Skip to content

FAQ

Installation

How do I install FireScan?

bash
go install github.com/JacobDavidAlcock/firescan/cmd/firescan@latest

What are the requirements?

Go 1.19+ for building from source. Pre-compiled binaries available for Linux, macOS, Windows.

Where's the binary installed?

$GOPATH/bin/firescan. Make sure $GOPATH/bin is in your PATH.

Firebase Security Testing

How do I test Firebase security rules?

Use FireScan to automatically test your Firebase security rules by scanning Realtime Database and Firestore with different authentication states. FireScan checks if your rules properly restrict access to sensitive data.

bash
firescan > scan --all

What's the best way to check Firebase security?

The most thorough approach combines automated scanning with manual review. FireScan automates the enumeration and testing of Firebase services, while you review the findings and verify business logic. Start with probe mode (read-only) for production apps.

Can I test Firebase security without writing code?

Yes. FireScan is a command-line tool that doesn't require writing code. Simply install, configure your Firebase project details, and run scans. The tool handles all the complexity of testing Firebase security rules automatically.

How do I find Firebase database vulnerabilities?

FireScan identifies Firebase Realtime Database and Firestore vulnerabilities by:

  1. Testing paths with and without authentication
  2. Checking for overly permissive security rules
  3. Enumerating accessible collections and documents
  4. Verifying permission boundaries

What are common Firebase security misconfigurations?

The most common issues FireScan finds:

  • World-readable databases (.read: true in rules)
  • Overly permissive authenticated access
  • Missing path-level restrictions
  • Public Cloud Storage buckets
  • Unprotected Cloud Functions

Usage

How do I find projectID and apiKey?

View target app source, search for firebaseConfig:

javascript
const firebaseConfig = {
  apiKey: "AIzaSyD...",        // This
  projectId: "my-app-12345",   // And this
};

What does --all do?

Runs all traditional scans (RTDB, Firestore, Storage, Functions, Hosting) with the all wordlist.

What's probe/test/audit mode?

  • Probe: Read-only (default)
  • Test: Safe writes with cleanup
  • Audit: Deep testing, potentially destructive

See Safety Modes.

How do I test without authentication?

bash
scan --unauth

Can I use this on production?

Probe mode is safe (read-only). Test/audit modes require authorization.

Authentication

What's the default test account?

[email protected] / password123

How do I use my own account?

bash
auth -e [email protected] -P password123

Do tokens auto-refresh?

Yes. FireScan refreshes JWT tokens automatically.

Scanning

No findings. Is the app secure?

Possibly. Try:

  • Different wordlists (-l all)
  • Unauthenticated scan (--unauth)
  • Multiple test accounts

What does "Permission denied" mean?

The path is properly secured. This is normal and good.

How do I scan faster?

bash
scan --all -c 100

Higher concurrency = faster.

How do I scan stealthily?

bash
scan --all -c 10 --rate-limit 5

Lower concurrency + rate limiting = less detectable.

Output

How do I get JSON output?

bash
scan --all --json
scan --all --json > results.json

What are severity levels?

  • Critical: Unauthenticated access
  • High: Authenticated over-privilege
  • Medium: Information disclosure
  • Low: Informational

Troubleshooting

"Invalid API Key" error

Verify the API key:

  • Starts with AIza
  • Exactly 39 characters
  • No extra spaces

"Failed to create account"

Email/password auth may be disabled. Try:

bash
auth --enum-providers

Scans are slow

Increase concurrency:

bash
scan --all -c 100

Getting rate limited

Add rate limiting:

bash
scan --all --rate-limit 10

Is this legal?

The tool is legal. Using it without authorization is not. Only test apps you own or have permission to test.

Can I use this for bug bounties?

Check the program rules. Most allow probe mode. Some prohibit automated scanning.

See also