[00:00:00] Instructor: Hi. Within this lecture, we're going to see how we can run a command in order to get the data from Firestore if the Firestore security rules are not properly configured. So make sure you copy this, because you will need the Firebase ID and you will need the collection name. So I'm going to open my notes; you can just open any text file in order to copy this and make notes for yourself, okay? And I'm going to paste this over here, so don't mind the keytool and jarsigner thing. Just copy your own Firestore key and Firestore collection name.

[00:00:43] And then over here, what we're gonna do, we're going to change it to no proxy, because we're done with the proxy right now, so that it won't interfere with our things. And over here, actually, I'm going to go over to Settings and find the WiFi, modify the WiFi thing one more time, and just disable the proxy from here as well, so that it can connect to the internet even if I shut down the Charles proxy. So let me open the tweet. Let me try this. Yep, here we go.

[00:01:20] Yeah, it doesn't seem to be working for some reason. Let me just close this down and just open it one more time to see if it works now. So let me open the Secure Tweet app. Yeah, we still have the files, actually the tweets, and let me run this, and here we go. Now it's working. So our app is working. Our Firestore information is over here, and now I'm going to show you how to hack it.

[00:01:49] So as you might remember, there are some security rules regarding our database in here. And most of the time, developers start using the database like this, like allowing reading and writing if the request time is below some date, okay? So there are a couple of things to learn over here. You can actually manipulate the security rules in a way that you want. You can even disable reading and writing. Of course, it won't do much for you, because nobody will be able to read or write to your database if you do that. But maybe you may want to allow reading but disable the writing, so that everyone can see what's going on in the database, but nobody will be able to change the thing.

[00:02:45] And you can do something like this as well. Like, yeah, I'm gonna allow reading and writing if the request time is less than this date, for example, like one month later or one month before, okay? So maybe you can even delete this and just say allow read and write in any condition. So it used to be like this, okay? So most of the time developers use this for test purposes, okay? And they tend to leave it as it is, because it will cause them some problems if they don't do it properly. Of course, it causes some security issues.

[00:03:32] So what we wanna do is to try and see if the developers left these Firestore security rules allowing reading and writing for some condition, okay? And the way to do that, we're going to use the REST API, or REST calls, of Firestore. So actually Firestore has some REST calls, and maybe you don't even know what a REST call is, or maybe you don't have any experience with working with any kind of APIs. But it actually allows us, or allows developers, to send a request to the database and get responses from the database using HTTP requests.

[00:04:26] So I'm going to show you what I mean. It will be much easier. So if you search for Firestore REST API, okay? And I suggest you do that with me. It's not only for information; actually you're gonna get some information that you will use right now. And find the Firestore REST API documentation. So over here, as you can see, it says that this is one of the easiest ways to reach Firestore. Yeah, it's actually the easiest way, but also it's one of the most dangerous ways as well. And over here, it instructs us how to actually make REST calls. And sometimes they change this URL. So for example, rather than v1, it used to be v2, or something like beta v2, okay? So right now it's v1. Maybe when you're watching it will be v2. And over here it asks for your own project ID. And over here, as you can see, after default, it gives something like documents/cities/LA, and of course this is an example, okay, not a real thing, and we will replace it with our own collection name. But you have to make sure that this link is valid.

[00:05:52] So I suggest you go to that website and just search for the API URL, find the API URL that is current, and use it in your own REST calls. So this is made for business. This is made for convenience, so that developers can actually use REST calls and try to get data or change data using these commands. But if they don't do it properly, it will enable us, or enable hackers, to download the whole database and change the database in a way that they want.

[00:06:30] So rather than this project ID, I'm going to copy and paste mine, okay? So make sure you do that as well. So in my case, firestore.googleapis.com, v1, projects, tweet app, okay, my own project ID. And after that, it should be databases and (default). Of course, if they changed it, you can just follow along the new procedure, okay? And then make sure you include your collection name. So that is why we have been looking for this collection name. That is why we have been looking for this Firestore ID.

[00:07:11] And again, if you wonder what would be the optimal choice for Firestore rules, we're gonna go into that in a minute, okay, in the following lectures: how to make Firestore applications safe. So right now I'm just going to close this down, because we don't need any emulators or any app in order to get this data. We're going to make this as realistic as possible. And I'm going to come over here, and rather than saying default/documents and cities/LA or something, I'm just going to add tweets. And remember, we got this from APKTool. We got this from the network sniffing stuff. So we definitely know how to do this right now. So we constructed our URL. So this is how we do the REST calls. This is the URL that we're going to use in REST calls.

