
hacking-insecure-firebase-database's Introduction

Insecure-Firebase

Case 1:

Allows Anonymous read and write or only read access

Add '.json' at the end of the database URL. If you see null or <data> in the response, the database is insecure and anyone can read/write into the database.

For example: https://insecure-firebase.firebaseio.com/.json returns null

POC (Insert data)

curl -X POST https://insecure-firebase.firebaseio.com/testing.json \
-d '{"cat": "meow", "dog": "bowbow"}'

This will create a new data location /testing in the database.

Now visit https://insecure-firebase.firebaseio.com/testing.json or https://insecure-firebase.firebaseio.com/.json and you will see that the new data has been added to the database.

Firebase configuration rules which lead to this vulnerability

{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    ".read": true,
    ".write": true
  }
}

As you can see in the above configuration, both read and write are set to true, which means anyone can read and write to this Firebase database. Developers sometimes use these settings for testing purposes but later forget to change them to only allow app users to read or write data (rare to find).

Case 2:

When the child is specified with no auth

When testing a Firebase database, what I was doing before was adding .json at the end of the database URL: if it returns null or any data, then the database is vulnerable, but if it returns permission denied, then the database is secure.

Then I watched a video shared by @B3nac where he showed that developers can also set rules for child nodes. Like this:

{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    "Admin": {
      ".read": false,
      ".write": false
    },
    "Users": {
      ".read": true,
      ".write": false
    }
  }
}

For the purpose of demonstration I deployed a Firebase database with the above rules, so if you go to

https://in-firebase-683e6.firebaseio.com/.json

you will get a permission denied error, but if you go to https://in-firebase-683e6.firebaseio.com/Users.json you will get user data, which is exposed due to the rule set on the Users node. So we can bruteforce endpoints to find other vulnerable endpoints.

Then I thought that a developer can also grant only write access to an endpoint, which means that if we go to that endpoint we will get a permission denied error, but if we try to write some data, we can. The permission rule on the development end will look like this:

{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    "Logs": {
      ".read": false,
      ".write": true
    }
  }
}

Here the developer sets the write rule at the Logs endpoint, so if you go to https://in-firebase-683e6.firebaseio.com/Logs.json you will get a permission denied error, but you can write data to it.

Example:

curl -X POST https://in-firebase-683e6.firebaseio.com/Logs.json -d '{"test": "testing"}'

If you run the above command, you will get something like this in the response: {"name":"-M3B_iyZE1RPDaPNuknX"}, which means the write is successful.
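For the defender's side of Case 1 and Case 2, the following added example (not part of the original README) audits a rules file for unconditional read or write grants at any depth. The function names are assumptions of this example; CASE2 merges the page's Users and Logs rule sets into one file, and HARDENED is a constructed rule set that ties access to the authenticated uid.

```python
import json
import re

# CASE1 is the Case 1 rules from this page, including the comment.
CASE1 = '''{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": { ".read": true, ".write": true }
}'''
# CASE2 combines the page's two Case 2 rule sets (assumption: one file).
CASE2 = '''{
  "rules": {
    "Admin": { ".read": false, ".write": false },
    "Users": { ".read": true, ".write": false },
    "Logs":  { ".read": false, ".write": true }
  }
}'''
# Constructed example: each user can reach only their own record.
HARDENED = '''{
  "rules": {
    "Users": { "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } }
  }
}'''

def load_rules(text):
    """Parse a rules file, dropping /* ... */ comments that plain JSON rejects."""
    return json.loads(re.sub(r"/\*.*?\*/", "", text, flags=re.S))["rules"]

def is_open(value):
    """True when a rule grants access with no condition (true or "true")."""
    return value is True or (isinstance(value, str) and value.strip() == "true")

def audit(rules, path="/"):
    """Return sorted (path, access) pairs for every unconditional grant.

    A grant at a node also covers all of its children, and a child rule
    cannot take it back, so each finding exposes the whole subtree.
    """
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if is_open(value):
                findings.append((path, key[1:]))
        elif isinstance(value, dict):
            findings += audit(value, path.rstrip("/") + "/" + key)
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("case1", CASE1), ("case2", CASE2), ("hardened", HARDENED)):
        print(name, audit(load_rules(text)))
```

Running the audit against an exported rules file before each deploy catches the write-only case, which a read check on the URL alone reports as permission denied.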

Exploiting with Firebase API key

Currently working on this; I will add more details later.

Developers can restrict an API key to control which websites, IP addresses or applications can use the API key.

Extra

Recovering Firebase remote config: https://blog.deesee.xyz/android/automation/2019/08/03/firebase-remote-config-dump.html

Note

Please set up your own database and test on it before playing with a production database, because one mistake can mess up all the data out there.

Contact Me

@tauh33dkhan
