firefox for browsing, firefox for auditing

Wednesday, 25 February 2009

When using a web application proxy, such as those found in WebScarab, Paros Proxy or Burp Suite, it's useful to have a second Firefox window open which uses a different user profile set up to connect through the local web proxy server.  Running a separate instance of Firefox with a different user profile means that one instance can be used for general browsing and the other for web application testing or auditing, so that the information collected via the proxy isn't diluted with normal browsing requests.

Running a separate instance of Firefox is easy to achieve, and here are the steps involved:

First, create a new Firefox profile:

  • Start Firefox from the command line using the options -no-remote -P (e.g. "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -P).
  • When the Choose User Profile dialog box opens, click Create Profile to start the Create Profile wizard.
  • Click Next, give the profile a name and optionally change the directory where the profile will be stored.
  • Click Finish, select the newly created profile in the Choose User Profile dialog and click Start Profile.

Configure the new profile to use the web application proxy:

  • Install the SwitchProxy add-on for Firefox and, of course, don't forget the NoScript add-on, without which no Firefox profile is complete.  Restart Firefox to complete installation.
  • Create a new proxy profile for use with your favourite web application proxy.  For example, the proxy in Burp Suite v1.2 is available on loopback port 8080 by default, so:
    • In Firefox: Tools > SwitchProxy > Manage Proxies
    • In the Manage Proxies dialog: click Add, select Standard and click Next.
    • In the Proxy Info dialog, add a name for these proxy settings in the Proxy Label field, add the loopback address into the HTTP Proxy field and 8080 in the corresponding Port field and click OK twice.

If Firefox was open before doing the above, the new profile will be open in a separate window.  The key to opening multiple instances of Firefox is to use the -no-remote -P options of the Firefox executable.  The -P option takes the name of the profile as an argument, and supplying a valid profile name will launch Firefox straight into that profile instead of showing the Choose User Profile dialog.  A handy shortcut can therefore be created by modifying an existing Firefox shortcut to add the following to the command: -no-remote -P "New Firefox Profile Name"

Voila, a separate instance of Firefox, ready to work with a web application proxy.
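The same set-up can be scripted rather than clicked through. The sketch below is an added example, not part of the original post: it writes Firefox's manual-proxy preferences into a user.js file in a dedicated profile directory (used here in place of the SwitchProxy add-on) and launches that profile with -no-remote. The function names, the profile directory and the use of 127.0.0.1 as the loopback address are assumptions; port 8080 is the Burp default mentioned above.

```shell
#!/bin/sh
# Added example: pin a dedicated Firefox auditing profile to a local
# intercepting proxy by writing a user.js into the profile directory.
# Function names and the default profile path are assumptions of this sketch.

# write_proxy_prefs DIR HOST PORT
# Creates DIR/user.js so the profile sends HTTP and HTTPS through HOST:PORT.
write_proxy_prefs() {
    dir=$1 host=$2 port=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    # Only accept a loopback proxy, so audit traffic (cookies, credentials)
    # is never routed to a remote host by a typo.
    case $host in
        127.0.0.1|localhost) ;;
        *) echo "refusing non-loopback proxy host: $host" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    cat > "$dir/user.js" <<EOF
// Written by the set-up script; Firefox re-applies user.js at every start.
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$host");
user_pref("network.proxy.http_port", $port);
user_pref("network.proxy.ssl", "$host");
user_pref("network.proxy.ssl_port", $port);
user_pref("network.proxy.no_proxies_on", "");
EOF
}

# proxy_of DIR
# Prints HOST:PORT the profile is pinned to, as a check before testing starts.
proxy_of() {
    h=$(sed -n 's/^user_pref("network\.proxy\.http", "\(.*\)");$/\1/p' "$1/user.js")
    p=$(sed -n 's/^user_pref("network\.proxy\.http_port", \([0-9]*\));$/\1/p' "$1/user.js")
    printf '%s:%s\n' "$h" "$p"
}

# Usage: sh audit-profile.sh --launch [PROFILE_DIR]
if [ "${1:-}" = "--launch" ]; then
    profile=${2:-"$HOME/firefox-audit-profile"}
    write_proxy_prefs "$profile" 127.0.0.1 8080 || exit 1
    echo "profile $profile uses proxy $(proxy_of "$profile")"
    # -no-remote keeps this instance separate from the browsing instance.
    exec firefox -no-remote -profile "$profile"
fi
```

Because Firefox re-reads user.js on every start, the proxy settings are restored even if they are changed in the browser during a session, so the auditing profile cannot silently fall back to a direct connection.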