# Week 28 - Firebase Misconfigurations

## Firebase Realtime Database Misconfigurations

A new week in 2022 means another web hacking tip!

When testing an application, ALWAYS look for third-party services in use, such as Firebase Realtime Databases (identified by any subdomain of \*.[firebaseio.com](http://firebaseio.com)). A Firebase database that is incorrectly configured to be publicly readable will leak all of its contents as JSON. To check this, all you need to do is visit the following link:

https\[:]//\*.[firebaseio.com/.json](http://firebaseio.com/.json)

If it’s misconfigured, the /.json endpoint will list all DB contents. If it's NOT vulnerable, it will simply tell you ‘Permission denied.’

Keep this in mind for your next engagement!

![SRC: https://atos.net/en/lp/securitydive/misconfigured-firebase-a-real-time-cyber-threat](/files/hpglVhA4rQPScA5pXHsB)
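
As an added example (not part of the original tip): an offline audit of a Realtime Database rules file that flags every path where `.read` or `.write` is granted unconditionally, which is the setting behind the open /.json endpoint described above. The sample rules are constructed, the function names are hypothetical, and the rules are assumed to be plain JSON without comments.

```python
import json

# Constructed sample rules in the Realtime Database rules JSON format.
OPEN_RULES = '''
{"rules": {".read": true, ".write": false,
           "users": {"$uid": {".read": "auth != null && auth.uid == $uid"}}}}
'''
LOCKED_RULES = '''
{"rules": {".read": false, ".write": false,
           "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                              ".write": "auth != null && auth.uid == $uid"}},
           "announcements": {".read": true}}}
'''

def _is_public(expr):
    """True when a rule grants access unconditionally."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"

def find_public_rules(rules_text):
    """Return sorted (path, operation) pairs where access is unconditional.

    Rules cascade: a grant at a parent path applies to every child, and a
    child rule cannot revoke it, so a finding at "/" exposes the whole DB.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_public(value):
                    findings.append((path or "/", key.lstrip(".")))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_text).get("rules", {}), "")
    return sorted(findings)

def root_is_publicly_readable(rules_text):
    """The case the tip describes: /.json returns the whole database."""
    return ("/", "read") in find_public_rules(rules_text)

if __name__ == "__main__":
    for name, text in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, find_public_rules(text), root_is_publicly_readable(text))
```

A finding below the root, such as the public `/announcements` path in the second sample, may be intentional; a finding at `/` is the misconfiguration this tip is about.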


