A Python tool for testing Firebase configurations for potential security misconfigurations. I created a separate tool because the other tools I found each perform only specific checks, and I wanted to feed in a single line with a discovered config and have every check run at once. The main goal of this tool is to cover all known checks and put them together. If you know of other checks, feel free to create an issue and I'll see if they can be added too.
- Python 3.7 or higher
- pip (Python package manager)
- Clone or download the repository

  ```bash
  git clone https://github.com/haones/firebase-tester
  cd firebase-tester
  ```

- Create a virtual environment (recommended)

  ```bash
  python3 -m venv venv
  # On Linux/Mac:
  source venv/bin/activate
  # On Windows:
  venv\Scripts\activate
  ```

- Install required dependencies (quote the version specifier, otherwise the shell treats `>=` as an output redirection)

  ```bash
  pip install "requests>=2.28.0"
  ```

- Make the script executable (optional, Linux/Mac only)

  ```bash
  chmod +x fb_tester.py
  ```
Test with a complete Firebase configuration:

```bash
python3 fb_tester.py --firebase-config '{"apiKey":"AIza...","authDomain":"project.firebaseapp.com","projectId":"project-prd","storageBucket":"project.appspot.com"}'
```

Test with individual parameters:

```bash
python3 fb_tester.py --api-key "AIza..." --project-id "project-prd" --storage-bucket "project.appspot.com"
```

Enable debug mode to see the equivalent curl commands:

```bash
python3 fb_tester.py --firebase-config '...' --debug
```

Use custom credentials for the registration test:

```bash
python3 fb_tester.py --firebase-config '...' --email "test@example.com" --password "SecurePass123!"
```
| Option | Description |
|---|---|
| `--firebase-config` | Complete Firebase config as JSON string |
| `--api-key` | Firebase API key |
| `--auth-domain` | Firebase auth domain |
| `--database-url` | Firebase database URL |
| `--project-id` | Firebase project ID |
| `--storage-bucket` | Firebase storage bucket |
| `--sender-id` | Firebase messaging sender ID |
| `--app-id` | Firebase app ID |
| `--measurement-id` | Firebase measurement ID |
| `--email` | Email for registration test (default: `test@bugbounty.com`) |
| `--password` | Password for registration test (default: `TestPassword123!`) |
| `-d, --debug` | Enable debug output with curl commands |
- User Registration - Tests if new user registration is allowed with the API key
- Storage Bucket Access - Checks accessibility of Firebase Storage and Google Cloud Storage (tests anonymous, Bearer token, and Firebase token authentication)
- Storage Upload - Tests file upload capabilities (anonymous, Bearer token, and Firebase token authentication)
- Database Access - Tests read/write access to Firebase Realtime Database (anonymous, Bearer token, and Firebase token authentication)
- Database General Access - Tests common database endpoints for data exposure
- Remote Config - Attempts to fetch remote configuration data
- Firestore Collections - Checks for accessible Firestore collections using common collection names (anonymous, Bearer token, and Firebase token authentication)
- Crashlytics - Checks for access to crash reporting data
The tool provides clear status indicators for each check:
- ✓ - Check passed (potential vulnerability)
- ✗ - Check failed (secure)
- "-" - Check skipped (missing required configuration)
Authentication Types Tested:
- Anonymous - No authentication headers
- Bearer Token - Legacy authentication using `Authorization: Bearer {token}`
- Firebase Token - Modern authentication using `Authorization: Firebase {token}`
The tool automatically tests all three authentication methods when an ID token is available from successful registration.
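The following is an added example, not code from fb_tester.py, showing how the registration check and the three-way authentication probe described above fit together for one target (a Storage bucket listing). The endpoint URLs are the public Firebase REST endpoints (Identity Toolkit `accounts:signUp` and the `firebasestorage.googleapis.com/v0/b/{bucket}/o` listing call); the HTTP transport is injected, and the `fake_http` backend below is a constructed stand-in so the example runs offline. The status marks follow the ✓ / ✗ / "-" convention of this README.

```python
"""Added example: probe a Firebase Storage bucket listing with the three
authentication variants (anonymous, Bearer, Firebase) after attempting
self-registration. Not part of fb_tester.py; transport is injectable so
the demo runs offline against a constructed fake backend."""
import json
from typing import Callable, Dict, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status_code, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]

# Public Firebase REST endpoints used by the probe
SIGNUP_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key={key}"
STORAGE_LIST_URL = "https://firebasestorage.googleapis.com/v0/b/{bucket}/o"


def register_user(api_key: str, email: str, password: str, http: Transport) -> Optional[str]:
    """Try email/password sign-up; return the idToken if registration is open."""
    body = json.dumps({"email": email, "password": password, "returnSecureToken": True})
    status, text = http("POST", SIGNUP_URL.format(key=api_key),
                        {"Content-Type": "application/json"}, body)
    if status != 200:
        return None  # e.g. 400 OPERATION_NOT_ALLOWED when the provider is disabled
    return json.loads(text).get("idToken")


def auth_variants(id_token: Optional[str]) -> Dict[str, Dict[str, str]]:
    """Header sets to try: token-based variants only when a token was obtained."""
    variants: Dict[str, Dict[str, str]] = {"anonymous": {}}
    if id_token:
        variants["bearer"] = {"Authorization": f"Bearer {id_token}"}
        variants["firebase"] = {"Authorization": f"Firebase {id_token}"}
    return variants


def classify(status: int) -> str:
    """Map an HTTP status to the README's status marks."""
    if status == 200:
        return "✓"  # readable: potential vulnerability
    if status in (401, 403):
        return "✗"  # denied: secure
    return "-"      # 404 (no such bucket) or anything else: inconclusive


def check_storage_listing(bucket: str, id_token: Optional[str], http: Transport) -> Dict[str, str]:
    """Run the listing call once per auth variant and classify each response."""
    url = STORAGE_LIST_URL.format(bucket=bucket)
    return {name: classify(http("GET", url, headers, None)[0])
            for name, headers in auth_variants(id_token).items()}


# --- constructed fake backend (no network) -----------------------------------
def fake_http(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, str]:
    """Models a project with open sign-up and a rule like
    `allow read: if request.auth != null`: anonymous reads are denied,
    but any freshly registered user can list the bucket."""
    if url.startswith("https://identitytoolkit.googleapis.com/"):
        email = json.loads(body or "{}").get("email", "")
        return 200, json.dumps({"idToken": "fake-id-token", "email": email})
    if url.startswith("https://firebasestorage.googleapis.com/v0/b/"):
        auth = headers.get("Authorization", "")
        if auth.startswith("Firebase ") or auth.startswith("Bearer "):
            return 200, json.dumps({"items": [{"name": "backup.sql"}]})
        return 403, json.dumps({"error": {"code": 403, "message": "Permission denied."}})
    return 404, ""


def run_demo(http: Transport = fake_http) -> Dict[str, str]:
    """Register, then probe the bucket with every variant (hypothetical target values)."""
    token = register_user("AIza-fake", "test@example.com", "TestPassword123!", http)
    return check_storage_listing("project.appspot.com", token, http)


if __name__ == "__main__":
    for name, mark in run_demo().items():
        print(f"{mark} storage listing ({name})")
```

The fake backend is deliberately the common real-world shape: anonymous access is refused, so a single unauthenticated check would report the bucket as secure, but because sign-up is open, any `request.auth != null` rule is effectively public and the token-based variants succeed. That is why the registration result feeds every later check. To run against a real target, replace `fake_http` with a transport backed by `requests` and use only configurations you are authorized to test.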
```bash
python3 fb_tester.py --api-key "AIzaSyAbc123..." --project-id "my-project"
```

```bash
# Save your config to a file
echo '{"apiKey":"AIza...","projectId":"project-prd"}' > config.json
# Use it with the tool
python3 fb_tester.py --firebase-config "$(cat config.json)"
```

```bash
python3 fb_tester.py --firebase-config '...' -d > debug_output.txt
```
- https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/ @MuhammadKhizerJaved
- https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1 @Danang Tri Atmaja
- PHdays talk on firebase misconfigurations: https://x.com/bhavukjain1
HackerOne reports:
- Check for FCM takeover and support AAAA keys: https://web.archive.org/web/20220921183800/https://abss.me/posts/fcm-takeover/?s=09
- ✅ Check for accessible Cloud Firestore collections (try to guess): https://iosiro.com/blog/baserunner-exploiting-firebase-datastores - COMPLETED
Feel free to add new security checks by:
- Adding a new method to the `FirebaseConfigTester` class
- Calling it from the `run_all_checks` method
- Following the existing pattern for status reporting
This tool is for authorized security testing only. Always ensure you have permission before testing any Firebase configuration. The tool is provided as-is for educational purposes.