
Scan Types

FireScan provides traditional and advanced scan types.

Traditional scans

Basic enumeration using wordlists. These scans run in probe mode, which is read-only, so they are safe to run against production.

--rtdb

Enumerates Realtime Database paths.

```bash
firescan > scan --rtdb -l users
```

For each wordlist term, tests case and singular/plural variants (for users: /users, /user, /Users, /USER) and reports which of those paths the security rules let the scan read.
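As an added illustration of what such a wordlist pass does (example code, not FireScan's own), the block below generates the path variants for one term, builds the REST URL for each, and classifies the responses. It assumes, beyond what the page states, a project id of demo-project, the RTDB REST URL shape https://<project>.firebaseio.com/<path>.json, and that a rule denial answers HTTP 401 with {"error": "Permission denied"}; the responses it "receives" are constructed so it runs offline.

```python
# Added example, not FireScan's own code: generate the RTDB path variants a
# wordlist scan tries and classify the REST responses. Assumptions (not from
# the page): project id "demo-project", the RTDB REST URL shape
# https://<project>.firebaseio.com/<path>.json, and that a rule denial
# answers HTTP 401 with {"error": "Permission denied"}.
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote


def path_variants(term: str) -> List[str]:
    """Case and singular/plural variants of one wordlist term.

    'users' -> ['USER', 'USERS', 'User', 'Users', 'user', 'users'].
    """
    # Trim a trailing plural 's' but leave words like 'address' alone.
    singular = term[:-1] if term.endswith("s") and not term.endswith("ss") else term
    forms = set()
    for word in (term, singular):
        forms.update({word.lower(), word.capitalize(), word.upper()})
    return sorted(forms)


def rtdb_url(project: str, path: str) -> str:
    """REST read of a path. shallow=true asks for keys only, so a hit on a
    large subtree does not pull the whole thing down during enumeration."""
    return f"https://{project}.firebaseio.com/{quote(path)}.json?shallow=true"


def classify(status: int, body: str) -> str:
    """Turn one RTDB REST response into a finding label."""
    if status == 401:
        return "denied"          # security rules blocked the read
    if status == 200:
        # RTDB answers the literal 'null' for an allowed read of an absent path
        return "empty" if json.loads(body) is None else "readable"
    return f"unexpected-{status}"


# Constructed responses standing in for the network; a real scanner would issue
# GET requests from a bounded worker pool (the -c option on this page).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "users": (200, '{"alice": true, "bob": true}'),
    "user": (200, "null"),
}
DENIED = (401, '{"error": "Permission denied"}')


def fake_responder(path: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(path, DENIED)


def scan_term(term: str, responder: Callable[[str], Tuple[int, str]]) -> Dict[str, str]:
    """Probe every variant of one term and return path -> finding."""
    return {path: classify(*responder(path)) for path in path_variants(term)}


if __name__ == "__main__":
    for path, finding in scan_term("users", fake_responder).items():
        print(f"{rtdb_url('demo-project', path)}  ->  {finding}")
```

Only a "readable" result is a finding worth reporting; "empty" means the rules allowed the read but nothing lives at that path, and "denied" means the rules did their job for that caller.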

--firestore

Enumerates Firestore collections.

```bash
firescan > scan --firestore -l all
```

--storage

Checks if Cloud Storage buckets are listable.

```bash
firescan > scan --storage
```

--functions

Tests Cloud Functions across 7 regions.

```bash
firescan > scan --functions
```

Regions tested:

  • us-central1, us-east1, us-east4
  • europe-west1, europe-west2
  • asia-east2, asia-northeast1

--hosting

Checks for publicly exposed firebase.json.

```bash
firescan > scan --hosting
```

--all

Runs all traditional scans.

```bash
firescan > scan --all
```

Advanced scans

With the exception of --unauth, which stays in probe mode, these scans require --test or --audit mode.

--unauth

Tests access without authentication.

```bash
firescan > scan --unauth
```

Runs in probe mode (read-only).

--write

Tests write permissions (create/update/delete). Requires --test: unlike probe mode these tests actually write to the target, so run them only against projects you are authorized to modify.

```bash
firescan > scan --write --test
```

--rules

Validates security rules with test cases.

```bash
firescan > scan --rules --rtdb --firestore --test
```

--authattack

Tests the project's authentication and token handling. Requires --audit.

```bash
firescan > scan --authattack --audit
```

Tests:

  • JWT algorithm confusion
  • Custom claims injection
  • Token expiration bypass
  • Signature validation
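To make the four checks concrete, the added example below (not FireScan's code) mints one forged token per check and runs them against a deliberately weak verifier and a hardened one. It assumes, beyond what the page states, HS256 tokens under a constructed shared secret so that it runs offline (real Firebase ID tokens are RS256 signed by Google), and it shows algorithm confusion in its alg=none form.

```python
# Added example, not FireScan's own code: the four token checks listed above,
# run as forged tokens against a deliberately weak verifier and a hardened one.
# Assumptions (not from the page): tokens are HS256 under a constructed shared
# secret so everything runs offline (real Firebase ID tokens are RS256 signed
# by Google), and algorithm confusion is shown in its alg=none form.
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

SECRET = b"constructed-demo-secret"   # constructed; never a real key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict) -> str:
    """Mint a token; alg=none yields an empty signature, as the JWT spec allows."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def weak_verify(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Flawed on purpose: honours whatever alg the header names (including
    none) and never looks at exp. 'now' exists only so both verifiers share
    a signature; this one ignores it, which is the expiry bug."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = b64url(hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return json.loads(b64url_decode(p)) if s == expected else None


def strict_verify(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Pins the algorithm, compares the MAC in constant time, then enforces exp."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        provided = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":             # never take alg from the header
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(provided, expected):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def forged_tokens(now: float) -> Dict[str, str]:
    """One forged token per check; a sound verifier rejects all four."""
    valid = {"uid": "alice", "exp": now + 3600}
    good = sign({"alg": "HS256", "typ": "JWT"}, valid)
    h, p, s = good.split(".")
    injected = b64url(json.dumps({**valid, "admin": True}, separators=(",", ":")).encode())
    return {
        "alg_confusion": sign({"alg": "none", "typ": "JWT"}, valid),
        "claims_injection": f"{h}.{injected}.{s}",     # payload edited, old MAC kept
        "expiry_bypass": sign({"alg": "HS256", "typ": "JWT"}, {"uid": "alice", "exp": now - 1}),
        "bad_signature": f"{h}.{p}.{b64url(bytes(32))}",
    }


def run_checks(verifier: Callable[..., Optional[dict]], now: float) -> Dict[str, bool]:
    """True means the verifier ACCEPTED a forged token, i.e. that check failed."""
    return {name: verifier(tok, now=now) is not None
            for name, tok in forged_tokens(now).items()}


if __name__ == "__main__":
    for name, verifier in (("weak", weak_verify), ("strict", strict_verify)):
        print(name, run_checks(verifier, time.time()))
```

The weak verifier accepts the alg=none token and the expired one and rejects the other two; the strict verifier rejects all four. A real audit of a backend that consumes Firebase ID tokens replaces the HMAC step with RS256 verification against Google's published keys, but the shape of the checks is the same.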

--storage-sec

Deep storage security testing.

```bash
firescan > scan --storage-sec --test
```

Tests:

  • CORS misconfiguration
  • Bucket ACLs
  • Directory traversal
  • Malicious uploads (audit mode)
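As an added example of the first two checks (CORS misconfiguration and bucket ACLs), the block below reviews a bucket's CORS rules and IAM policy for the classic mistakes. It is not FireScan's code; it assumes the JSON shapes that gsutil cors get and gsutil iam get print, and the rules and policy it inspects are constructed.

```python
# Added example, not FireScan's own code: review a bucket's CORS rules and IAM
# policy for the CORS and bucket-ACL misconfigurations listed above. Input
# shapes are the JSON that `gsutil cors get` and `gsutil iam get` print; the
# sample rules and policy below are constructed.
from typing import Dict, List

WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def review_cors(rules: List[dict]) -> List[str]:
    """Flag CORS rules that let any web origin reach the bucket from a browser.

    '*' matches every origin; 'null' is the origin sandboxed frames and
    file:// pages send, so allowing it is nearly as broad.
    """
    findings = []
    for i, rule in enumerate(rules):
        origins = set(rule.get("origin", []))
        methods = {m.upper() for m in rule.get("method", [])}
        if not ({"*", "null"} & origins):
            continue
        writes = sorted(methods & WRITE_METHODS)
        if writes:
            findings.append(f"HIGH rule[{i}]: wildcard origin permits {writes}")
        else:
            findings.append(f"INFO rule[{i}]: wildcard origin for read-only methods {sorted(methods)}")
    return findings


def review_iam(policy: dict) -> List[str]:
    """Flag bucket IAM bindings that grant a role to everyone."""
    findings = []
    for binding in policy.get("bindings", []):
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        if not public:
            continue
        role = binding["role"]
        # Public write or admin rights are worse than public read.
        sev = "HIGH" if any(w in role.lower() for w in ("admin", "creator")) else "MEDIUM"
        findings.append(f"{sev} {role} granted to {sorted(public)}")
    return findings


def review_bucket(cors: List[dict], policy: dict) -> Dict[str, List[str]]:
    return {"cors": review_cors(cors), "iam": review_iam(policy)}


# Constructed samples: one sane CORS rule, one wildcard rule with write
# methods, and a policy that makes every object world-readable.
SAMPLE_CORS = [
    {"origin": ["https://app.example.com"], "method": ["GET", "HEAD"], "maxAgeSeconds": 3600},
    {"origin": ["*"], "method": ["GET", "PUT", "DELETE"], "maxAgeSeconds": 3600},
]
SAMPLE_IAM = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": ["user:dev@example.com"]},
    ]
}

if __name__ == "__main__":
    for area, findings in review_bucket(SAMPLE_CORS, SAMPLE_IAM).items():
        for f in findings:
            print(area, f)
```

A wildcard origin for GET alone is rated informational because CORS only governs which browser origins may read objects the caller could already fetch; access itself is decided by the bucket's IAM policy and, for Firebase Storage, by the storage security rules, which this block does not evaluate.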

Options

Wordlists

```bash
scan --rtdb -l users     # User-related paths
scan --rtdb -l config    # Configuration paths
scan --rtdb -l all       # All wordlists (200+ terms)
```

Built-in wordlists: users, config, passwords, functions, database, storage, security, all

Concurrency

```bash
scan --all -c 100        # 100 workers (fast)
scan --all -c 10         # 10 workers (stealthy)
```

Default: 50 workers

Rate limiting

```bash
scan --all --rate-limit 10    # 10 requests/second
scan --all --rate-limit 0     # Unlimited
```

JSON output

```bash
scan --all --json
scan --all --json > results.json
```

Quick reference

| Scan | Safety mode | Use case |
|---|---|---|
| --all | Probe | Standard enumeration |
| --unauth | Probe | Test without auth |
| --rtdb -l users | Probe | Target specific paths |
| --write --test | Test | Test write permissions |
| --authattack --audit | Audit | Deep auth testing |