[00:08:07] Now in order to do a REST call, we're going to use something called cURL. So like C-U-R-L, okay? And maybe you don't have cURL in your own command line or in your own Windows. Maybe you do have. I suggest that you try and do it with me, but if you don't have it, you can call cURL from anywhere, like from online, for example. I'm going to show you how. So I'm going to do this in my terminal. And actually Kali Linux has cURL built in. So you can run the same command inside of Kali Linux as well if you fail to find a working cURL service. And I can't even open Google. So let me just run "cURL online" or "run cURL online", okay? And as you can see, there are a couple of options over here, like onlinecurl.com, curlbuilder.com. So there are a lot of options that you may try if you don't have cURL on your computer. Most of the time Windows actually has it, but maybe in your case you don't have it. So don't try to, well actually, don't bother trying to install it. Just open Kali Linux or just open any online source and run the same command that I will run in a minute. So I'm going to make this a little bit bigger so that you can see it in a better way, okay? And here you go.

[00:09:44] Now we know the stuff, we know the constructed URL, so make sure you copy that, because we're going to use it, okay? And we're going to run the cURL command like this. And if you want to run a GET command, which is for getting data, actually, you can use this command that I'm going to show you. And I'm going to show you other procedures as well. You generally have GET for getting data, POST for posting or uploading data, DELETE for deleting data, and UPDATE for updating data, okay? So we're gonna use GET. So in order to do that, just say -X GET with the spaces like this, and then you can specify the URL that you have constructed. And you have to specify the URL inside of these quotation marks. So make sure you open the quotation mark and close it, and make sure you add the semicolon at the end. That's it: curl -X GET and your URL, with these quotation marks and the semicolon at the end. So this is what we have been looking for. This is a GET request. If this works, it will get us all the content inside of our Firestore database, and it will display it to us.

[00:11:12] You won't even believe how many apps have this vulnerability. As you can see, we managed to get all the data within one single command over here, okay? So we now know what is inside of this database. Like we see the name, we see the project, tweet app, databases, documents, tweets, and the document IDs later on. And we're going to use these document IDs. They refer to each unique document in the Firestore collection. And we can use UPDATE or DELETE cURL requests in order to change the specific values. Like we see the user email, we see the create time, we see the update time and everything over here, okay? Now actually we hacked into the Firestore, right? We got all the data, and it doesn't even end here. We can delete them, we can change them if we want. So let me try this, okay? In order to delete any document, all you have to do is just run the same command, okay? But not exactly the same. Rather than GET, I'm gonna run DELETE. And of course I'm not going to try and delete the whole collection over here, okay?

[00:12:40] But rather, I will add a slash and add the document ID that I want to delete. So I'm going to add the slash at the end of the tweets, and I'm going to choose any document ID from here and paste it over here. Like that. And let me try one more time. Yeah, here you go. Like this. So this document starts with Nxb6. Let me find that document in our Firestore so that we can actually track if it's been deleted or not. So let me see. Where is our Firestore? Yeah, here you go. Let me go to Data and let me find that document over here. Like, as you can see, this is Nxb68. Yeah, here you go. So I'm going to hit Enter and I'm going to go back and see if we managed to delete it or not. Actually, we can make it like this and just see it in real time. Here you go. It's now deleted. As you can see, we managed to gather the data, we managed to get the data, and we even managed to delete the data. So it's very dangerous if you leave stuff like this. So now you can try this with other document names like that. So let me try this, okay?

[00:14:06] Let me delete the existing one over here and let me paste the new one. For some reason, it doesn't work. Let me just do it from here. And there are some gibberish characters. So let me just do it from scratch. I'm going to delete this, okay? And I'm going to hit slash, and then I'm going to try and paste this one more time. Here you go. Now let's find this. And here you go. Now it's deleted. So we're pretty certain that we can delete the data. We can actually manipulate the database in a way that we want. So this is very good. So you have learned a lot in this section, right? You have learned what Firebase is. You have learned how to create a Firestore project. You have learned how to find Firestore IDs and some other information using APKTool. And you have even learned network sniffing, right?

[00:15:11] But what we're gonna do is to learn how to make our app secure, changing the security rules over here in our Firestore database, because that is one of the reasons that I have created this course: in order to learn how hackers hack the things that they do, and in order to learn how to protect ourselves against these attacks as well. So rather than allowing everyone to run this kind of cURL command, we're going to limit it, and we're going to see how to do this in various ways. Let's do that within the next lecture.