Week 28 - Firebase Misconfigurations
Last updated
A new week in 2022 means another web hacking tip! When testing an application, ALWAYS look for third-party services in use, such as Firebase Realtime Databases (identified by any subdomain of *.firebaseio.com). A Firebase database that is incorrectly configured to be publicly readable will expose its entire contents as JSON. To check this, all you need to do is visit the following link: https[:]//*.firebaseio.com/.json If the database is misconfigured, the /.json endpoint will return all of its contents. If it is NOT vulnerable, it will simply reply with ‘Permission denied.’ Keep this in mind for your next engagement!
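For teams that run Firebase themselves, the same check works as a self-audit, and the root cause is a security-rules document with an unconditional `.read`. The following Python is an added example written for this page, not code from the tip's author or from Firebase: `audit_own_database()` performs the GET on a `base_url` you supply (an assumed parameter, meant for a project you own), `classify_json_response()` interprets the reply the way the tip describes (a JSON dump versus ‘Permission denied’), and `find_open_read_paths()` lints a rules document for subtrees that are world-readable. The two rules documents and the sample responses are constructed for the demo so it runs offline.

```python
"""Defender-side helpers for the Firebase Realtime Database /.json check.

1. classify_json_response(): interpret a saved reply from GET <db>/.json.
2. find_open_read_paths(): lint Firebase security rules for an unconditional
   ".read": true, which is what makes /.json dump the whole database.
3. audit_own_database(): live version of (1) against a database you own.
"""
import json
import urllib.error
import urllib.request

# Constructed sample rules documents (not taken from any real project).
INSECURE_RULES = {
    "rules": {
        ".read": True,              # anyone on the internet can read everything
        ".write": "auth != null",
    }
}

HARDENED_RULES = {
    "rules": {
        ".read": "auth != null",    # reads require a signed-in user
        ".write": "auth != null",
        "public": {
            ".read": True,          # a deliberately public subtree, scoped narrowly
        },
    }
}


def find_open_read_paths(rules_doc):
    """Return the paths whose '.read' rule is the literal true (bool or 'true').

    Such a rule grants unauthenticated read access to that subtree and every
    node below it. Keys starting with '.' are rule keywords, not child paths.
    """
    open_paths = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        rule = node.get(".read")
        if rule is True or (isinstance(rule, str) and rule.strip().lower() == "true"):
            open_paths.append(path or "/")
        for key, child in node.items():
            if key.startswith("."):
                continue
            walk(child, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return open_paths


def classify_json_response(status, body):
    """Classify a reply from GET /.json.

    'public'  -> 200 with a JSON document: the database is world-readable
    'denied'  -> 401/403 or a {"error": "Permission denied"} body
    'empty'   -> 200 with 'null': readable, but nothing stored at the root
    'unknown' -> anything else (not JSON, wrong host, rate limiting, ...)
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    denied_body = isinstance(data, dict) and "Permission denied" in str(data.get("error", ""))
    if status in (401, 403) or denied_body:
        return "denied"
    if status == 200:
        return "empty" if data is None else "public"
    return "unknown"


def top_level_keys(body):
    """Top-level node names exposed by a public /.json reply, for the audit report."""
    data = json.loads(body)
    return sorted(data.keys()) if isinstance(data, dict) else []


def audit_own_database(base_url, timeout=10):
    """Live check of a database you own, e.g. base_url='https://<your-project>.firebaseio.com'."""
    url = base_url.rstrip("/") + "/.json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_json_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_json_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Constructed replies so the demo runs without network access.
    print(classify_json_response(200, '{"users": {"u1": {"email": "a@example.com"}}, "orders": {}}'))  # public
    print(classify_json_response(401, '{"error": "Permission denied"}'))  # denied
    print(find_open_read_paths(INSECURE_RULES))  # ['/']
    print(find_open_read_paths(HARDENED_RULES))  # ['/public']
```

A result of `public` from `audit_own_database()` on your own project means the root `.read` rule needs the `auth != null` (or a narrower) condition shown in `HARDENED_RULES`; running `find_open_read_paths()` over the rules you are about to deploy catches the same mistake before it reaches production.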