FirebaseExploiter – Tool to Discover Exploitable Firebase Databases

FirebaseExploiter - Automated Tool to Scan for Vulnerable Firebase Databases and Exploit Them

Firebase is a popular mobile and web application development platform that provides developers with a range of features such as a real-time database, authentication, and hosting services. FirebaseExploiter takes advantage of misconfigured Firebase databases and attempts to extract sensitive information or modify the data stored within them.


FirebaseExploiter is a vulnerability discovery tool that finds Firebase databases that are open and exploitable. It was built primarily for mass bug bounty hunting and for penetration testing.

Bug hunters mostly use several techniques to extract data from Firebase databases. First, they attempt to read data from the database without any authentication. Second, they look for publicly accessible files that may contain sensitive information. Finally, they attempt to write data to the database and modify existing records to test whether the database enforces proper write permissions.
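From the defender's side, the unauthenticated read and write checks described above succeed only when the database rules grant access unconditionally. The following is an added example, not part of FirebaseExploiter or the original post: it audits a Realtime Database rules document for such grants. The sample rule sets and the function names are constructed for illustration, and the rules file is assumed to be strict JSON without comments.

```python
import json

# Constructed sample rule sets (not taken from any real project).
WEAK_RULES = """{
  "rules": {
    ".read": true,
    "users": {"$uid": {".write": "auth != null && auth.uid === $uid"}},
    "feedback": {".write": "true"}
  }
}"""

HARDENED_RULES = """{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {"$uid": {
      ".read": "auth != null && auth.uid === $uid",
      ".write": "auth != null && auth.uid === $uid"
    }}
  }
}"""

def is_unconditional(rule):
    """True when a rule grants access to everyone, signed in or not."""
    return rule is True or (isinstance(rule, str) and rule.strip() == "true")

def find_open_paths(rules_json):
    """Return sorted (path, operation) pairs usable without authentication."""
    findings = []

    def walk(node, path, inherited):
        granted = set(inherited)
        for op in ("read", "write"):
            # A grant cascades to every child path and cannot be revoked
            # deeper in the tree, so only the shallowest grant is reported.
            if op not in granted and is_unconditional(node.get("." + op)):
                findings.append((path or "/", op))
                granted.add(op)
        for key, child in node.items():
            # Keys starting with "." are rule properties, not child paths.
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", granted)

    walk(json.loads(rules_json).get("rules", {}), "", frozenset())
    return sorted(findings)

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_open_paths(doc))
```

Rules such as `auth != null` are not flagged here because they still require a signed-in user; whether that is strict enough depends on who can register an account.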

With this tool you can automatically scan for vulnerable Firebase databases and also exploit them.


  • Mass vulnerability scanning from list of hosts
  • Custom JSON data in exploit.json to upload during exploit
  • Custom URI path for exploit

FirebaseExploiter Installation

FirebaseExploiter was built using go1.19. Make sure you use the latest version of Go to install it successfully. Run the following command to install the latest version:

go install -v[email protected]

Running FirebaseExploiter

To scan a specific domain for an insecure Firebase DB:

firebaseExploiter -url

To exploit a Firebase DB by writing your own JSON document to it:

firebaseExploiter -url -exploit

Mass scanning for insecure Firebase databases from a list of target hosts:

firebaseExploiter -file firebase_domains.txt

Exploiting vulnerable Firebase DBs from a list of target hosts:

firebaseExploiter -file firebase_domains.txt -exploit
