Evidence Collection Management

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write evidence files AS YOU GO, not just at the end.

• Save each piece of evidence IMMEDIATELY after collection
• DO NOT wait until the skill completes to save evidence
• If the audit crashes or is interrupted, all prior evidence must already be saved

This is not optional. Failure to save evidence progressively is a critical error.

This skill initializes and manages the evidence collection system for professional security audits.

When to Use This Skill

• Automatically invoked at the start of supabase-pentest
• When you need to organize evidence for a professional report
• When conducting audits that require documented proof
• For compliance and legal purposes

Why Evidence Collection Matters

Professional security audits require:

Evidence Directory Structure

The skill creates .sb-pentest-evidence/ with this structure:

.sb-pentest-evidence/
├── README.md                    # Evidence index and summary
├── curl-commands.sh             # All curl commands used (reproducible)
├── timeline.md                  # Chronological evidence timeline
│
├── 01-detection/
│   ├── initial-scan.json        # Raw detection results
│   ├── supabase-endpoints.txt   # Discovered endpoints
│   └── client-code-snippets/    # Relevant code excerpts
│       └── supabase-init.js
│
├── 02-extraction/
│   ├── extracted-url.json       # URL extraction proof
│   ├── extracted-anon-key.json  # Anon key with decoded JWT
│   ├── extracted-jwts.json      # All JWTs found
│   ├── service-key-exposure/    # If service key found (P0)
│   │   ├── location.txt
│   │   └── decoded-payload.json
│   └── db-string-exposure/      # If DB string found (P0)
│       └── connection-details.json
│
├── 03-api-audit/
│   ├── openapi-schema.json      # Raw OpenAPI/PostgREST schema
│   ├── tables/
│   │   ├── tables-list.json     # All exposed tables
│   │   └── tables-metadata.json # Column details per table
│   ├── data-samples/            # Sample data retrieved (redacted)
│   │   ├── users-sample.json
│   │   ├── orders-sample.json
│   │   └── ...
│   ├── rls-tests/               # RLS policy test results
│   │   ├── users-anon.json      # Anon access attempt
│   │   ├── users-auth.json      # Authenticated access
│   │   └── cross-user-test.json # Cross-user access attempt
│   └── rpc-tests/               # RPC function test results
│       ├── function-list.json
│       └── vulnerable-functions/
│           └── get-all-users.json
│
├── 04-storage-audit/
│   ├── buckets-config.json      # Bucket configurations
│   ├── buckets/
│   │   ├── avatars/
│   │   │   └── file-list.json
│   │   ├── backups/             # If sensitive (P0)
│   │   │   ├── file-list.json
│   │   │   └── sample-contents/ # Redacted samples
│   │   └── ...
│   └── public-url-tests/        # Direct URL access tests
│       └── backup-access.json
│
├── 05-auth-audit/
│   ├── auth-settings.json       # Auth configuration
│   ├── signup-tests/
│   │   ├── open-signup.json     # Signup availability
│   │   ├── weak-password.json   # Weak password test
│   │   └── rate-limit.json      # Rate limiting test
│   └── enumeration-tests/
│       ├── login-timing.json    # Timing attack data
│       ├── recovery-timing.json
│       └── otp-enumeration.json
│
├── 06-realtime-audit/
│   ├── websocket-connection.json
│   ├── postgres-changes/        # Table subscription tests
│   │   └── users-streaming.json
│   ├── broadcast-channels/      # Channel access tests
│   │   └── admin-channel.json
│   └── presence-data/
│       └── exposed-users.json
│
├── 07-functions-audit/
│   ├── discovered-functions.json
│   └── function-tests/
│       ├── hello-world.json
│       ├── get-user-data-idor.json
│       └── admin-panel-escalation.json
│
└── screenshots/                 # Optional: browser screenshots
    └── ...

Usage

Initialize Evidence Directory

Initialize evidence collection for audit

Manual Evidence Save

Save evidence: [description] to [category]

Evidence File Format

Each evidence file follows this structure:

{
  "evidence_id": "API-001",
  "timestamp": "2025-01-31T10:30:00Z",
  "category": "api-audit",
  "type": "data-sample",
  "finding_id": "P0-001",
  "description": "Users table data accessible without authentication",

  "request": {
    "method": "GET",
    "url": "https://abc123.supabase.co/rest/v1/users?select=*&limit=5",
    "headers": {
      "apikey": "[REDACTED - anon key]",
      "Authorization": "Bearer [REDACTED - anon key]"
    },
    "curl_command": "curl -X GET 'https://abc123.supabase.co/rest/v1/users?select=*&limit=5' -H 'apikey: eyJ...' -H 'Authorization: Bearer eyJ...'"
  },

  "response": {
    "status": 200,
    "headers": {
      "content-type": "application/json",
      "x-total-count": "1247"
    },
    "body": [
      {
        "id": "550e8400-e29b-41d4-a716-446655440001",
        "email": "[REDACTED]@example.com",
        "name": "[REDACTED]",
        "created_at": "2025-01-15T10:30:00Z"
      }
    ],
    "body_redacted": true,
    "total_rows_indicated": 1247
  },

  "analysis": {
    "severity": "P0",
    "impact": "All user PII accessible without authentication",
    "affected_data": ["email", "name", "id"],
    "row_count": 1247
  }
}

Curl Commands File

All curl commands are collected in curl-commands.sh:

#!/bin/bash
# Supabase Security Audit - Reproducible Commands
# Target: https://myapp.example.com
# Project: abc123def.supabase.co
# Date: 2025-01-31
#
# IMPORTANT: Replace [ANON_KEY] with actual key before running
# WARNING: These commands may modify data - use with caution

SUPABASE_URL="https://abc123def.supabase.co"
ANON_KEY="eyJ..."

