hacktricks/network-services-pentesting/pentesting-web/buckets/firebase-database.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


# What is Firebase

Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.

## Pentest Methodology

Therefore, some **Firebase endpoints** could be found in **mobile applications**. It is possible that the Firebase endpoint used is **configured badly grating everyone privileges to read (and write)** on it.

This is the common methodology to search and exploit poorly configured Firebase databases:

1. **Get the APK** of app you can use any of the tool to get the APK from the device for this POC.\
   You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)
2. **Decompile** the APK using **apktool**, follow the below command to extract the source code from the APK.
3. Go to the _**res/values/strings.xml**_ and look for this and **search** for “**firebase**” keyword
4. You may find something like this URL “_**https://xyz.firebaseio.com/**_”
5. Next, go to the browser and **navigate to the found URL**: _https://xyz.firebaseio.com/.json_
6. 2 type of responses can appear:
   1. “**Permission Denied**”: This means that you cannot access it, so it's well configured
   2. “**null**” response or a bunch of **JSON data**: This means that the database is public and you at least have read access.
      1. In this case, you could **check for writing privileges**, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)

**Interesting note**: When analysing a mobile application with **MobSF**, if it finds a firebase database it will check if this is **publicly available** and will notify it.

Alternatively, you can use [Firebase Scanner](https://github.com/shivsahni/FireBaseScanner), a python script that automates the task above as shown below:

```bash
python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>
```

## Authenticated

If you have credentials to access the Firebase database you can use a tool such as [**Baserunner**](https://github.com/iosiro/baserunner) to access more easily the stored information. Or a script like the following:

```python
#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/
import pyrebase

config = {
  "apiKey": "FIREBASE_API_KEY",
  "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
  "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
  "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())
```

To test other actions on the database, such as writing to the database, refer to the Pyrebase documentation which can be found [here](https://github.com/thisbejim/Pyrebase).

## Access info with APPID and API Key

If you decompile the iOS application and open the file `GoogleService-Info.plist` and you find the API Key and APP ID:

* API KEY **AIzaSyAs1\[...]**
* APP ID **1:612345678909:ios:c212345678909876**

You may be able to access some interesting information

**Request**

`curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'`

# References

* [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)
* [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


fix mess 2 2022-05-01 12:49:36 +00:00			`# What is Firebase`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.`

fix mess 2 2022-05-01 12:49:36 +00:00			`## Pentest Methodology`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Therefore, some Firebase endpoints could be found in mobile applications. It is possible that the Firebase endpoint used is configured badly grating everyone privileges to read (and write) on it.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`This is the common methodology to search and exploit poorly configured Firebase databases:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`1. Get the APK of app you can use any of the tool to get the APK from the device for this POC.\`
			`You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`2. Decompile the APK using apktool, follow the below command to extract the source code from the APK.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`3. Go to the _res/values/strings.xml_ and look for this and search for “firebase” keyword`
			`4. You may find something like this URL “_https://xyz.firebaseio.com/_”`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`5. Next, go to the browser and navigate to the found URL: _https://xyz.firebaseio.com/.json_`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`6. 2 type of responses can appear:`
			`1. “Permission Denied”: This means that you cannot access it, so it's well configured`
			`2. “null” response or a bunch of JSON data: This means that the database is public and you at least have read access.`
			`1. In this case, you could check for writing privileges, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Interesting note: When analysing a mobile application with MobSF, if it finds a firebase database it will check if this is publicly available and will notify it.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 461 pages modified 2021-05-15 12:48:28 +00:00			`Alternatively, you can use [Firebase Scanner](https://github.com/shivsahni/FireBaseScanner), a python script that automates the task above as shown below:`

			```bash
			`python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>`
			```

fix mess 2 2022-05-01 12:49:36 +00:00			`## Authenticated`
GitBook: [master] one page modified 2021-05-26 09:08:21 +00:00
GitBook: [master] 2 pages modified 2021-08-09 12:26:47 +00:00			`If you have credentials to access the Firebase database you can use a tool such as [Baserunner](https://github.com/iosiro/baserunner) to access more easily the stored information. Or a script like the following:`

			```python
			`#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/`
			`import pyrebase`

			`config = {`
			`"apiKey": "FIREBASE_API_KEY",`
			`"authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",`
			`"databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",`
			`"storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",`
			`}`

			`firebase = pyrebase.initialize_app(config)`

			`db = firebase.database()`

			`print(db.get())`
			```

			`To test other actions on the database, such as writing to the database, refer to the Pyrebase documentation which can be found [here](https://github.com/thisbejim/Pyrebase).`
GitBook: [master] one page modified 2021-05-26 09:08:21 +00:00
fix mess 2 2022-05-01 12:49:36 +00:00			`## Access info with APPID and API Key`
GitBook: [master] one page modified 2021-06-17 12:50:08 +00:00
			If you decompile the iOS application and open the file `GoogleService-Info.plist` and you find the API Key and APP ID:

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`* API KEY AIzaSyAs1\[...]`
GitBook: [master] one page modified 2021-06-17 12:50:08 +00:00			`* APP ID 1:612345678909:ios:c212345678909876`

			`You may be able to access some interesting information`

			`Request`

			`curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'`

fix mess 2 2022-05-01 12:49:36 +00:00			`# References`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`* [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)`
fix bad chars 2022-04-05 22:24:52 +00:00			`* [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`