Project Description
I have a newly built software platform running entirely on Firebase and, as part of my contract with the end-client, I must supply an independent penetration-testing report. The application itself is straightforward—no AI components or unusual integrations—so the engagement will be tightly focused on classic web and cloud-hosted attack surfaces.
Key focus areas
• Authentication issues: confirm sign-in, session handling and privilege escalation vectors are fully locked down.
• Data leakage: verify that Firestore, Cloud Storage buckets and any API endpoints are not exposing sensitive information through misconfigurations or improper access rules.
• Injection attacks: test for SQL-like or NoSQL injection, as well as any injection vectors in Cloud Functions or user-supplied inputs.
Scope & approach
I am open to any methodology—black-, white-, or grey-box—as long as the final deliverables cover the items above and reflect real-world scenarios against a live Firebase deployment.
Deliverables
1. Formal penetration-test report detailing methodology, evidence, risk ratings and reproducible steps.
2. Remediation recommendations prioritised by severity.
3. Executive summary slide (1-2 pages) suitable for non-technical stakeholders.
4. Optional re-test memo once fixes have been applied.
Acceptance criteria
• All three focus areas are specifically addressed and evidenced.
• No critical or high findings remain unvalidated in the re-test (if performed).
• Report is clear enough to hand directly to the end client without edits.
The environment will be provided through a dedicated test project in Firebase along with limited admin credentials. Please let me know your estimated timeline and any prerequisites you might need.