Firebase Subdomain Enumeration & PoC Testing
This repository provides a workflow to find subdomains of firebaseio.com, test them for public accessibility, and exploit a .json endpoint to check for write vulnerabilities. Additionally, mitigation steps are provided to fix the issue.
Requirements
Curl
Workflow
Subdomain Enumeration
Use subfinder to enumerate subdomains for firebaseio.com:
subfinder -d firebaseio.com -o subdomains.txt
Test Subdomains
Once subdomains are collected, use httpx to check .json endpoints for accessible responses (HTTP status code 200):
httpx -l subdomains.txt -path "/.json" -mc 200 -o valid_subdomains.txt
Firebase Checking vulnerability (Automatic Scanning & Exploit)
PoC Testing
Use curl to send a POST request to the .json endpoint to test if data can be written without authentication:
If successful, the server is vulnerable to unauthenticated write access.
How to Fix It:
To secure the Firebase database:
Set Firebase Database Rules:
Open the Firebase Console.
Go to Database > Rules.
Update the rules to restrict access only to authenticated users. Example:
Audit Subdomains:
Ensure there are no unused or publicly misconfigured Firebase databases.
Monitor Activity Logs:
Use Firebase to monitor access logs for suspicious activities.
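The rule change and audit steps above can be checked offline before deploying. The following is an added example, not code from this repository: it walks a Realtime Database rules document and reports every path where .read or .write is open to anyone. It assumes the rules are exported as plain JSON without comments; the sample rule sets and the "public_feed" node name are constructed for illustration.

```python
import json

# Constructed sample: the wide-open rule set that permits the
# unauthenticated write described in the PoC step.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: root restricted to signed-in users, but one child
# node ("public_feed", a hypothetical name) re-opens access to everyone.
MIXED_RULES = json.dumps({"rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "public_feed": {".read": True, ".write": "true"},
    "users": {"$uid": {".write": "auth != null && auth.uid == $uid"}},
}})


def _is_open(expr):
    """True when a rule expression grants access unconditionally."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip().lower() == "true"


def find_open_rules(rules_json):
    """Return sorted (path, rule) pairs where .read/.write is open to anyone."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                # Rules cascade downward, so a grant on a child node
                # exposes that whole subtree even if the root is locked.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("mixed", MIXED_RULES)):
        print(name, find_open_rules(doc))
```

An empty result means no node grants unconditional access; "auth != null" still admits any signed-in user, so per-user conditions such as the "users/$uid" rule in the sample are needed where data is private to one account.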
Alternative Methods to Identify SharePoint Sites
Using Search Engines
FOFA: Query: domain="firebaseio.com"
Shodan: Query: http.title:"Firebase"
ZoomEye: Query: site:"firebaseio.com"
References
Here are real-world examples of Firebaseio vulnerabilities reported on HackerOne:
Disclaimer
This script is intended for educational purposes and for security testing of systems you own or have explicit permission to test. Do not use this for unauthorized activities.