Skip to content

0xbigshaq/firepwn-tool

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
screenshots
screenshots
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

firepwn

Most of the firebase pentest scripts on GitHub (like this one or this one) are using the Firebase REST API to test for configuration issues in Firebase apps. However:

  • They might provide false-positive results in some GCP environments
  • Those scripts test for authentication issues only and not authorization
  • They are just checking for allow read permissions. If the Firebase Security Rules are set to "deny read" but also allow write then you'll probably miss some critical findings(same thing about other queries such as delete, update, etc.)

After digging in Google's documentation for a while, I managed to realize how Firebase applications work internally and the real possibilities to exploit misconfigured Firebase Security Rules.

This is why I created firepwn: a tool for testing authentication and authorization by utilizing multiple Google services(Firebase Auth, Firestore and Cloud Functions) using the Client SDK.

Usage

  1. Launch the tool and populate the initialization form with the target project's firebaseConfig values (apiKey, authDomain, databaseURL, projectId).
  2. Click Start to bootstrap the Firebase SDKs. The rest of the UI unlocks once initialization succeeds.
  3. Use the Auth Service panel to authenticate:
    • Paste captured credentials or register a throwaway email/password account for classic testing.
    • Paste an oauthIdToken captured from your application's Google sign-in flow into the new Google OAuth form to assume an existing Google session.
  4. Run Firestore queries or Cloud Function invocations from the respective panels to verify authorization controls.

init_screenshot

Auth Features

Some applications use Firebase Authentication to manage its users (a very common design). If the app that you're testing has this feature enabled, you'll be able to login to your account and perform queries/cloud invocations as an authenticated user.

Login

login_screenshot

Registration

signup_screenshot

OAuth Login

firepwn offers a manual OAuth flow. Sign in to the target application via OAuth provider (tested working on Google), grab the provider-issued oauthIdToken (for example from your browser developer tools or the app's network logs) and paste it into the OAuth login field in firepwn.

oauth_screenshot

Fun fact: Firebase applications cannot prevent from new users to sign-up unless the application owner disable the whole authentication service.

It means that: even if you don't have credentials for a firebase application, you can always register a new account and then login using your fresh credentials.

How to close registration: If you want to close the registration option but keep the auth service alive, you can implement a custom Cloud Function that runs as a cron job to validate that nobody registered a new account. And more importantly, configure your Firebase Security Rules correctly.

Firestore DB Features

firepwn supports all of the useful Firestore DB methods:

  • Get (with limit, sort order, and filters)
  • Set (create, or overwrite if already exists)
  • Delete
  • Update

Get

get_screenshot

Note: Yes, it supports nested collections :D

Set

get_screenshot

Custom Scripting

It's possible to extend the abillities of firepwn by writing your own JavaScript code.

During initialization, I made sure that the firebase services will be stored in global variables(window.*) in case you'll want to write some custom code of your own to add complexity.

List of the variables:

variable Available methods/properties
window.authService https://firebase.google.com/docs/reference/js/v8/firebase.auth.Auth
window.firestoreService https://firebase.google.com/docs/reference/js/v8/firebase.firestore.Firestore
window.functionsService https://firebase.google.com/docs/reference/js/v8/firebase.functions.Functions
window.storageService https://firebase.google.com/docs/reference/js/v8/firebase.storage.Storage

Example 1: Firestore service

programmatic_dump

Example 2: Auth service

console_gif

Firebase Storage

If you see any references to gs:// or bucketDomain anywhere the app may use Firebase Storage. By including the storage bucket you can also try to perform list, download, upload, delete operations on Firebase Storage.

firebase_storage

Cloud Functions Feature

If the application's backend uses Google Cloud Functions, you can invoke those functions as well and perform tests to see if you're allowed to invoke any high privileged methods.

invoke_screenshot

Notes

Couple of notes:

  • In order to test the Cloud Functions and Firebase Storage feature you'll have to either:
    • Enable CORS in your firebase app
    • Alternatively, launch your Chrome with a --disable-web-security flag to override CORS errors
  • Sorry for my poor front-end syntax/DOM manipulations...I'm more of a backend dude :P

About

Firepwn is a tool made for testing the Security Rules of a firebase application.

Topics

firebase firebase-database firebase-security firestore firebase-pentest

Resources

Readme

License

GPL-3.0 license
Activity

Stars

573 stars

Watchers

4 watching

Forks

34 forks
Report repository

Releases

No releases published

Contributors 4

  •  
  •  
  •  
  •  

Languages