A tool for testing Firebase Security Rules by behaving like a real client. Unlike most Firebase pentest scripts, which talk to the REST API, firepwn drives the actual Firebase Client SDK, so it exercises both authentication and authorization (Auth, Firestore, Storage and callable Cloud Functions) through the same code path a production app uses.
Configure a target project by entering its firebaseConfig values (apiKey, authDomain, databaseURL, projectId, storageBucket). Supports both individual form fields and pasting a raw JSON/JS config object.
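As an added example (not firepwn's own code), the following normalises a pasted config in either form, strict JSON or a JS snippet copied from a bundle, into the five fields the form takes and reports which are missing. `parseFirebaseConfig`, the regex-based JS-to-JSON conversion and the two sample inputs are this example's own assumptions; the project values in the samples are constructed and not a real project.

```javascript
// Added example, not firepwn's own code: normalise a pasted firebaseConfig
// (strict JSON or a JS snippet copied from the target's bundle) into the five
// fields the init form takes. Regex rewrites are enough because firebaseConfig
// values are simple string tokens; this is not a general JS parser.

const REQUIRED_KEYS = ['apiKey', 'authDomain', 'databaseURL', 'projectId', 'storageBucket'];

// Pull the object literal out of e.g. `const firebaseConfig = {...};` or
// `firebase.initializeApp({...})`: everything from the first `{` to the last `}`.
function extractObjectLiteral(text) {
  const start = text.indexOf('{');
  const end = text.lastIndexOf('}');
  if (start === -1 || end <= start) {
    throw new Error('no object literal found in pasted config');
  }
  return text.slice(start, end + 1);
}

// Turn a JS object literal into strict JSON: drop comments (the lookbehind keeps
// the `//` inside URLs such as databaseURL), convert single quotes, quote bare
// keys, strip trailing commas.
function jsObjectToJson(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(?<![:\w])\/\/[^\n]*/g, '')
    .replace(/'([^'\\]*)'/g, '"$1"')
    .replace(/([{,]\s*)([A-Za-z_$][\w$]*)\s*:/g, '$1"$2":')
    .replace(/,\s*([}\]])/g, '$1');
}

// Returns { config, missing }: the parsed object plus the required keys that
// are absent or empty, so the caller can decide whether to proceed.
function parseFirebaseConfig(text) {
  let obj;
  try {
    obj = JSON.parse(text.trim());            // already strict JSON?
  } catch {
    obj = JSON.parse(jsObjectToJson(extractObjectLiteral(text)));
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('pasted config is not an object');
  }
  const missing = REQUIRED_KEYS.filter((k) => typeof obj[k] !== 'string' || obj[k].length === 0);
  return { config: obj, missing };
}

// Constructed sample inputs (not a real project).
const SAMPLE_JS_CONFIG = `
  // copied from the target's app.bundle.js
  const firebaseConfig = {
    apiKey: 'AIzaSyExampleKey-NotReal-0000000000000', // public identifier, not a secret
    authDomain: 'example-app.firebaseapp.com',
    databaseURL: 'https://example-app-default-rtdb.firebaseio.com',
    projectId: 'example-app',
    storageBucket: 'example-app.appspot.com',
    appId: '1:1234567890:web:abcdef123456',
  };
  firebase.initializeApp(firebaseConfig);
`;

const SAMPLE_JSON_CONFIG =
  '{"apiKey": "AIzaSyExampleKey-NotReal-0000000000000", "projectId": "example-app"}';
```

The `apiKey` in a firebaseConfig is a public project identifier, not a credential; what decides whether a read or write succeeds is the Security Rules, which is exactly what the rest of the tool tests.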
Supports multiple Firebase Authentication methods:
- Email/Password - sign in with existing credentials or register a new account
- Google OAuth - paste an `oauthIdToken` captured from the target app's sign-in flow (e.g. from browser DevTools) to assume a Google session
- MFA (SMS) - complete multi-factor authentication challenges with SMS verification codes
- Anonymous - sign in anonymously to test rules that allow unauthenticated or anonymous users (an anonymous session still satisfies the common `request.auth != null` check, so rules written that way are effectively public)
Full CRUD operations on Firestore:
- Get - with document limit, sort order, and query filters (`==`, `<`, `<=`, `>`, `>=`, `array-contains`, `in`)
- Set - create documents or overwrite existing ones (with optional merge mode)
- Update - modify specific fields in existing documents
- Delete - remove documents
Supports nested collections/subcollections.
Interact with Firebase Storage buckets:
- List files and directories
- Upload / Download files
- Delete files
- Get metadata for stored objects
Invoke callable Cloud Functions with custom parameters to test authorization on backend logic.
Automatically discover and test Firestore collections:
- Collection discovery - probes 120+ common collection names (users, orders, settings, etc.) to find readable data
- Custom collections - add your own collection names to scan, with an option to scan custom names only
- Write/Delete testing - optionally test write and delete access on discovered collections (disabled by default to avoid accidental damage)
- Configurable concurrency - control scan speed from gentle (5) to aggressive (50) parallel probes
- Live results - real-time progress bar with per-collection R/W/D permission badges
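The discovery loop, as an added example that is not firepwn's code: a concurrency-limited scanner that records R/W/D per collection, keeps write and delete probes opt-in, reports progress per collection, and only ever deletes the document it wrote itself. `scanCollections`, `probeCollection`, the short wordlist, the `client` interface and the fake client with its rule table are this example's assumptions, constructed so that it runs offline.

```javascript
// Added example, not firepwn's own code: a concurrency-limited collection scanner
// with the same R/W/D shape as the tool's badges. `client` is injected so the loop
// runs offline against the constructed fake at the bottom.

const DEFAULT_WORDLIST = ['users', 'orders', 'settings', 'messages', 'admin', 'config'];

// Run fn over items with at most `concurrency` calls in flight, keeping input order.
async function mapWithConcurrency(items, concurrency, fn) {
  const results = new Array(items.length);
  let next = 0;
  async function worker() {
    while (next < items.length) {
      const i = next++;
      results[i] = await fn(items[i]);
    }
  }
  const workers = Array.from({ length: Math.max(1, Math.min(concurrency, items.length)) }, worker);
  await Promise.all(workers);
  return results;
}

// The Firestore SDK rejects rule-denied operations with err.code === 'permission-denied';
// anything else (network, invalid argument) is surfaced rather than swallowed.
function denied(err) {
  return Boolean(err) && err.code === 'permission-denied';
}

async function probeCollection(client, name, { testWrite = false, testDelete = false } = {}) {
  const result = { name, read: false, write: false, delete: false, docs: 0 };
  try {
    const docs = await client.read(name);   // a list query: needs `allow list`, not just `get`
    result.read = true;
    result.docs = docs.length;
  } catch (err) {
    if (!denied(err)) throw err;
  }
  if (!testWrite) return result;            // write probes are opt-in: they leave data behind
  let probeId = null;
  try {
    probeId = await client.write(name, { firepwnProbe: true, ts: Date.now() });
    result.write = true;
  } catch (err) {
    if (!denied(err)) throw err;
  }
  // Delete only the document this scan created; never touch pre-existing data.
  if (testDelete && probeId !== null) {
    try {
      await client.remove(name, probeId);
      result.delete = true;
    } catch (err) {
      if (!denied(err)) throw err;
    }
  }
  return result;
}

// Returns only collections where at least one operation succeeded.
async function scanCollections(client, opts = {}) {
  const { names = DEFAULT_WORDLIST, concurrency = 5, testWrite = false, testDelete = false, onProgress } = opts;
  let done = 0;
  const results = await mapWithConcurrency(names, concurrency, async (name) => {
    const r = await probeCollection(client, name, { testWrite, testDelete });
    done += 1;
    if (onProgress) onProgress(done, names.length, r);
    return r;
  });
  return results.filter((r) => r.read || r.write || r.delete);
}

// 'orders: RWD' style badge, matching the tool's per-collection display.
function badge(r) {
  return `${r.name}: ${r.read ? 'R' : '-'}${r.write ? 'W' : '-'}${r.delete ? 'D' : '-'}`;
}

// Constructed fake Firestore with a per-collection rule table, used only so the
// example runs offline. `rules` mirrors allow read/write/delete in Security Rules.
function fakeClient(rules) {
  const store = {};
  const deny = () => Object.assign(new Error('Missing or insufficient permissions.'), { code: 'permission-denied' });
  const allowed = (name, op) => Boolean(rules[name] && rules[name][op]);
  return {
    async read(name) {
      if (!allowed(name, 'read')) throw deny();
      return store[name] || [{ id: 'seed' }];
    },
    async write(name, doc) {
      if (!allowed(name, 'write')) throw deny();
      const id = `probe-${name}-${Math.random().toString(16).slice(2)}`;
      store[name] = (store[name] || []).concat([{ id, ...doc }]);
      return id;
    },
    async remove(name, id) {
      if (!allowed(name, 'delete')) throw deny();
      store[name] = (store[name] || []).filter((d) => d.id !== id);
    },
  };
}

// Constructed rule set: users readable, orders wide open, settings write-only.
const SAMPLE_RULES = {
  users: { read: true },
  orders: { read: true, write: true, delete: true },
  settings: { write: true },
};

// Stand-alone run: gentle concurrency, read-only (the tool's default).
scanCollections(fakeClient(SAMPLE_RULES), { concurrency: 5 }).then((found) => {
  for (const r of found) console.log(badge(r));
});
```

To point this at a real project you would supply a `client` whose `read` wraps `getDocs(query(collection(db, name), limit(1)))`, whose `write` wraps `addDoc` and whose `remove` wraps `deleteDoc` from the modular `firebase/firestore` API, with `db` being the Firestore instance (assumed here to be what the tool exposes as `window.firestoreService`). One caveat that applies to any wordlist scanner: a collection query needs `allow list` in the rules, so a collection that only permits `get` on known document IDs shows up as unreadable even though individual documents may be fetchable.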
Firebase services are attached to window globals during initialization, so you can run custom queries directly from the browser console:
| Variable | Reference |
|---|---|
| `window.authService` | Auth |
| `window.firestoreService` | Firestore |
| `window.functionsService` | Functions |
| `window.storageService` | Storage |
All operations are logged in a real-time output panel with success/error/info indicators.
- Launch the tool and fill in the initialization form with the target project's `firebaseConfig`.
- Click Start to bootstrap the Firebase SDKs. The rest of the UI unlocks once initialization succeeds.
- Use the Auth panel to authenticate (email/password, OAuth, or MFA).
- Run Firestore queries, Storage operations, or Cloud Function invocations from the respective panels to verify authorization controls.
```sh
npm install
npm run dev
```

Then open http://localhost:3000.