███████╗██╗██████╗ ███████╗███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██║██╔══██╗██╔════╝██╔════╝██╔════╝██╔══██╗████╗  ██║
█████╗  ██║██████╔╝█████╗  ███████╗██║     ███████║██╔██╗ ██║
██╔══╝  ██║██╔══██╗██╔══╝  ╚════██║██║     ██╔══██║██║╚██╗██║
██║     ██║██║  ██║███████╗███████║╚██████╗██║  ██║██║ ╚████║
╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚══════╝ ╚═════╝╚═╝  ╚═╝  ╚═══╝

FireScan is a powerful security tool designed for penetration testers and developers to audit the security posture of Firebase applications. It provides an interactive console to enumerate databases, test storage rules, check function security, and much more, all from a single, easy-to-use interface.

🎯 What's New in v2.1.0

This release focuses on reliability, performance, and security, addressing issues and adding features that make FireScan more robust.

🐛 Bug Fixes

• Fixed FCM False Positive: Fixed a bug where FCM vulnerability scanner incorrectly flagged 401 Unauthorized responses as vulnerabilities. The scanner now correctly identifies only successful (2xx) responses as potential security issues. (Issues #1)
• Fixed Build Error: Corrected a formatting issue in management API testing that prevented compilation.

🛡️ Security & Reliability Improvements

• HTTP Request Timeouts: All HTTP requests now have a 30-second timeout to prevent hanging on unresponsive endpoints. Configurable transport settings ensure optimal performance.
• Input Validation: Added validation for all user inputs including Project IDs, API keys, JWTs, emails, file paths, and more.
• Rate Limiting: New built-in rate limiter protects Firebase APIs from being overwhelmed. Configure with --rate-limit flag (requests per second) during scans.
• Structured Logging System: All new logging with severity levels (DEBUG, INFO, WARNING, ERROR, CRITICAL), file persistence, and automatic finding logs. Configure with --log and --log-level flags.

📊 Enhanced Error Reporting

• Real-Time Error Display: Scanner errors are now displayed immediately as they occur, with detailed context including timestamp, job type, path, and error message.
• Error Summary Statistics: Scan summaries now include total error counts alongside findings, giving complete visibility into scan results.
• Better Resource Cleanup: Fixed silent failures in scanner workers and improved response body handling to prevent memory leaks.

🔧 Developer Experience

• Better Error Messages: Input validation provides clear, actionable error messages that explain exactly what's wrong and how to fix it.
• Improved Performance: Centralised HTTP client with connection pooling and keep-alive support for faster scans.
• Code Quality: Major refactoring for better maintainability and future feature development.

📝 Usage Examples

Basic scan with rate limiting:

firescan scan --services firestore,rtdb --rate-limit 10

Scan with logging enabled:

firescan scan --services all --log firescan.log --log-level info

Validate inputs before scanning:

firescan set projectid my-firebase-project
firescan set apikey AIzaSy...
firescan scan --services firestore

📦 Installation

Download the latest binary for your platform from the Releases page, or build from source:

git clone https://github.com/JacobDavidAlcock/firescan.git
cd firescan
go build -o firescan cmd/firescan/main.go

🙏 Acknowledgments

Special thanks to [@cerodriguezl] for reporting the FCM false positive bug and providing detailed reproduction steps. Community contributions like these make FireScan better for everyone!

📋 Full Changelog

Bug Fixes:

• Fix FCM false positive with 401 Unauthorized responses
• Fix build error in management API quota endpoint

New Features:

• Add HTTP request timeouts (30s default)
• Add comprehensive input validation
• Add configurable rate limiting
• Add structured logging system with file persistence
• Add real-time error display during scans

Improvements:

• Enhanced error reporting with detailed context
• Better resource cleanup and memory management
• Improved HTTP client with connection pooling
• Better error messages and user feedback

See the full diff: v2.0.0...v2.1.0

Thank you to everyone using FireScan and contributing to its development. Happy scanning! 🔥

███████╗██╗██████╗ ███████╗███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██║██╔══██╗██╔════╝██╔════╝██╔════╝██╔══██╗████╗  ██║
█████╗  ██║██████╔╝█████╗  ███████╗██║     ███████║██╔██╗ ██║
██╔══╝  ██║██╔══██╗██╔══╝  ╚════██║██║     ██╔══██║██║╚██╗██║
██║     ██║██║  ██║███████╗███████║╚██████╗██║  ██║██║ ╚████║
╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

FireScan is a powerful security tool designed for penetration testers and developers to audit the security posture of Firebase applications. It provides an interactive console to enumerate databases, test storage rules, check function security, and much more, all from a single, easy-to-use interface.

🚀 The Advanced Security Update! 🚀

This release marks a massive leap forward for FireScan, introducing a powerful suite of advanced security testing modules, major UX improvements, and a complete code refactor for better performance and maintainability.

✨ Highlights ✨

• Complete Project Refactor: The entire codebase has been modularised for improved stability and to make future feature development faster than ever.
• Enhanced Session Management: You can now save and resume authentication sessions, check your auth status, and refresh tokens on the fly.
• Dynamic UI Feedback: A new dynamic status display provides real-time feedback during scans, so you always know what FireScan is doing.
• Expanded Wordlists: Default wordlists have been significantly expanded for more comprehensive enumeration across all Firebase services.

🛡️ New Security Modules 🛡️

• Unauthenticated Scanning: A new --unauth flag lets you perform tests for scenarios where authentication is disabled, helping to identify services that are improperly exposed to the public.
• Advanced Service Enumeration: Go beyond simple discovery with new probe, test, and audit modes for safer and deeper service analysis.
• App Check & Auth Testing: Uncover weaknesses in your Firebase App Check implementation and test for advanced authentication vulnerabilities.
• Deep Security Tests for Storage & Management API: We've added a full suite of tests for common misconfigurations, including CORS, ACLs, directory traversal, and insecure Management API endpoints.
• FCM & RTDB Advanced Tests: Launch targeted tests against Firebase Cloud Messaging and Realtime Database rule contexts to find complex security flaws.

Thank you to the community for your feedback, and happy scanning!

███████╗██╗██████╗ ███████╗███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██║██╔══██╗██╔════╝██╔════╝██╔════╝██╔══██╗████╗  ██║
█████╗  ██║██████╔╝█████╗  ███████╗██║     ███████║██╔██╗ ██║
██╔══╝  ██║██╔══██╗██╔══╝  ╚════██║██║     ██╔══██║██║╚██╗██║
██║     ██║██║  ██║███████╗███████║╚██████╗██║  ██║██║ ╚████║
╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

FireScan is a powerful security tool designed for penetration testers and developers to audit the security posture of Firebase applications. It provides an interactive console to enumerate databases, test storage rules, check function security, and much more, all from a single, easy-to-use interface.

🚀 This is the first official release of FireScan!

Features:

• Interactive console with command history and tab-completion.
• Full enumeration support for RTDB, Firestore, Storage, Functions, and Hosting.
• Automated authentication and token management.
• And much more!