YOUR FIREBASE
SECURITY RULES
HAVE GAPS.
Standard OWASP Top 10 vulnerabilities manifest differently in serverless, frontend-first Firebase architectures. We find them before your CREST auditors do — and hand you the exact remediation code.
OWASP TOP 10
FIREBASE EDITION
Each OWASP category manifests uniquely in Firebase's serverless, client-centric architecture. Here is exactly where your attack surface lives.
Broken Access Control
The most exploited Firebase vulnerability. Permissive wildcard rules grant any authenticated user full read/write access to all documents, bypassing document-level ownership entirely.
// ❌ VULNERABLE — No ownership check: any signed-in user can read or write every document
allow read, write: if request.auth != null;
// ✅ REMEDIATED — owner-only access; on create the document does not exist yet, so check the incoming data
allow read, update, delete: if request.auth != null && request.auth.uid == resource.data.ownerId;
allow create: if request.auth != null && request.auth.uid == request.resource.data.ownerId;
Injection
Cloud Functions that blindly pass client-supplied strings into shell commands, child processes, or dynamic eval contexts. Serverless does not eliminate injection — it obscures it.
const path = require('path');
const { exec, execFile } = require('child_process');
// ❌ VULNERABLE
const cmd = `convert ${req.body.file}`;
exec(cmd); // Command injection: the string is interpreted by a shell
// ✅ REMEDIATED
const safe = path.basename(req.body.file); // strips directory components
execFile('convert', [safe]); // argument array, no shell, so metacharacters are never interpreted
Insecure Design
No Firebase App Check integration leaves your Cloud Functions and Firestore APIs open to automated scraping, credential stuffing, and client-side reverse-engineering of your data model.
// Missing App Check enforcement
// functions.https.onCall without
// context.app.token validation
Security Misconfiguration
Unrestricted GCP API keys embedded in client bundles, or Storage Buckets with public read/write permissions — both trivially discoverable via browser DevTools or public repo scanning.
// ❌ Storage bucket misconfiguration
allow read, write: if true;
// Exposes ALL files to public internet
Auth Failures
Misconfigured custom JWT claims enabling privilege escalation, or background trigger functions that execute without validating the authentication context of the originating event.
// ❌ Unvalidated background trigger
exports.onUserWrite = functions
.firestore.document('users/{id}')
.onWrite(async (change) => {
// No auth context validation
await elevatePrivileges(change);
});
Full assessment also covers: A02 Cryptographic Failures (insecure token storage), A06 Vulnerable Components (outdated Firebase SDK versions), A08 Software Integrity Failures (unsigned Cloud Function deployments), and A09 Logging Failures (missing audit trails in Firestore).
YOUR
REMEDIATION
CHECKLIST.
Not a vague risk report. A prioritized, OWASP-mapped checklist pointing to the exact file, line number, and rewritten code needed to close each vulnerability — before formal auditors arrive with their findings.
Wildcard document match with no UID ownership validation
Rewrite rules to enforce request.auth.uid == resource.data.ownerId on all user-scoped collections
Storage bucket allows public write without authentication check
Enforce request.auth != null and file size/type constraints on all write paths
Client-supplied filename passed directly to child_process.exec()
Sanitize with path.basename() and validate against allowlist before execution
onCall handler missing App Check token enforcement
Add context.app.token validation and configure App Check in Firebase Console
Firestore background trigger elevates privileges without verifying event source
Validate change.after.data() against expected schema; reject events missing auth metadata
WHY
BEFORE
CREST?
CREST-certified penetration testers are world-class generalists. Firebase is a highly specialized architecture. The gap between those two facts is where your risk lives.
CREST auditors bill by the hour.
Every hour they spend documenting known Firestore rule misconfigurations is an hour you are paying for. We eliminate the predictable findings before they arrive.
Firebase flaws are invisible to generic scanners.
Automated tools like Burp Suite or Nessus cannot read your Security Rules. Firebase vulnerabilities require manual, architecture-aware analysis — which is exactly what we do.
A failed CREST audit delays your roadmap.
A critical finding post-audit means a remediation sprint, a re-test, and a delayed compliance certificate. Our pre-audit removes that risk entirely.
FIND YOUR GAPS
BEFORE THEY DO.
A 30-minute scope call is all it takes. We review your Firebase architecture, confirm assessment scope, and deliver your OWASP-mapped remediation checklist within 48 hours.