{"id":22341752,"url":"https://github.com/weaponsforge/hacker-friendly-app","last_synced_at":"2025-03-26T09:27:57.281Z","repository":{"id":253543815,"uuid":"843156742","full_name":"weaponsforge/hacker-friendly-app","owner":"weaponsforge","description":"Web app demonstrating insecure Firebase security","archived":false,"fork":false,"pushed_at":"2024-08-17T18:05:58.000Z","size":411,"stargazers_count":1,"open_issues_count":11,"forks_count":0,"subscribers_count":1,"default_branch":"dev","last_synced_at":"2025-01-31T10:44:36.094Z","etag":null,"topics":["firebase","firebase-auth","firebase-authentication","firebase-security","firestore-rules","security"],"latest_commit_sha":null,"homepage":"https://weaponsforge.github.io/hacker-friendly-app","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/weaponsforge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-15T22:49:34.000Z","updated_at":"2024-08-18T18:05:27.000Z","dependencies_parsed_at":"2024-08-17T15:46:07.044Z","dependency_job_id":"40b360b4-ef6a-41f3-824e-75685e997818","html_url":"https://github.com/weaponsforge/hacker-friendly-app","commit_stats":null,"previous_names":["weaponsforge/hacker-friendly-app"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weaponsforge%2Fhacker-friendly-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weaponsforge%2Fhacker-friendly-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weapo
nsforge%2Fhacker-friendly-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weaponsforge%2Fhacker-friendly-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/weaponsforge","download_url":"https://codeload.github.com/weaponsforge/hacker-friendly-app/tar.gz/refs/heads/dev","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245625193,"owners_count":20646106,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firebase","firebase-auth","firebase-authentication","firebase-security","firestore-rules","security"],"created_at":"2024-12-04T08:08:09.125Z","updated_at":"2025-03-26T09:27:57.263Z","avatar_url":"https://github.com/weaponsforge.png","language":"JavaScript","readme":"## hacker-friendly-app\n\nThis web app, using Firebase, aims to demonstrate common Firebase security flaws by creating a hack-prone app. 
It aims to raise awareness of often overlooked Firebase security risks and to teach some methods of spotting and countering them.\n\nAdvanced sections and demos will show how to use Firebase Custom Claims and the Firebase Admin for increased Firebase security.\n\n### Usage\n\n- Read the **\"app/README.md\"** file for more information about app installation and setup.\n\n### Table of Contents\n\n- [Introduction](#hacker-friendly-app)\n- [The Hack-Prone Quotes of the Day App](#the-hack--prone-quotes-of-the-day-app)\n- [Deployment With GitHub Actions](#deployment-with-github-actions)\n\n## The Hack-Prone Quotes of the Day App\n\n- A simple Firebase web app that displays and manages \"quotes of the day.\"\n- It uses \"only\" Firebase with insecure, hacker-friendly security rules, providing an inviting and welcoming atmosphere for hackers to wreak havoc.\n- Demonstrates Cross-Site Scripting (XSS) attacks.\n\n### Requirements\n\n- Login authentication using Google Sign-In.\n- Multiple signed-in users can edit the quote's content.\n- Private UIs (require sign-in):\n   - View the quotes of the day.\n      \u003e Display the quotes as \"HTML\".\n   - Add/Edit the quotes of the day.\n      \u003e Use a What-You-See-Is-What-You-Get (WYSIWYG) editor for encoding the quotes in a bullet list.\n- Public \"quotes of the day\" board displaying three (3) inspirational quotes in a bullet list.\n   \u003e Display the quotes as \"HTML\".\n- Only use Firebase for the backend and nothing else.\n- The app runs as a static website hosted on GitHub Pages (or other static hosting).\n\n### Schemas\n\n#### Quote\n\nThere is only one **Quote** object, which signed-in users can edit to update the \"quotes of the day\".\n\n| Field | Type | Description |\n| --- | --- | --- |\n| content | String | Three (3) quotes for the day in a bullet list, wrapped in semantic `\u003cul\u003e` / `\u003col\u003e`, `\u003cli\u003e` HTML (bullet list) tags |\n| theme | String | Quotes theme, 
i.e., \"technology\", \"nature\", \"ai\", etc. |\n| date_updated | Timestamp| Date the content was created/updated |\n| updated_by | String | User ID |\n\n#### User\n\nFor simplicity, signing in with Google using the Firebase Authentication Google Sign-In provider will create the hacker-friendly app's **Users** (content editors). They will have no Firestore document for managing and tracking users.\n\n## Deployment With GitHub Actions\n\nThe app uses GitHub Actions to deploy to a **development** environment (Firebase Hosting + Firestore) on push or updates to the `dev` branch. It deploys to a **production** environment (GitHub Pages + Firestore) on creation of a new Release/Tag from the `master` branch.\n\nAdd the following GitHub Secrets to facilitate deployment to the **development** and **production** environments:\n\n### Firebase Project\n\n| Development / Production | Description |\n| --- | --- |\n| DEV_FIREBASE_WEB_API_KEY\u003cbr\u003ePROD_FIREBASE_WEB_API_KEY | Firebase web API key from the Firebase Project Settings configuration file. |\n| DEV_FIREBASE_WEB_AUTHDOMAIN\u003cbr\u003ePROD_FIREBASE_WEB_AUTHDOMAIN | Firebase web auth domain key from the Firebase Project Settings configuration file. |\n| DEV_FIREBASE_WEB_PROJECT_ID\u003cbr\u003ePROD_FIREBASE_WEB_PROJECT_ID | Firebase web project ID from the Firebase Project Settings configuration file. |\n| DEV_FIREBASE_WEB_STORAGE_BUCKET\u003cbr\u003ePROD_FIREBASE_WEB_STORAGE_BUCKET | Firebase web storage bucket key from the Firebase Project Settings configuration file. |\n| DEV_FIREBASE_WEB_MESSAGING_SENDER_ID\u003cbr\u003ePROD_FIREBASE_WEB_MESSAGING_SENDER_ID | Firebase web messaging sender ID from the Firebase Project Settings configuration file. |\n| DEV_FIREBASE_WEB_APP_ID\u003cbr\u003ePROD_FIREBASE_WEB_APP_ID | Firebase web web app key from the Firebase Project Settings configuration file. 
|\n| DEV_FIREBASE_WEB_MEASUREMENT_ID\u003cbr\u003ePROD_FIREBASE_WEB_MEASUREMENT_ID | Firebase web measurement ID from the Firebase Project Settings configuration file. |\n\n### Others\n\n| GitHub Secret | Description |\n| --- | --- |\n| FIREBASE_PROJECT_DEV | Firebase project name used by the **development** environment. |\n| FIREBASE_PROJECT_DEV_HOSTING | Firebase Hosting domain name under the `FIREBASE_PROJECT_DEV` project. |\n| FIREBASE_TOKEN | Firebase deployment token. |\n\n@weaponsforge\u003cbr\u003e\n20240816\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fweaponsforge%2Fhacker-friendly-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fweaponsforge%2Fhacker-friendly-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fweaponsforge%2Fhacker-friendly-app/lists"}