Firebase Exploit bug bounty

Damaidec
Nov 27, 2022

Recently I managed to exploit a read/write permission on Firebase, but unfortunately it was marked as not applicable. Honestly, it was also kind of odd that it has the same name as the company but they do not own it.

First you will need some tools. Git clone the following repos: https://github.com/shivsahni/FireBaseScanner and https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit

For this demo I created the same vulnerable scenario as the one I found. If you are interested, you can create your own Firebase project and git clone this repo, which already has CRUD: https://github.com/FSojitra/FirebaseDB-CRUD-as-simple-todo-list-with-HTML-and-JQuery-Javascript

So how do we find a Firebase configuration?

Well, there are many tools you can use to find a Firebase config file, like burpbounty, nuclei, reconftw (an all-in-one recon and VA tool), js link finder, js miner, bevigil, etc., or you can do it manually by checking view source, where you might be able to find something like this:

Now let's go to our created website. You can add, delete, update and read the data. Let's check the source.

For example, we found the Firebase config file, so how do we now check for a vulnerability?

So far, from what I have read in bug bounty reports, there are mostly only 2 things found in Firebase misconfigurations: either read or write permission issues.

First, let's go with read permission. There are 2 ways I know to check for a misconfig.

1st: you can navigate to https[:]//target.firebaseio.com/.json to check all of the existing data. As you can see, it listed the 2 data entries we had from the web app.

2nd: let's use FirebaseScanner and put in the Firebase name; mostly it is (target).firebaseio.com

As you can see, it shows a Misconfigured Firebase.

If we check the code, it is also checking the .json

Next is write permission. For this exploit we will use Insecure-Firebase-Exploit to check for write permission. There are 2 scenarios here: one with both read and write permission, and the other without read permission but with write permission.

Remember! If you are going to exploit a write permission, this can result in overwriting files, so be careful! Also, don't leave the filename blank in the script.

If you run the script and get this response, it means that you have write permission and you can also read it.

To further validate your exploit, you can navigate to the file by entering target.firebaseio.com/<filename>.json

For this scenario you need to change the .read rule to auth.uid !== null

If we check our previous exploit, you can see that permission is now denied.

Next we run our tool again. As you can see, it shows permission denied on read, but the write was a success. If you check it on the web as well, it doesn't show our file.

If you get this response, it means that the file is created but you don't have permission to read it.

If you don't have permission to write, you will probably get something like this if you try to add the filename you created.

If we also go to our Realtime Database dashboard, you can see that our file is in there along with the data we entered.
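The two rule states used in this walkthrough (open read and write, then `.read` changed to `auth.uid !== null` with write still open) can be caught from the defender's side before the rules are deployed. The following is an added example, not code from the original post or from the tools it uses: a small Python audit of an exported Realtime Database rules file. The sample rule sets, the `todos/$uid` path and the function names are constructed for illustration.

```python
import json

# Constructed rule sets mirroring the post's two scenarios, plus a scoped one.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
WRITE_STILL_OPEN = '{"rules": {".read": "auth.uid !== null", ".write": true}}'
SCOPED_RULES = """{"rules": {"todos": {"$uid": {
    ".read": "auth.uid === $uid", ".write": "auth.uid === $uid"}}}}"""
NESTED_RULES = '{"rules": {".read": false, "public": {".write": "true"}}}'


def is_public(expr):
    """True when a rule is the literal true, i.e. no authentication needed."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"


def audit_rules(rules_json):
    """Return sorted (path, operation) pairs open to unauthenticated clients."""
    findings = []

    def walk(node, path, inherited):
        # .read/.write cascade: a grant on a parent also covers every child,
        # so only the shallowest open path is reported.
        granted = dict(inherited)
        for op in (".read", ".write"):
            if is_public(node.get(op, False)) and not inherited[op]:
                findings.append((path or "/", op))
                granted[op] = True
        for key, child in node.items():
            if isinstance(child, dict) and not key.startswith("."):
                walk(child, f"{path}/{key}", granted)

    walk(json.loads(rules_json)["rules"], "", {".read": False, ".write": False})
    return sorted(findings)


if __name__ == "__main__":
    for name in ("OPEN_RULES", "WRITE_STILL_OPEN", "SCOPED_RULES", "NESTED_RULES"):
        print(name, audit_rules(globals()[name]))
```

A rule such as `auth.uid !== null` passes this check but still admits any signed-in account, so rules like that need a manual review of who can sign in.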

So how about the HackTricks script? We could also use this to check for a misconfig on Firebase.

For this scenario I will use the ROOTCON 2022 qualifier challenge. If you are interested, you can check this link https://ctf.laet4x.com/ctf-2022/rootcon-16-pre-qualifier/1-easy-300-illusive-mind-with-illusive-thoughts to try it on bevigil as well.

After we get the Firebase config, we just need to copy and paste everything into the script and run it. I will obfuscate it to prevent spoilers.

After you run the script you will get lots of data, and eventually you will find something odd which will help you get the flag. Alternatively, you can also get the data by going to /.json; in short, it's the same as the read permission misconfig.

References

https://firebase.google.com/docs/rules/rules-and-auth#realtime-database_1

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/buckets/firebase-database
https://github.com/shivsahni/FireBaseScanner
https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
