Agneyastra – A Security Tool to Identify Firebase Misconfigurations

Agneyastra – A Security Tool to Identify Firebase Misconfigurations

Firebase, a platform developed by Google, is widely used for web and mobile applications due to its robust services like real-time databases, authentication, cloud storage, and hosting.

However, its widespread adoption also makes it a frequent target for misconfigurations that can lead to severe security vulnerabilities.

This is where Agneyastra comes in—a powerful tool designed to help bug bounty hunters and security professionals detect Firebase misconfigurations with precision.

What is Agneyastra?

Agneyastra is named after a mythological weapon associated with fire, symbolizing its ability to "burn through" misconfigurations in Firebase services. It offers a comprehensive suite of features that ensures no vulnerability goes unnoticed.

Key Features of Agneyastra

  1. Detection Across All Firebase Services: Agneyastra can identify misconfigurations in all Firebase components, including Firestore, Realtime Database (RTDB), Cloud Storage, and Authentication.

  2. Correlation Engine and Secret Extraction: The tool correlates findings across services and extracts sensitive information (if any) for further analysis.

  3. Proof of Concept (POC) and Report Generation: Agneyastra automates the creation of POCs and detailed reports for identified vulnerabilities.

Installation Guide

To install Agneyastra, follow these steps:

1.Use the go install command:

go install github.com/JA3G3R/agneyastra/cmd/agneyastra@latest

2.Execute the tool using the following command:

./agneyastra --key <API_KEY> --all

Replace <API_KEY> with your Firebase API key.

Usage Example

Below is an example of how Agneyastra operates:

./agneyastra --key AIzaSyBv_y636JW_LYBcUQ7rN0b9Wukzop_gVEI --all
2024/11/22 23:17:40 Checking all services for misconfigurations
2024/11/22 23:17:42 Sign-in link sent to email: example@gmail.com
2024/11/22 23:17:44 Checking public read access. Dump directory:
2024/11/22 23:17:50 Running all firebase firestore misconfiguration checks
2024/11/22 23:18:00 Running all firebase rtdb misconfiguration checks

Sample Findings and Remedies

Agneyastra generates detailed reports highlighting vulnerabilities and suggesting remedies. Below are examples of findings:

Authentication Vulnerabilities

  • Anonymous Authentication:

    • Status: Vulnerable

    • Issue: Anonymous authentication enabled.

    • Remedy: Disable anonymous authentication from the Firebase Console.

  • Send Sign-in Link:

    • Status: Vulnerable

    • Issue: Sign-in link feature enabled.

    • Remedy: Disable "Send Sign-in Link" from the Firebase Console.

Cloud Storage Misconfigurations

  • Public Delete Access:

    • Status: Vulnerable

    • Issue: Public delete access allowed.

    • Remedy: Update rules to restrict delete operations to authenticated users (allow delete: if request.auth != null;).

  • Public Read Access:

    • Status: Vulnerable

    • Issue: Unauthenticated users can read storage objects.

    • Remedy: Restrict read permissions to authenticated users (allow read: if request.auth != null;).

Firestore Misconfigurations

  • Unauthenticated Write Access:

    • Status: Vulnerable

    • Issue: Unauthenticated users can write data.

    • Remedy: Update rules to restrict write operations (allow write: if request.auth != null;).

Realtime Database (RTDB) Misconfigurations

  • Unauthenticated Delete Access:

    • Status: Vulnerable

    • Issue: Unauthenticated users can delete database entries.

    • Remedy: Restrict delete operations to authenticated users (allow delete: if request.auth != null;).

Final Report Summary

Agneyastra provides a JSON-formatted report summarizing all findings. Below is an example structure:

{
  "api_keys": [
    {
      "api_key": "<API_KEY>",
      "auth": {
        "anon-auth": {
          "Vulnerable": "vulnerable:true",
          "Remedy": "Disable Anonymous Authentication"
        },
        ...
      },
      "services": {
        "bucket": {
          "delete": {
            ...
          },
          "read": {
            ...
          }
        },
        ...
      }
    }
  ]
}

Conclusion

Agneyastra is an essential tool for security professionals aiming to secure Firebase projects against potential misconfigurations.

Its robust detection capabilities, automated reporting, and actionable remedies make it a must-have for identifying and mitigating vulnerabilities effectively. You can learn more and Download Agneyastra in GitHub.

Upgrade Your Cybersecurity Skills EHA: Learn 150+ Practical Cyber Security Courses Online With Life Time Access - Enroll Here

 

Back to blog