HackTricks CloudGCP - Firebase Enum
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Firebase
The Firebase Realtime Database is a cloud-hosted NoSQL database that lets you store and sync data between your users in realtime. Learn more.
Unauthenticated Enum
Some Firebase endpoints could be found in mobile applications. It is possible that the Firebase endpoint used is configured badly grating everyone privileges to read (and write) on it.
This is the common methodology to search and exploit poorly configured Firebase databases:
- Get the APK of app you can use any of the tool to get the APK from the device for this POC.
You can use βAPK Extractorβ https://play.google.com/store/apps/details?id=com.ext.ui&hl=e - Decompile the APK using apktool, follow the below command to extract the source code from the APK.
- Go to the res/values/strings.xml and look for this and search for βfirebaseβ keyword
- You may find something like this URL βhttps://xyz.firebaseio.com/β
- Next, go to the browser and navigate to the found URL: https://xyz.firebaseio.com/.json
- 2 type of responses can appear:
- βPermission Deniedβ: This means that you cannot access it, so it's well configured
- βnullβ response or a bunch of JSON data: This means that the database is public and you at least have read access.
- In this case, you could check for writing privileges, an exploit to test writing privileges can be found here: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
Interesting note: When analysing a mobile application with MobSF, if it finds a firebase database it will check if this is publicly available and will notify it.
Alternatively, you can use Firebase Scanner, a python script that automates the task above as shown below:
python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>
Authenticated Enum
If you have credentials to access the Firebase database you can use a tool such as Baserunner to access more easily the stored information. Or a script like the following:
#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/
#Install pyrebase: pip install pyrebase4
import pyrebase
config = {
"apiKey": "FIREBASE_API_KEY",
"authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
"databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
"storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}
firebase = pyrebase.initialize_app(config)
db = firebase.database()
print(db.get())
To test other actions on the database, such as writing to the database, refer to the Pyrebase4 documentation which can be found here.
Access info with APPID and API Key
If you decompile the iOS application and open the file GoogleService-Info.plist and you find the API Key and APP ID:
- API KEY AIzaSyAs1[...]
- APP ID 1:612345678909:ios:c212345678909876
You may be able to access some interesting information
Request
curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'
References
- βhttps://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/β
- βhttps://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1β
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.