
Introduction

FireScan is a command-line tool for testing Firebase application security. It enumerates accessible data, tests permissions, and identifies common misconfigurations.

What it does

FireScan tests:

  • Realtime Database access controls
  • Firestore collection permissions
  • Cloud Storage bucket security
  • Cloud Functions authorization
  • Authentication configuration

Quick example

```bash
# Install
go install github.com/JacobDavidAlcock/firescan/cmd/firescan@latest

# Run
firescan
firescan > set projectID my-app
firescan > set apiKey AIza...
firescan > auth --create-account
firescan > scan --all
```
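What the session above does underneath, as an added Go example written for this page (it is not FireScan's code and does not reproduce its internals): register a throwaway user with the Identity Toolkit `accounts:signUp` call, which is the write behind `auth --create-account`, then read each target once anonymously and once with the resulting ID token, and classify the pair. The Realtime Database takes the token as `?auth=`, the Firestore REST API as an `Authorization: Bearer` header. The `Prober` type, the target paths, the rule outcomes and the `FakeFirebase` stand-in server that lets the code run offline are all assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Outcome of one read: the rules allowed it, refused it (401 on RTDB, 403 on Firestore), or something else.
type Outcome string
const Readable, Denied, Other Outcome = "READABLE", "DENIED", "OTHER"
var byStatus = map[int]Outcome{200: Readable, 401: Denied, 403: Denied}

// Prober holds the base URLs. Against a real project they are https://identitytoolkit.googleapis.com,
// the database URL shown in the Firebase console and https://firestore.googleapis.com.
type Prober struct {
	Client                                *http.Client
	APIKey, Project                       string
	IdentityBase, RTDBBase, FirestoreBase string
}

// SignUp is the one write a probe run makes: accounts:signUp creates an email/password user
// that stays in the project's Authentication list until someone deletes it.
func (p *Prober) SignUp(email, password string) (string, error) {
	body, _ := json.Marshal(map[string]interface{}{"email": email, "password": password, "returnSecureToken": true})
	resp, err := p.Client.Post(p.IdentityBase+"/v1/accounts:signUp?key="+url.QueryEscape(p.APIKey), "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ IDToken string `json:"idToken"` }
	if resp.StatusCode != 200 || json.NewDecoder(resp.Body).Decode(&out) != nil || out.IDToken == "" {
		return "", fmt.Errorf("signUp failed: HTTP %d", resp.StatusCode)
	}
	return out.IDToken, nil
}

// Probe performs one read-only GET; token "" means anonymous. kind "rtdb" reads <target>.json and passes
// the ID token as ?auth=; kind "firestore" lists collection <target> over REST with a Bearer header.
func (p *Prober) Probe(kind, target, token string) (Outcome, error) {
	u := p.RTDBBase + "/" + strings.Trim(target, "/") + ".json"
	if kind == "firestore" {
		u = fmt.Sprintf("%s/v1/projects/%s/databases/(default)/documents/%s", p.FirestoreBase, p.Project, target)
	} else if token != "" {
		u += "?auth=" + url.QueryEscape(token)
	}
	req, err := http.NewRequest("GET", u, nil)
	if err != nil {
		return Other, err
	}
	if kind == "firestore" && token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := p.Client.Do(req)
	if err != nil {
		return Other, err
	}
	resp.Body.Close()
	if o, ok := byStatus[resp.StatusCode]; ok {
		return o, nil
	}
	return Other, nil
}

// Assess turns the anonymous/signed-in pair into a finding. The "weak" case is the reason a probe
// creates an account: a rule of just "auth != null" is satisfied by anyone who can self-register.
func Assess(anon, user Outcome) string {
	if anon == Readable {
		return "public: readable with no credentials"
	} else if user == Readable {
		return "weak: any self-registered user can read"
	}
	return "not readable as anonymous or as a newly created user"
}

// FakeFirebase stands in for the Identity Toolkit, RTDB and Firestore endpoints so the code runs
// offline. Its paths and the status each returns to anonymous (false) and signed-in (true) callers
// are constructed for this demo, not taken from any real app.
func FakeFirebase() *httptest.Server {
	rules := map[string]map[bool]int{
		"/config.json": {false: 200, true: 200}, // ".read": true
		"/users.json":  {false: 401, true: 200}, // ".read": "auth != null"
		"/v1/projects/my-app/databases/(default)/documents/orders": {false: 403, true: 403}, // owner-only rule
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		signedIn := r.URL.Query().Get("auth") == "demo-token" || r.Header.Get("Authorization") == "Bearer demo-token"
		if codes, ok := rules[r.URL.Path]; ok {
			w.WriteHeader(codes[signedIn])
		} else if r.URL.Path == "/v1/accounts:signUp" {
			fmt.Fprint(w, `{"idToken":"demo-token","expiresIn":"3600"}`)
		} else {
			http.NotFound(w, r)
		}
	}))
}
```

To use it, build a `Prober` with the three real base URLs and call `SignUp` once, then `Probe` each target twice (with `""` and with the token) and feed both outcomes to `Assess`; against `FakeFirebase` the same calls give `public` for `/config`, `weak` for `/users` and `not readable` for the `orders` collection. The `weak` verdict is the one worth looking for: it means the rules only check that a user is signed in, which the probe satisfied with an account it created itself.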

Use cases

Penetration testing: test Firebase apps during security assessments to find data exposure, permission issues, and misconfigurations.

Pre-deployment validation: audit security rules before deploying to production and catch mistakes early.

Security monitoring: scan your Firebase apps regularly to detect configuration drift or new vulnerabilities.

Key features

  • Read-only by default - Safe for production testing
  • Automatic token management - Refreshes the Firebase ID token (a short-lived JWT) for you during a session
  • Built-in wordlists - 200+ common paths for enumeration
  • Concurrent scanning - Configurable worker pools for speed
  • JSON output - Integrate with your tools

Safety

FireScan operates in three modes:

  • Probe (default): Read-only operations. Safe for production.
  • Test: Creates isolated test data. Requires confirmation.
  • Audit: Deep testing. Potentially destructive. Requires explicit authorization.

All scans run in probe mode unless you specify otherwise. Probe mode is read-only with respect to your data, but it is not free of side effects: `auth --create-account` (used in the quick example) registers a user in the target project's Firebase Authentication, which you should delete once the test is finished, and every read still counts as normal traffic in the project's usage.

Authorization required

Only use FireScan on applications you own or have explicit, written permission to test. Unauthorized testing is illegal.

Next steps