# Google Firestore Mis-configurations

## Introduction

Firebase is a platform developed by Google for creating mobile and web applications. It is a Backend-as-a-Service aimed mainly at mobile applications. It removes the burden of programming the back end by providing an SDK and many other features that facilitate the interaction between the application and the back end.

## What are we going to cover?

This chapter covers how to find Firebase URLs in an APK and the common attacks that can occur on a misconfigured Google Firestore, which could lead to data breaches.

## Steps to setup lab

* Navigate to the `~/tools` folder on your cloudhacker machine. You will see `FireVu.apk` there.
* Follow the steps to attack

## Step to attack

There are two ways to find the Firebase URLs: manual extraction, or automated tools like `FirebaseScanner`.

* Here we'll use `Apktool` to extract the APK.
  * You can find apktool in your tools folder.

### Extraction of APK

We will use an intentionally vulnerable application to complete this exercise, although any other application that exposes Firebase information would do. Firebase endpoints can often be found in mobile applications. It is possible that the Firebase endpoint in use is badly configured, granting everyone privileges to read (and write) on it.

We will use the [FireVu](https://github.com/sahad-mk/FireVu) application for this demo.

* If you want to extract the APK from an application installed on Android, use this [Extractor App](https://play.google.com/store/apps/details?id=com.ext.ui&hl=en) to do that.
* Now decompile the APK using `apktool`. Use the command below to extract the source code from the APK.

`apktool d FireVu.apk -o app`

* It extracts the files into the `app` folder.

![apktool usage](/files/YxPnaWy1Oi1xhH88uaIN)

* Once decompiled, we can see the files and folders. Go to `res/values/strings.xml` and search for the `firebase` keyword.

![apktool usage](/files/wupFMFZktDiNJfIZON2G)

* Read the XML file and check whether it contains any Firebase URLs. You may find something like this URL: `https://xyz.firebaseio.com/`

![apktool usage](/files/U5fUCYxeqDKMYNofEYGf)

`cat res/values/strings.xml | grep "firebase"`

* Next, go to the browser and navigate to the found URL: `https://xyz.firebaseio.com/.json`. We have to add `.json` to interact with the Realtime Database, which might have READ/WRITE access.

![apktool usage](/files/7t2E6ijDrwS88Xm8mZz9)

* Here you may encounter two types of responses:
  * `Permission Denied`: This means that you cannot access it, so it's well configured.
  * `null` response or a bunch of JSON data: This means that the database is public and you have at least read access.
    * In this case, you could check for write privileges. This can be done using the [FireBaseScanner](https://github.com/shivsahni/FireBaseScanner) tool.

### Checking read/write access

* Since we have the endpoint `https://firevu-db.firebaseio.com`, we'll check whether we have write access. We have seen that any unauthorized user can retrieve the data from `firevu-db`.

![apktool usage](/files/4WS8LTErQ5b5Kj4YED2U)

* Let's check the write access. The data leak above is caused by a poorly implemented security rule: any parent/child node in the database is readable by anyone.

### Rules from firebase security documentation

Identifying your user is only part of security. Once you know who they are, you need a way to control their access to data in your database. Realtime Database Security Rules allow you to control access for each user. For example, here's a set of security rules that allows anyone to read the path /foo/, but no one to write to it:

```json
{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}
```

Now, try to write to the users data in the database. Check whether we can delete `user1`.

![apktool usage](/files/paqkVJjedMy1jRq2k01N)

Since we don't have write access, we can't write data to the database.
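From the defender's side, the same misconfiguration can be caught by auditing the rules file before it is deployed. The following is an added example, not part of the original lab or the Firebase documentation: it walks a Realtime Database rules tree and reports every path where `.read` or `.write` is unconditionally `true`, including child paths that inherit the grant because rules cascade downward. The function names and both sample rule sets are constructed for illustration.

```python
import json

# Constructed sample rule sets (not taken from the FireVu project).
OPEN_READ_RULES = json.loads("""
{ "rules": { ".read": true, ".write": false,
    "users": { "$uid": { ".read": "auth != null && auth.uid === $uid" } } } }
""")
DOC_EXAMPLE_RULES = json.loads("""
{ "rules": { "foo": { ".read": true, ".write": false } } }
""")


def _is_unconditional(value):
    """A rule is public when it is the literal true (boolean or string)."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def audit_rules(ruleset):
    """Return sorted (path, operation) pairs open to unauthenticated clients.

    .read/.write grants cascade: once a parent path grants access, rules on
    child paths cannot revoke it, so children are reported as inherited.
    """
    findings = []

    def walk(node, path, inherited):
        granted = set(inherited)
        for op in (".read", ".write"):
            if op in inherited:
                findings.append((path, op[1:] + " (inherited)"))
            elif _is_unconditional(node.get(op)):
                findings.append((path, op[1:]))
                granted.add(op)
        for key, child in node.items():
            # Keys starting with "." are rule properties, not child paths.
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, path.rstrip("/") + "/" + key, granted)

    walk(ruleset.get("rules", {}), "/", set())
    return sorted(findings)


if __name__ == "__main__":
    for path, op in audit_rules(OPEN_READ_RULES):
        print(f"PUBLIC {op:18} {path}")
```

In the first sample, the per-user rule under `/users/$uid` looks restrictive but has no effect, because the root-level `.read: true` already grants read access to every node beneath it.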

## Additional References

* [Firebase Takeover](https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1)
* [Apktool Documentation](https://ibotpeaches.github.io/Apktool/documentation/)
* [Firebase Unit Tests](https://firebase.google.com/docs/rules/unit-tests)


