Hello all, I hope your doing well. So today we are going to discuss one the topic related android application vapt, which rarely found but quit interesting. As we know that lots of people use firebase to store data for android application, as well as we also get url of that database into application. so after reversing an apk file using apktool we easily get that value that we can easily test and get good bounty.

#Firebase & Security Misconguration

Firebase is real time database platform developed by google for creating web and mobile application. So anyone can simple use it with free plan as well while setting it their may be possibilities of some permissions misconfiguration like public read as well as write access you can check the picture given below.

Application having public read and write access so any attacker easily use this functionality to read sensitive data or can able to alter existing data.
#Recon for Firebase

As we can see that firebase usually use in mobile application so it’s really easy to find out firebase url from mobile application. First need to reverse engineering an apk file if we are talking about an android application using apktool.

apktool d app-name.apk 

After that we can simply check for firebaseio url into stings.xml file present in values directory, for that you can simply open that file and check url manually or run following command.

cat res/values/strings.xml | grep firebaseio
#Exploitation of Firebase

Exploitation is really simple to test that we are going to test for read and write access only so there so high level technical knowledge required for this. To test read access to need to visit url and put .json at the end, so you may able to see data or null.

database_name.firebaseio.com/.json

So you can see that this is my testing account it showing some data or may show null.

For write access we can simply use a simple python script named insecure-firebase-exploit you can download it from here https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit

git clone https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit.git
cd Insecure-Firebase-Exploit
python Firebase_Exploit.py
Simply need to enter database name which given in url and our data that we want to write.

You can also use firebase scanner which directly gives us url from an apk file https://github.com/shivsahni/FireBaseScanner obviously it’s automated that oing to decompile apk file and check for firebase url.

So I hope you enjoy this article and hopefully it will help you in pentration testing as well as bug hunting. If you want video or article on specific topic please let me know. 🙂

LEAVE A REPLY

Please enter your comment!
Please enter your name here