FAQ
Installation
How do I install FireScan?
go install github.com/JacobDavidAlcock/firescan/cmd/firescan@latestWhat are the requirements?
Go 1.19+ for building from source. Pre-compiled binaries available for Linux, macOS, Windows.
Where's the binary installed?
$GOPATH/bin/firescan. Make sure $GOPATH/bin is in your PATH.
Firebase Security Testing
How do I test Firebase security rules?
Use FireScan to automatically test your Firebase security rules by scanning Realtime Database and Firestore with different authentication states. FireScan checks if your rules properly restrict access to sensitive data.
firescan > scan --allWhat's the best way to check Firebase security?
The most thorough approach combines automated scanning with manual review. FireScan automates the enumeration and testing of Firebase services, while you review the findings and verify business logic. Start with probe mode (read-only) for production apps.
Can I test Firebase security without writing code?
Yes. FireScan is a command-line tool that doesn't require writing code. Simply install, configure your Firebase project details, and run scans. The tool handles all the complexity of testing Firebase security rules automatically.
How do I find Firebase database vulnerabilities?
FireScan identifies Firebase Realtime Database and Firestore vulnerabilities by:
- Testing paths with and without authentication
- Checking for overly permissive security rules
- Enumerating accessible collections and documents
- Verifying permission boundaries
What are common Firebase security misconfigurations?
The most common issues FireScan finds:
- World-readable databases (
.read: truein rules) - Overly permissive authenticated access
- Missing path-level restrictions
- Public Cloud Storage buckets
- Unprotected Cloud Functions
Usage
How do I find projectID and apiKey?
View target app source, search for firebaseConfig:
const firebaseConfig = {
apiKey: "AIzaSyD...", // This
projectId: "my-app-12345", // And this
};What does --all do?
Runs all traditional scans (RTDB, Firestore, Storage, Functions, Hosting) with the all wordlist.
What's probe/test/audit mode?
- Probe: Read-only (default)
- Test: Safe writes with cleanup
- Audit: Deep testing, potentially destructive
See Safety Modes.
How do I test without authentication?
scan --unauthCan I use this on production?
Probe mode is safe (read-only). Test/audit modes require authorization.
Authentication
What's the default test account?
[email protected] / password123
How do I use my own account?
auth -e [email protected] -P password123Do tokens auto-refresh?
Yes. FireScan refreshes JWT tokens automatically.
Scanning
No findings. Is the app secure?
Possibly. Try:
- Different wordlists (
-l all) - Unauthenticated scan (
--unauth) - Multiple test accounts
What does "Permission denied" mean?
The path is properly secured. This is normal and good.
How do I scan faster?
scan --all -c 100Higher concurrency = faster.
How do I scan stealthily?
scan --all -c 10 --rate-limit 5Lower concurrency + rate limiting = less detectable.
Output
How do I get JSON output?
scan --all --json
scan --all --json > results.jsonWhat are severity levels?
- Critical: Unauthenticated access
- High: Authenticated over-privilege
- Medium: Information disclosure
- Low: Informational
Troubleshooting
"Invalid API Key" error
Verify the API key:
- Starts with
AIza - Exactly 39 characters
- No extra spaces
"Failed to create account"
Email/password auth may be disabled. Try:
auth --enum-providersScans are slow
Increase concurrency:
scan --all -c 100Getting rate limited
Add rate limiting:
scan --all --rate-limit 10Legal
Is this legal?
The tool is legal. Using it without authorization is not. Only test apps you own or have permission to test.
Can I use this for bug bounties?
Check the program rules. Most allow probe mode. Some prohibit automated scanning.
