
I use OWASP ZAP to diagnose vulnerabilities in my own web service. However, the web service's functionality does not work properly via the ZAP proxy. When I checked the ZAP log, an error occurred in the communication with the following URL, and a status code of 504 (Gateway Timeout) was returned.

https://firestore.googleapis.com/google.firestore.v1.Firestore/Listen/channel?database=xxxxxx

Firebase uses not only Firestore but also Firebase Authentication. However, Firebase Authentication seems to be working. Does anyone know why the Firestore communication causes a 504 error?

The environment of the web service is as follows:

- Next.js (Vercel)
- Firebase functions used:
  - Firebase Authentication
  - Firebase Storage
  - Firebase Firestore

※ Firestore and Storage can only be accessed by accounts authenticated with Firebase Authentication.

If anyone is familiar with it, please teach me.

Lycopene

1 Answer


I've seen this issue, and after some research found that ZAP does not support streaming connections yet and that Firestore keeps network requests open after the server sends data (just in case it wants to send more back to the client).

Enabling experimentalAutoDetectLongPolling, which forces Firestore to close a connection ASAP, allowed ZAP to work properly.

To do this:

```javascript
// v8 namespaced Firebase SDK, as used in this answer
import firebase from "firebase/app";
import "firebase/firestore";

firebase.initializeApp({
  // ... your Firebase config ...
});
// settings() must run before any other Firestore call on the page,
// otherwise the SDK rejects the change.
firebase.firestore().settings({ experimentalForceLongPolling: true });
```
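Since forcing long polling is a workaround for the proxy rather than something production users should run, a practitioner would normally scope it to the build being scanned. The following is an added example, not code from the answer or from Firebase: it assumes the v8 namespaced SDK shown above and a Next.js public environment variable named NEXT_PUBLIC_FIRESTORE_FORCE_LONG_POLLING (both are assumptions), and it enforces that settings() runs before Firestore is first used.

```javascript
// Added example (not from the original post). Assumes the v8 namespaced
// Firebase SDK and an assumed env var NEXT_PUBLIC_FIRESTORE_FORCE_LONG_POLLING
// that is set only in the build scanned through ZAP.

// Decide the Firestore settings from the environment. Only an explicit "1"
// turns the long-polling workaround on; anything else keeps the default
// streaming transport, so production is unaffected.
function firestoreSettingsFor(env) {
  const flag = (env.NEXT_PUBLIC_FIRESTORE_FORCE_LONG_POLLING || "").trim();
  return flag === "1" ? { experimentalForceLongPolling: true } : {};
}

// Initialise Firestore once. settings() must be applied before the first read
// or write; the SDK refuses to change settings afterwards. This wrapper applies
// them exactly once and refuses a later call that asks for different settings.
let cached = null;
function initFirestore(firebaseLib, config, env) {
  const settings = firestoreSettingsFor(env);
  if (cached) {
    if (JSON.stringify(cached.settings) !== JSON.stringify(settings)) {
      throw new Error("Firestore already started with different settings");
    }
    return cached.db;
  }
  if (firebaseLib.apps.length === 0) {
    firebaseLib.initializeApp(config);
  }
  const db = firebaseLib.firestore();
  if (Object.keys(settings).length > 0) {
    db.settings(settings);
  }
  cached = { db, settings };
  return db;
}
```

Call initFirestore(firebase, firebaseConfig, process.env) from the single module that every page imports Firestore from, so no component can touch Firestore before the settings are applied.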