HIGH out of bounds writefirestore

Out Of Bounds Write in Firestore

Scan your API now

How Out Of Bounds Write Manifests in Firestore

Out Of Bounds Write (OOBW) in Firestore occurs when an application writes data beyond the intended boundaries of an array or collection, allowing attackers to modify data they shouldn't have access to. This vulnerability is particularly dangerous in Firestore because of its flexible document structure and array manipulation capabilities.

The most common Firestore OOBW patterns involve array operations that don't properly validate indices or array lengths. Consider this vulnerable pattern:

// Vulnerable: No bounds checking on array index
async function updateTaskStatus(docId, taskId, newStatus) {
  const doc = await db.collection('projects').doc(docId).get();
  const project = doc.data();
  
  project.tasks[taskId].status = newStatus; // No validation of taskId
  
  await db.collection('projects').doc(docId).update(project);
}

An attacker can exploit this by providing a taskId that exceeds the array length, potentially overwriting adjacent properties or creating new array elements. If the tasks array has 3 elements and the attacker provides taskId=10, they might overwrite the 4th element (creating it if it doesn't exist) or even modify other document properties if Firestore's internal storage allows it.

Another Firestore-specific OOBW pattern involves using arrayUnion and arrayRemove without proper authorization checks:

// Vulnerable: No ownership validation
async function addTagToDocument(docId, tag) {
  await db.collection('documents').doc(docId)
    .update({
      tags: firebase.firestore.FieldValue.arrayUnion(tag)
    });
}

// Attacker can add tags to any document
// If they know document IDs, they can tag documents they don't own

Firestore's FieldValue.arrayUnion() and FieldValue.arrayRemove() operations are atomic but don't perform authorization checks. An attacker who can guess or enumerate document IDs can modify any document's array fields, even if they shouldn't have access to those documents.

Nested array manipulation creates additional OOBW opportunities:

// Vulnerable nested array access
async function updateNestedArray(docId, outerIndex, innerIndex, newValue) {
  const doc = await db.collection('nested').doc(docId).get();
  const data = doc.data();
  
  data.outerArray[outerIndex].innerArray[innerIndex] = newValue;
  
  await db.collection('nested').doc(docId).update(data);
}

Without validating both outerIndex and innerIndex, attackers can traverse multiple levels of array nesting, potentially accessing and modifying data structures they shouldn't see. This becomes especially dangerous when combined with Firestore's ability to store complex nested objects.

Firestore's FieldValue.increment() operation can also lead to OOBW when used without proper validation:

// Vulnerable: No bounds on increment target
async function incrementCounter(docId, counterName, increment) {
  await db.collection('counters').doc(docId)
    .update({
      [counterName]: firebase.firestore.FieldValue.increment(increment)
    });
}

An attacker can manipulate counterName to target any numeric field in the document, potentially affecting counters they shouldn't be able to modify or even creating new numeric fields if the field doesn't exist.

Firestore-Specific Detection

Detecting Out Of Bounds Write vulnerabilities in Firestore requires both static code analysis and dynamic runtime testing. The most effective approach combines automated scanning with manual code review.

middleBrick's Firestore-specific detection includes 12 parallel security checks that identify OOBW patterns. The scanner tests unauthenticated endpoints by sending boundary values to array indices and monitoring for unexpected data modifications. For example, it will test array indices like -1, 0, array.length, and array.length+1 to identify boundary violations.

Key detection patterns middleBrick looks for:

{
  "out_of_bounds_write": {
    "severity": "high",
    "category": "Input Validation",
    "description": "Array index manipulation detected",
    "remediation": "Validate array indices against array length before access",
    "evidence": "Array index 15 provided for array of length 3"
  }
}

The scanner also tests Firestore's array operations by attempting to modify array fields on documents where the user shouldn't have permission. It uses a technique called

Scan your API now Free API security scan

Frequently Asked Questions

How does middleBrick detect Out Of Bounds Write in Firestore?
middleBrick uses black-box scanning to test array boundary conditions by sending boundary values to array indices and monitoring for unexpected data modifications. It tests negative indices, indices beyond array length, and attempts to modify array fields on documents where the user shouldn't have permission. The scanner also analyzes your Firestore security rules to ensure they properly validate array access patterns.
What's the difference between OOBW and BOLA in Firestore?
BOLA (Broken Object Level Authorization) in Firestore occurs when users can access or modify objects they don't own, typically through IDOR (Insecure Direct Object Reference) vulnerabilities. OOBW is a more specific subset where the vulnerability involves array or collection boundaries - users can modify data beyond the intended array limits. While BOLA is about object ownership, OOBW is about boundary violations within authorized objects.

Related Pages

Out Of Bounds Write in APIsLearn about Out Of Bounds Write vulnerabilities in APIs, how attackers exploit them, detection methods, and prevention tOut Of Bounds Write with Bearer TokensLearn how out‑of‑bounds writes can occur when parsing Bearer tokens, how middleBrick detects them, and language‑specificOut Of Bounds Write with Api KeysHow out-of-bounds writes occur in API key handling, detection via black-box scanning, and language-specific fixes using Out Of Bounds Write with Basic AuthOut Of Bounds Write vulnerabilities in Basic Auth allow attackers to write beyond memory boundaries during credential prHipaa: Out Of Bounds WriteHow Out of Bounds Write vulnerabilities cause HIPAA violations. Learn detection with SAST/ASan and remediation with secuGdpr: Out Of Bounds WriteLearn how out-of-bounds write vulnerabilities in APIs can lead to GDPR risks, how to detect them via black-box scanning Iso 27001: Out Of Bounds WriteLearn how ISO 27001 applies to Out Of Bounds Write vulnerabilities in APIs, with detection methods and code-level remediCis: Out Of Bounds WriteLearn about Out Of Bounds Write vulnerabilities in APIs, including detection and remediation using middleBrick's securitOut Of Bounds Write in Aspnet with FirestoreLearn how Out Of Bounds Write vulnerabilities occur in ASP.NET with Firestore, and implement secure code patterns with cOut Of Bounds Write in Actix with FirestoreLearn how Out Of Bounds Write can occur in Actix apps using Firestore, and apply concrete validation fixes with code exaOut Of Bounds Write in Adonisjs with FirestoreLearn how Out Of Bounds Write vulnerabilities arise with AdonisJS and Firestore, and apply concrete validation and FiresOut Of Bounds Write in Axum with FirestoreUnderstanding Out Of Bounds Write risks in Axum with Firestore, including detection and concrete Rust code fixes for doc