hacktricks/pentesting/pentesting-web/buckets/firebase-database.md

# Firebase Database

## What is Firebase

Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.

### Pentest Methodology

Therefore, some **Firebase endpoints **could be found in **mobile applications**. It is possible that the Firebase endpoint used is** configured badly grating everyone privileges to read (and write)** on it.

This is the common methodology to search and exploit poorly configured Firebase databases:

1. **Get the APK** of app you can use any of the tool to get the APK from the device for this POC.\
   You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)
2. **Decompile **the APK using **apktool**, follow the below command to extract the source code from the APK.
3. Go to the _**res/values/strings.xml**_ and look for this and **search** for “**firebase**” keyword
4. You may find something like this URL “_**https://xyz.firebaseio.com/**_”
5. Next, go to the browser and **navigate to the found URL**:_ https://xyz.firebaseio.com/.json_
6. 2 type of responses can appear:
   1. “**Permission Denied**”: This means that you cannot access it, so it's well configured
   2. “**null**” response or a bunch of **JSON data**: This means that the database is public and you at least have read access.
      1. In this case, you could **check for writing privileges**, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)

**Interesting note**: When analysing a mobile application with **MobSF**, if it finds a firebase database it will check if this is** publicly available** and will notify it.

Alternatively, you can use [Firebase Scanner](https://github.com/shivsahni/FireBaseScanner), a python script that automates the task above as shown below:

```bash
python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>
```

### Authenticated

If you have credentials to access the Firebase database you can use a tool such as [**Baserunner**](https://github.com/iosiro/baserunner) to access more easily the stored information. Or a script like the following:

```python
#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/
import pyrebase

config = {
  "apiKey": "FIREBASE_API_KEY",
  "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
  "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
  "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())
```

To test other actions on the database, such as writing to the database, refer to the Pyrebase documentation which can be found [here](https://github.com/thisbejim/Pyrebase).

### Access info with APPID and API Key

If you decompile the iOS application and open the file `GoogleService-Info.plist` and you find the API Key and APP ID:

* API KEY **AIzaSyAs1\[...]**
* APP ID **1:612345678909:ios:c212345678909876**

You may be able to access some interesting information

**Request**

`curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'`

## References

* [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)
*  [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Firebase Database`

			`## What is Firebase`

			`Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.`

			`### Pentest Methodology`

GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`Therefore, some Firebase endpoints could be found in mobile applications. It is possible that the Firebase endpoint used is configured badly grating everyone privileges to read (and write) on it.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`This is the common methodology to search and exploit poorly configured Firebase databases:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`1. Get the APK of app you can use any of the tool to get the APK from the device for this POC.\`
			`You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)`
GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`2. Decompile the APK using apktool, follow the below command to extract the source code from the APK.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`3. Go to the _res/values/strings.xml_ and look for this and search for “firebase” keyword`
			`4. You may find something like this URL “_https://xyz.firebaseio.com/_”`
GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`5. Next, go to the browser and navigate to the found URL:_ https://xyz.firebaseio.com/.json_`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`6. 2 type of responses can appear:`
			`1. “Permission Denied”: This means that you cannot access it, so it's well configured`
			`2. “null” response or a bunch of JSON data: This means that the database is public and you at least have read access.`
			`1. In this case, you could check for writing privileges, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)`

GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`Interesting note: When analysing a mobile application with MobSF, if it finds a firebase database it will check if this is publicly available and will notify it.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 461 pages modified 2021-05-15 12:48:28 +00:00			`Alternatively, you can use [Firebase Scanner](https://github.com/shivsahni/FireBaseScanner), a python script that automates the task above as shown below:`

			```bash
			`python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>`
			```

GitBook: [master] one page modified 2021-05-26 09:08:21 +00:00			`### Authenticated`

GitBook: [master] 2 pages modified 2021-08-09 12:26:47 +00:00			`If you have credentials to access the Firebase database you can use a tool such as [Baserunner](https://github.com/iosiro/baserunner) to access more easily the stored information. Or a script like the following:`

			```python
			`#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/`
			`import pyrebase`

			`config = {`
			`"apiKey": "FIREBASE_API_KEY",`
			`"authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",`
			`"databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",`
			`"storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",`
			`}`

			`firebase = pyrebase.initialize_app(config)`

			`db = firebase.database()`

			`print(db.get())`
			```

			`To test other actions on the database, such as writing to the database, refer to the Pyrebase documentation which can be found [here](https://github.com/thisbejim/Pyrebase).`
GitBook: [master] one page modified 2021-05-26 09:08:21 +00:00
GitBook: [master] one page modified 2021-06-17 12:50:08 +00:00			`### Access info with APPID and API Key`

			If you decompile the iOS application and open the file `GoogleService-Info.plist` and you find the API Key and APP ID:

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`* API KEY AIzaSyAs1\[...]`
GitBook: [master] one page modified 2021-06-17 12:50:08 +00:00			`* APP ID 1:612345678909:ios:c212345678909876`

			`You may be able to access some interesting information`

			`Request`

			`curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`## References`

			`* [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)`
GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`* [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)`