
FAQ

Installation

How do I install FireScan?

```bash
go install github.com/JacobDavidAlcock/firescan/cmd/firescan@latest
```

What are the requirements?

Go 1.19+ for building from source. Pre-compiled binaries are available for Linux, macOS and Windows.

Where's the binary installed?

$GOPATH/bin/firescan. Make sure $GOPATH/bin is in your PATH.

Usage

How do I find projectID and apiKey?

View the target app's source and search for firebaseConfig:

```javascript
const firebaseConfig = {
  apiKey: "AIzaSyD...",        // This
  projectId: "my-app-12345",   // And this
};
```

What does --all do?

Runs all traditional scans (RTDB, Firestore, Storage, Functions, Hosting) with the all wordlist.

What's probe/test/audit mode?

  • Probe: Read-only (default)
  • Test: Safe writes with cleanup
  • Audit: Deep testing, potentially destructive

See Safety Modes.

How do I test without authentication?

```bash
scan --unauth
```

Can I use this on production?

Probe mode is safe (read-only). Test/audit modes require authorization.

Authentication

What's the default test account?

[email protected] / password123

How do I use my own account?

```bash
auth -e [email protected] -P password123
```

Do tokens auto-refresh?

Yes. FireScan refreshes JWT tokens automatically.

Scanning

No findings. Is the app secure?

Possibly. Try:

  • Different wordlists (-l all)
  • Unauthenticated scan (--unauth)
  • Multiple test accounts

What does "Permission denied" mean?

The path is properly secured. This is normal and good.

How do I scan faster?

```bash
scan --all -c 100
```

Higher concurrency = faster.

How do I scan stealthily?

```bash
scan --all -c 10 --rate-limit 5
```

Lower concurrency + rate limiting = less detectable.

Output

How do I get JSON output?

```bash
scan --all --json
scan --all --json > results.json
```

What are severity levels?

  • Critical: Unauthenticated access
  • High: Authenticated over-privilege
  • Medium: Information disclosure
  • Low: Informational

Troubleshooting

"Invalid API Key" error

Verify the API key:

  • Starts with AIza
  • Exactly 39 characters
  • No extra spaces
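As an added example (not FireScan's own code), a small Python helper that pulls apiKey and projectId out of a firebaseConfig snippet like the one in the Usage section and applies the three checks above; the source snippet and the key value are constructed for this example.

```python
import re

# Constructed sample: the kind of snippet found when searching app source
# for "firebaseConfig". The key is 39 characters but has a trailing space,
# which is exactly the case the third check is meant to catch.
SAMPLE_SOURCE = """
const firebaseConfig = {
  apiKey: "AIzaSyD-EXAMPLE-KEY-0123456789abcdefghi ",
  authDomain: "my-app-12345.firebaseapp.com",
  projectId: 'my-app-12345',
  storageBucket: "my-app-12345.appspot.com",
};
firebase.initializeApp(firebaseConfig);
"""

# First firebaseConfig object literal; the config object is flat, so a
# non-greedy match up to the first closing brace is sufficient.
_OBJ_RE = re.compile(r"firebaseConfig\s*=\s*\{(.*?)\}", re.DOTALL)
# key: "value" pairs; the key may be bare or quoted, the value single- or
# double-quoted. Group 2 captures the quote so \2 closes with the same one.
_PAIR_RE = re.compile(r"""["']?(\w+)["']?\s*:\s*(["'])(.*?)\2""")


def extract_firebase_config(source: str) -> dict:
    """Return the string-valued fields of the firebaseConfig literal in source."""
    m = _OBJ_RE.search(source)
    if not m:
        return {}
    return {key: value for key, _quote, value in _PAIR_RE.findall(m.group(1))}


def check_api_key(api_key: str) -> list:
    """Apply the FAQ's three 'Invalid API Key' checks; return the problems found."""
    problems = []
    if any(c.isspace() for c in api_key):
        problems.append("contains whitespace")
    stripped = api_key.strip()
    if not stripped.startswith("AIza"):
        problems.append("does not start with AIza")
    if len(stripped) != 39:
        problems.append(f"length is {len(stripped)}, expected 39")
    return problems


if __name__ == "__main__":
    cfg = extract_firebase_config(SAMPLE_SOURCE)
    print("projectId:", cfg.get("projectId"))
    print("apiKey problems:", check_api_key(cfg.get("apiKey", "")) or "none")
```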

"Failed to create account"

Email/password auth may be disabled. Try:

```bash
auth --enum-providers
```

Scans are slow

Increase concurrency:

```bash
scan --all -c 100
```

Getting rate limited

Add rate limiting:

```bash
scan --all --rate-limit 10
```

Is this legal?

The tool is legal. Using it without authorization is not. Only test apps you own or have permission to test.

Can I use this for bug bounties?

Check the program rules. Most allow probe mode. Some prohibit automated scanning.
