of the problems with using an intercepting proxy is choosing which traffic to intercept and which to ignore, as you may want to use the same browser for other things as well. The traditional solution for this is to use FoxyProxy, but I never really liked this solution as it depends on configuring URL regexes, which is manual and error-prone and might cause you to miss traffic, especially background traffic and redirects. Of course, it’s also possible to use a different browser (like the Burp Browser) for testing, but this means you can’t use Firefox-specific functionality in your test, such as Firefox containers.

I’ve been using Firefox Containers for a while. It allows you to have separate site storage for the same websites, which is great for pentesting. For example, I might get four or more accounts for a pentest, such as admin and regular user accounts for different organizations in the webapp. And I also want to test anonymous access. Using containers, I can make different containers for each account and be logged in with every account at the same time as I test. This really makes the test easier and allows you to find more stuff.

What really made me happy was when I found Container Proxy. This add-on allows you to configure a proxy differently for each Firefox container. By making a bunch of Burp Suite containers, I can easily separate testing traffic from other traffic in the same browser! No more FoxyProxy patterns needed!

Firefox container configuration with Container Proxy: this shows one admin container, three user containers, and an "anonymous" container, all configured to connect with a Burp Suite proxy.
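The gap between URL-pattern routing and per-container routing, as an added example that is not part of the original post. The hosts, container names and proxy address are constructed, and the two routing functions are simplified models, not the code of FoxyProxy or Container Proxy.

```javascript
// Assumed address of the local intercepting proxy listener.
const PROXY = "127.0.0.1:8080";

// Constructed sample traffic from one browser during a test.
// container: the Firefox container of the tab (null = ordinary tab).
// testing:   ground truth, whether the tester wants this request intercepted.
const traffic = [
  { container: "admin",     testing: true,  url: "https://app.example.test/dashboard" },
  { container: "admin",     testing: true,  url: "https://sso.example.test/authorize?client=app" }, // login redirect
  { container: "user-1",    testing: true,  url: "https://api.example.test/v1/orders/17" },         // background request
  { container: "anonymous", testing: true,  url: "https://app.example.test/login" },
  { container: null,        testing: false, url: "https://app.example.test/help" },                 // reading docs in a normal tab
  { container: null,        testing: false, url: "https://mail.example.org/inbox" },                // unrelated browsing
];

// Model 1: the decision depends on hand-written URL regexes.
const patterns = [/^https:\/\/app\.example\.test\//];
function routeByPattern(req) {
  return patterns.some((re) => re.test(req.url)) ? PROXY : "direct";
}

// Model 2: the decision depends only on which container the tab lives in.
const proxiedContainers = new Set(["admin", "user-1", "anonymous"]);
function routeByContainer(req) {
  return proxiedContainers.has(req.container) ? PROXY : "direct";
}

// Compare a routing function against the ground truth.
// missed: test traffic that bypassed the proxy (coverage gap).
// stray:  non-test traffic that ended up in the proxy history.
function audit(requests, route) {
  const missed = [];
  const stray = [];
  for (const req of requests) {
    const proxied = route(req) === PROXY;
    if (req.testing && !proxied) missed.push(req.url);
    if (!req.testing && proxied) stray.push(req.url);
  }
  return { missed, stray };
}

console.log("pattern routing:  ", audit(traffic, routeByPattern));
console.log("container routing:", audit(traffic, routeByContainer));
```

With the single `app.example.test` pattern, the SSO redirect and the API call never reach the proxy, while the container model catches both because the URL plays no part in the decision.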

Containers also work well with another extension I use during pentesting, Cookie Quick Manager. With this it’s possible to copy cookies from one container to another and edit them. Copying cookies is sometimes useful, for example when the login flow doesn’t work well with Burp: one possible bypass is to log in without Burp and copy the cookie (of course, you can also temporarily disable proxying during the login).

That’s it! Just thought I’d finally document it as I think it’s a really effective way to test.

So apparently it’s been one and a half years since my last blog post. I’m still here, just don’t always have much to say. Wish every reader a happy Christmas and a nice 2026!