A powerful Firebase misconfiguration scanner and exploitation tool for ethical hackers, developers, and security researchers.
- About the Vulnerability
- What FireSploit Does
- Installation
- Demo
- Usage
- Project Structure
- Best Practices
- Legal Disclaimer
- Contributing
- Author
- Support
- License
Let me take you through a real problem that has been silently affecting thousands of apps across the world. Firebase is a handy, easy-to-implement backend service that lets your app store and sync data in real time.
The problem arises when you set security rules like these:
```json
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
```
These security rules mean that anyone on the internet can read, write to, and exfiltrate the entire database without authentication.
In 2018, researchers at Appthority and various independent security analysts (including bug bounty hunters) discovered that over 28,000 Firebase apps were publicly exposing sensitive data due to incorrect security rules.
FireSploit scans a Firebase Realtime Database endpoint for:
- `.read` misconfiguration (public access)
- `.write` misconfiguration (unauthorized data injection)
Optionally, it exploits the database:
- Reads and prints live data
- Injects a harmless payload to simulate an attack

```bash
git clone https://github.com/secshubhamsharma/FireSploit.git
cd FireSploit
pip install -r requirements.txt
```
```bash
# Scan a single Firebase instance
python3 firesploit.py --url https://yourproject.firebaseio.com

# Scan multiple targets from a file
python3 firesploit.py --file firebase_targets.txt

# Save results to a file
python3 firesploit.py --file firebase_targets.txt --output report.txt
```
If `.read` access is open:
- It dumps publicly accessible data
If `.write` access is open:
- It offers to inject a safe payload:
```json
{
  "pwned_by": "FireSploit",
  "status": "vulnerable",
  "timestamp": "2025-07-04"
}
```
```
FireSploit/
├── firesploit.py     # Main scanner and exploit tool
├── requirements.txt  # Python dependencies
├── README.md         # Project documentation
└── LICENSE           # MIT License file
```
To secure your Firebase Realtime Database and prevent exploitation by tools like FireSploit, follow these guidelines:
- Implement proper Firebase Security Rules
- Use strict `.read` and `.write` conditions:
```json
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
```
- Avoid setting rules to `true`
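As an added example that is not part of FireSploit, here is a small pre-deploy linter in Python that walks an exported Realtime Database rules document and flags any `.read` or `.write` that is unconditionally `true`, so the misconfiguration above is caught before it ships. The sample rulesets are constructed; the scoped variant shows that `auth != null` can be tightened further to per-user paths.

```python
import json

# Constructed sample rulesets (not from the FireSploit project): the wide-open
# rules shown above, and a scoped alternative where a signed-in user may only
# touch their own subtree.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": "true"}})
SCOPED_RULES = json.dumps({"rules": {"users": {"$uid": {
    ".read": "$uid === auth.uid",
    ".write": "$uid === auth.uid",
}}}})


def _grants_anonymous_access(expr):
    # The Realtime Database treats both boolean true and the string "true"
    # as "allow everyone, no authentication required".
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def find_public_rules(rules_json):
    """Return (path, rule) pairs where .read or .write is unconditionally true.

    Rules cascade downward: true at a parent grants access to every child and a
    stricter child rule cannot revoke it, so a hit at "/" exposes the whole database.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _grants_anonymous_access(value):
                    findings.append((path or "/", key))
            else:
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def rules_are_safe(rules_json):
    """Boolean form for a pre-deploy CI gate."""
    return not find_public_rules(rules_json)


if __name__ == "__main__":
    for path, rule in find_public_rules(OPEN_RULES):
        print(f"public {rule} at {path}")
```

Run it against the JSON you get from `firebase database:get-rules` (or the Rules tab in the console) and fail the deploy when `rules_are_safe` returns `False`.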
This project is intended for educational and authorized testing purposes only.
Unauthorized access to Firebase projects that you don’t own or control is illegal and unethical.
The creator of FireSploit is not responsible for misuse of this tool.
Want to improve FireSploit? Contributions are welcome!
Shubham Sharma
- GitHub: @secshubhamsharma
- LinkedIn: @secshubhamsharma
- Email: [email protected]
- Medium: secshubhamsharma
If you found this tool helpful, then ⭐ star the repo and share it with others in the infosec community!
This project is licensed under the MIT License – see the LICENSE file for details.