# === DETECTION ===
# Check if Supabase is used
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

# === TABLE LISTING ===
# Get OpenAPI schema (list all tables)
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY"

# === DATA ACCESS TESTS ===
# Test: Users table (P0 - should be blocked)
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"

# Test: Orders table (should be blocked by RLS)
curl -s "$SUPABASE_URL/rest/v1/orders?select=*&limit=5" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"

# === RLS BYPASS TESTS ===
# ... additional commands ...

Timeline File

The timeline.md provides chronological evidence:

# Audit Timeline

## 2025-01-31 10:00:00 - Audit Started
- Target: https://myapp.example.com
- Authorization confirmed

## 2025-01-31 10:05:00 - Detection Phase
- Supabase detected with high confidence
- Project URL: https://abc123def.supabase.co
- Evidence: `01-detection/initial-scan.json`

## 2025-01-31 10:10:00 - P0 CRITICAL: Service Key Exposed
- Service role key found in client code
- Location: /static/js/admin.chunk.js:89
- Evidence: `02-extraction/service-key-exposure/`

## 2025-01-31 10:15:00 - API Audit Started
- 8 tables discovered
- Evidence: `03-api-audit/tables/tables-list.json`

## 2025-01-31 10:20:00 - P0 CRITICAL: Users Table Exposed
- All 1,247 user records accessible
- PII exposed: email, name
- Evidence: `03-api-audit/data-samples/users-sample.json`

...

Context Output

Updates .sb-pentest-context.json:

{
  "evidence": {
    "directory": ".sb-pentest-evidence",
    "initialized_at": "2025-01-31T10:00:00Z",
    "files_count": 45,
    "categories": {
      "detection": 3,
      "extraction": 5,
      "api-audit": 15,
      "storage-audit": 8,
      "auth-audit": 7,
      "realtime-audit": 4,
      "functions-audit": 3
    },
    "critical_evidence": [
      "02-extraction/service-key-exposure/",
      "03-api-audit/data-samples/users-sample.json",
      "04-storage-audit/buckets/backups/"
    ]
  }
}

Evidence Collection Rules

What to Collect

Redaction Rules

Sensitive data MUST be redacted in evidence files:

{
  "original": "john.doe@example.com",
  "redacted": "[REDACTED]@example.com"
}

{
  "original": "John Doe",
  "redacted": "[REDACTED]"
}

{
  "original": "sk_live_xxxxxxxxxxxxxxxxxxxx",
  "redacted": "sk_live_[REDACTED]"
}

NEVER store in evidence:

• Actual passwords
• Full credit card numbers
• Full API keys (show first/last 4 chars only)
• Full personal data (partial redaction required)

Naming Conventions

[category]-[test-name]-[timestamp].json

Examples:

• users-anon-access-20250131-103000.json
• admin-function-no-auth-20250131-143000.json

MANDATORY: Evidence File Updates

⚠️ Evidence MUST be saved PROGRESSIVELY during execution.

Critical Rule: Save As You Go

DO NOT batch all evidence at the end. Instead:

1. Before each test → Create evidence file placeholder
2. After each request → Save request details immediately
3. After each response → Save response immediately
4. After analysis → Add analysis to evidence file

Directory Initialization

At audit start, create:

mkdir -p .sb-pentest-evidence/{01-detection,02-extraction,03-api-audit/tables,03-api-audit/data-samples,03-api-audit/rls-tests,03-api-audit/rpc-tests,04-storage-audit/buckets,04-storage-audit/public-url-tests,05-auth-audit/signup-tests,05-auth-audit/enumeration-tests,06-realtime-audit/postgres-changes,06-realtime-audit/broadcast-channels,07-functions-audit/function-tests,screenshots}

Log to Audit Log

[TIMESTAMP] [supabase-evidence] [START] Initializing evidence directory
[TIMESTAMP] [supabase-evidence] [CREATED] .sb-pentest-evidence/
[TIMESTAMP] [supabase-evidence] [CONTEXT_UPDATED] Evidence tracking initialized

Integration with Other Skills

This skill is automatically invoked by supabase-pentest. Each audit skill should:

1. Save evidence to the appropriate subdirectory
2. Use consistent naming conventions
3. Add entries to curl-commands.sh
4. Update timeline.md for significant findings

Related Skills

• supabase-pentest — Orchestrator that initializes evidence collection
• supabase-report — Uses evidence for comprehensive reporting
• All audit skills — Contribute evidence to their respective directories