Hello all, I hope your doing well. So today we are going to discuss one the topic related android application vapt, which rarely found but quit interesting. As we know that lots of people use firebase to store data for android application, as well as we also get url of that database into application. so after reversing an apk file using apktool we easily get that value that we can easily test and get good bounty.
#Firebase & Security Misconguration
Firebase is real time database platform developed by google for creating web and mobile application. So anyone can simple use it with free plan as well while setting it their may be possibilities of some permissions misconfiguration like public read as well as write access you can check the picture given below.
#Recon for Firebase
As we can see that firebase usually use in mobile application so it’s really easy to find out firebase url from mobile application. First need to reverse engineering an apk file if we are talking about an android application using apktool.
apktool d app-name.apk
After that we can simply check for firebaseio url into stings.xml file present in values directory, for that you can simply open that file and check url manually or run following command.
cat res/values/strings.xml | grep firebaseio
#Exploitation of Firebase
Exploitation is really simple to test that we are going to test for read and write access only so there so high level technical knowledge required for this. To test read access to need to visit url and put .json at the end, so you may able to see data or null.
For write access we can simply use a simple python script named insecure-firebase-exploit you can download it from here https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
git clone https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit.git cd Insecure-Firebase-Exploit python Firebase_Exploit.py
You can also use firebase scanner which directly gives us url from an apk file https://github.com/shivsahni/FireBaseScanner obviously it’s automated that oing to decompile apk file and check for firebase url.
So I hope you enjoy this article and hopefully it will help you in pentration testing as well as bug hunting. If you want video or article on specific topic please let me know. 🙂