Pentesting apps using Parse as a backend
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Parse Revealer is a pentesting utility for Mac OS X that helps with analysis of Parse account used in an application under test. More info on attacking Parse is available in this article (russian version).

It has the following capabilities at the moment:

  • Validity checking of Parse Application ID and Client Key.
  • Getting the list of access permissions for custom Parse classes.
  • Revealing the structure of custom Parse classes with 'Find' permission set to 'YES',
  • Exporting all the revealed data to .txt.

WARNING: Parse Revealer can leave a trace in Parse classes - it adds new fields and objects when testing the corresponding permissions, so be careful.


The installation is simple - build and run the application in Xcode.


  1. Enter the applicationId and clientKey derived from the target app.
  2. Enter the names of Parse classes, also derived from the target, and click 'Save'. Basic Setup
  3. Go to the 'ACL Revealing' tab and click 'Reveal'. After a few seconds you'll see the list of access permissions for all saved classes. ACL Revealing
  4. Go to the 'Structure Revealing' tab, also click 'Reveal', and enjoy the structure of your classes. Structure Revealing
  5. On the last tab you can export all the revealed data to txt format. Export




Egor Tolstoy - @igrekde.


ParseRevealer is available under the MIT license. See the LICENSE file for more info.


  • Browse through objects in a specified class,
  • Create, update and delete objects in a specified class,
  • Dump all the classes to different file formats,
  • Stable work with objects-defined ACLs.