陌讯skills聚合平台

supabase-detect

📁 yoanbernabeu/supabase-pentest-skills 📅 13 days ago
53
总安装量
53
周安装量
#4040
全站排名
安装命令
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-detect

Agent 安装分布

claude-code 46
codex 27
opencode 27
antigravity 21
cursor 20

Skill 文档

Supabase Detection

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

  • Write to .sb-pentest-context.json IMMEDIATELY after each discovery
  • Log to .sb-pentest-audit.log BEFORE and AFTER each action
  • DO NOT wait until the skill completes to update files
  • If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill determines whether a web application uses Supabase as its backend.

When to Use This Skill

  • Starting a security audit on an unknown application
  • Verifying Supabase usage before running other audit skills
  • Quickly checking multiple applications for Supabase presence

Prerequisites

  • Target URL must be publicly accessible
  • Internet connection to fetch and analyze the target

Detection Methods

The skill uses multiple detection vectors:

1. Domain Pattern Matching

Searches for Supabase-related domains in:

  • HTML source code
  • JavaScript bundles
  • Network requests (via inline scripts)

Patterns detected:

*.supabase.co
*.supabase.com
supabase-cdn.com

2. JavaScript Client Detection

Looks for Supabase client library signatures:

// Import patterns
import { createClient } from '@supabase/supabase-js'
const { createClient } = require('@supabase/supabase-js')

// Client initialization
supabase.createClient(
createClient('https://
SUPABASE_URL
NEXT_PUBLIC_SUPABASE
VITE_SUPABASE
REACT_APP_SUPABASE

3. API Endpoint Detection

Checks for characteristic Supabase endpoints:

/rest/v1/
/auth/v1/
/storage/v1/
/realtime/v1/
/functions/v1/

4. Response Header Analysis

Looks for Supabase-specific headers:

x-supabase-*
sb-*

Usage

Basic Detection

Check if https://myapp.example.com uses Supabase

Detection with Verbose Output

Detect Supabase on https://myapp.example.com with full details

Output Format

Supabase Detected

═══════════════════════════════════════════════════════════
 SUPABASE DETECTED
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ✅ Supabase usage confirmed

 Detection Evidence:
 ├── Domain: abc123def.supabase.co (found in main.js)
 ├── Client: @supabase/supabase-js v2.x detected
 ├── Endpoints: /rest/v1/, /auth/v1/, /storage/v1/
 └── Headers: x-supabase-api-version present

 Project Reference: abc123def
 Project URL: https://abc123def.supabase.co

 Context saved to: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Supabase Not Detected

═══════════════════════════════════════════════════════════
 DETECTION RESULT
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ❌ Supabase not detected

 Scanned:
 ├── HTML source: No Supabase patterns
 ├── JavaScript bundles: 3 files analyzed, no matches
 ├── Network patterns: No Supabase endpoints
 └── Response headers: No Supabase headers

 Note: The app may use a self-hosted Supabase or custom domain.
       Try providing a known Supabase URL manually if you have one.
═══════════════════════════════════════════════════════════

Context Output

When Supabase is detected, the skill saves to .sb-pentest-context.json:

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "2025-01-31T10:00:00Z",
    "evidence": [
      {
        "type": "domain",
        "value": "abc123def.supabase.co",
        "location": "/static/js/main.js",
        "line": 1247
      },
      {
        "type": "client_library",
        "value": "@supabase/supabase-js",
        "version": "2.x"
      }
    ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

Audit Log Entry

Each detection is logged to .sb-pentest-audit.log:

[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com
[2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB
[2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB
[2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co
[2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high

Confidence Levels

Level Criteria
High Multiple evidence types (domain + client + endpoints)
Medium Single strong evidence (domain or explicit client init)
Low Only indirect evidence (generic patterns, possible false positive)

Edge Cases

Custom Domains

Some Supabase projects use custom domains (e.g., api.mycompany.com). In this case:

Detect Supabase on https://myapp.com with custom API domain api.mycompany.com

Self-Hosted Supabase

Self-hosted instances won’t have .supabase.co domains. Look for:

  • PostgREST patterns (/rest/v1/)
  • GoTrue auth patterns (/auth/v1/)
  • Supabase client library in code

Single Page Applications

For SPAs with lazy-loaded chunks:

Detect Supabase on https://myapp.com including all JS chunks

Common Issues

❌ Problem: Detection returns false negative on SPA ✅ Solution: The app may lazy-load Supabase. Try interacting with the app first to load all chunks, or provide known patterns.

❌ Problem: Multiple Supabase projects detected ✅ Solution: This can happen with multi-tenant setups. The skill will list all found projects.

❌ Problem: Detection is slow ✅ Solution: Large JS bundles take time to analyze. Use --quick mode for faster but less thorough detection:

Quick detect Supabase on https://myapp.com

Next Steps

After detection:

  1. Run supabase-extract-url to confirm and extract the project URL
  2. Run supabase-extract-anon-key to find the API key
  3. Or use supabase-pentest for a full guided audit

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

  1. Before starting any action → Log the action to .sb-pentest-audit.log
  2. After each discovery → Immediately update .sb-pentest-context.json
  3. After each significant step → Log completion to .sb-pentest-audit.log

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

  1. Create/Update .sb-pentest-context.json with results:

    {
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "...",
    "evidence": [ ... ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

  2. Create/Log to .sb-pentest-audit.log:

    [TIMESTAMP] [supabase-detect] [START] Starting Supabase detection
[TIMESTAMP] [supabase-detect] [SUCCESS] Supabase detected with high confidence
[TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json created/updated

  3. IMPORTANT: As the first skill in the audit chain, this skill is responsible for creating the context files if they don’t exist.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/01-detection/

Evidence Files to Create

File Content
initial-scan.json Raw detection results with all evidence
supabase-endpoints.txt List of discovered Supabase endpoints
client-code-snippets/ Directory with relevant code excerpts

Evidence Format

{
  "evidence_id": "DET-001",
  "timestamp": "2025-01-31T10:00:00Z",
  "category": "detection",
  "target_url": "https://myapp.example.com",

  "detection_results": {
    "supabase_detected": true,
    "confidence": "high",
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },

  "evidence": [
    {
      "type": "domain_pattern",
      "value": "abc123def.supabase.co",
      "location": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    },
    {
      "type": "client_library",
      "value": "@supabase/supabase-js",
      "version": "2.x"
    }
  ],

  "curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'"
}

Add to curl-commands.sh

# === DETECTION ===
# Check Supabase API availability
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

Add to timeline.md

## [TIMESTAMP] - Detection Phase Complete
- Supabase detected with [confidence] confidence
- Project: [project_ref]
- Evidence: `01-detection/initial-scan.json`

Related Skills

  • supabase-extract-url — Extract project URL from code
  • supabase-extract-anon-key — Find anon key
  • supabase-pentest — Full orchestrated audit
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。