A new week in 2022 means another web hacking tip!
When testing an application, ALWAYS look for third-party services in use, such as Firebase Realtime Databases (identifiable by any subdomain of *.firebaseio.com). A Firebase database that is incorrectly configured to be publicly readable will leak all of its contents as JSON. To check this, all you need to do is visit the following link:
https[:]//*.firebaseio.com/.json
If it’s misconfigured, the /.json endpoint will list all DB contents. If it's NOT vulnerable, it will simply tell you ‘Permission denied.’
Keep this in mind for your next engagement!
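On the defending side, the same misconfiguration can be caught by auditing the Realtime Database rules file before it is deployed. The script below is an added example, not part of the original tip: the sample rules are constructed, and it assumes the rules file is plain JSON without comments.

```python
import json

# Constructed sample rules file (assumption: plain JSON, no comments).
SAMPLE_RULES = """
{
  "rules": {
    ".read": true,
    ".write": "auth != null",
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_posts": {
      ".read": "true"
    }
  }
}
"""

def find_public_rules(node, path=""):
    """Return (path, rule) for every .read/.write rule that is unconditionally true."""
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            # A rule can be the boolean true or the string expression "true".
            if value is True or (isinstance(value, str) and value.strip() == "true"):
                findings.append((path or "/", key))
        elif isinstance(value, dict):
            # Descend into child paths; a grant at a parent also covers its children.
            findings.extend(find_public_rules(value, f"{path}/{key}"))
    return findings

def audit(rules_text):
    """Parse a rules document and list every publicly readable or writable path."""
    rules = json.loads(rules_text).get("rules", {})
    return find_public_rules(rules)

if __name__ == "__main__":
    for path, rule in audit(SAMPLE_RULES):
        print(f"{rule} is open to everyone at {path}")
```

A finding at `/` for `.read` is the case the tip describes: the whole database is returned from the `/.json` endpoint without authentication.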