Insecure Firebase Unauthorized Write Access on Crypto Exchange Bug Bounty

Scr1pty
Jun 5, 2024


>Hello My Hackermen!

Wazup, scr1pty on touch! This post is about how I found Unrestricted Anonymous Write Permissions in a Firebase Database.

Recon Stage

After my recon of the target, I found Firebase in use on one of the assets. I found it with Wappalyzer while opening all the subdomain links, but there are more ways to find it:

  • [JS Miner] Secrets/Credentials BurpSuite extension: This can highlight Firebase environment details (public API key, environment, database link). [Most helpful method]
  • Nuclei technologies scan: This can also enumerate Firebase.
  • Using Wappalyzer: This was my method in this situation.
  • Tools like firebaseEnum: firebaseEnum can be used, but I didn’t find any Firebase endpoints with this tool — maybe you’ll have better luck!

>The Exploit Idea

Using Wappalyzer, I was able to see that the web host uses Firebase integration. Then I found an Insecure Firebase Exploit and tried to launch it against the target. This exploit launches POST and PUT request methods to upload your custom file into the database, like:

example.com/malicious.json

However, it didn’t work and returned the error “No Firebase database was found.”

I decided to see how my exploit works…

I opened the code editor and saw that if you input any Firebase endpoint (http://example.com) into the exploit, the code automatically concatenates it into “http://example.com.firebaseio.com/”. Since I didn’t find any JS files with the actual Firebase database name, I tried deleting the concatenation from the exploit to upload files directly to the web host.

I got a success message: “Exploited Successfully”. Let’s check it with Burp Suite!

And BOOM! It worked! My file was successfully uploaded to the target!

If you visit the link in a browser, it only triggers an automatic download of the file, but in Burp you will see the file’s content.

Later, I figured out that the actual weakness is that the Anonymous PUT method was enabled, which allows unauthenticated users to upload any files. This proves that this vulnerability is still critical. So instead of using the exploit, we can just craft a PUT request with the provided data, and it will also trigger the vulnerability!
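A rules audit a defender can run against an exported Realtime Database rules file, added here as an example and not code from the original post or from Firebase. It assumes the weakness above comes from `.write` being granted without an `auth` condition; the sample rules and the function names `audit` and `public_writes` are constructed for illustration.

```python
import json

# Constructed sample rules (not from the target in the post): the weak set
# grants world read/write at the root; the hardened set requires a signed-in
# user and scopes access to that user's own node.
WEAK_RULES = json.loads("""
{"rules": {".read": true, ".write": true,
           "users": {"$uid": {".write": "auth != null && auth.uid === $uid"}}}}
""")
HARDENED_RULES = json.loads("""
{"rules": {"users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                              ".write": "auth != null && auth.uid === $uid"}},
           "public": {".read": true, ".write": false}}}
""")

def is_public(expr):
    """True when a .read/.write rule grants access with no condition at all."""
    if isinstance(expr, bool):
        return expr
    return str(expr).strip() == "true"

def audit(node, path="/", inherited=frozenset()):
    """Walk a rules tree and return (path, op, reason) findings.

    .read/.write grants cascade to every child path, so a public grant is
    reported once at the shallowest path; stricter child rules are flagged as dead.
    """
    findings = []
    granted = set(inherited)
    for op in (".read", ".write"):
        if op in node and is_public(node[op]) and op not in granted:
            findings.append((path, op, "granted to unauthenticated clients"))
            granted.add(op)
        elif op in node and op in inherited and not is_public(node[op]):
            findings.append((path, op, "condition ignored: parent already grants access"))
    for key, child in node.items():
        if isinstance(child, dict):  # child path or $wildcard; rule keys hold scalars
            findings += audit(child, path.rstrip("/") + "/" + key, frozenset(granted))
    return findings

def public_writes(rules_doc):
    """Paths where anyone can write (the condition behind an anonymous PUT)."""
    return [p for p, op, why in audit(rules_doc["rules"]) if op == ".write" and "unauthenticated" in why]

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for finding in audit(doc["rules"]):
            print(name, *finding)
```

The hardened sample still reports `/public` as world-readable, which is the intended review prompt for any deliberately public path.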

>Impact:

  1. Data Integrity and Confidentiality: Unauthorized write access allows attackers to manipulate data stored in the database, potentially injecting malicious content which could be served to users or used to phish information.
  2. Unauthorized Write Access: The ability to upload any file without authentication compromises the integrity of the application and can serve as a vector for further attacks, such as serving malware.
  3. Reputational Damage: Exploits of this nature can harm the trust users have in the platform, potentially leading to loss of business and user base.

Personal Advice

  • Always test the PUT Request Method to see if it’s enabled to upload your information/files into a web application.
  • If you see Firebase, try to connect to it with leaked public API keys (this will only be possible after a huge administrator mistake) OR use exploits to write any data into it.
  • Even if you are not able to write your file into Firebase, you can still try .json or user.json paths to get information disclosure from the database, like this:

https://examplefirebase.com/.json

OR

https://examplefirebase.com/users.json

Happy hacking hackerman!

Since I will be coming back from vacation soon, I’ll be preparing my recon post. Stay tuned!
