Supabase Security


Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

According to the landing page: Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.

Subdomain

Normally, when a project is created, the user receives a supabase.co subdomain such as: jnanozjdybtpqgcwhdiz.supabase.co

Database Settings

Tip: This data can be accessed from a link like https://supabase.com/dashboard/project/<project-id>/settings/database

This database is hosted in a particular AWS region, and it can be reached by connecting to: postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres (this one was created in us-west-1).
The password is the one the user set earlier.

Therefore, since the subdomain is known and is used as the username, and there are only a few AWS regions, it may be possible to brute force the password.

This section also offers options to:

  • Reset the database password
  • Configure connection pooling
  • Configure SSL: Reject plain-text connections (enabled by default)
  • Configure the disk size
  • Apply network restrictions and bans

API Configuration

Tip: This data can be accessed from a link like https://supabase.com/dashboard/project/<project-id>/settings/api

The URL to reach the supabase API in your project will look like: https://jnanozjdybtpqgcwhdiz.supabase.co.

anon api keys

It will also provide an anon API key (role: "anon"), such as: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk which the application needs in order to communicate with the API.

The REST API for interacting with this service is described in the docs, but the most interesting endpoints are:

<details>

<summary>Signup (/auth/v1/signup)</summary>

```
POST /auth/v1/signup HTTP/2
Host: id.io.net
Content-Length: 90
X-Client-Info: supabase-js-web/2.39.2
Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Content-Type: application/json;charset=UTF-8
Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cloud.io.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cloud.io.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```

</details>

<details>

<summary>Login (/auth/v1/token?grant_type=password)</summary>

```
POST /auth/v1/token?grant_type=password HTTP/2
Host: hypzbtgspjkludjcnjxl.supabase.co
Content-Length: 80
X-Client-Info: supabase-js-web/2.39.2
Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Content-Type: application/json;charset=UTF-8
Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cloud.io.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cloud.io.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```

</details>

So, whenever you find a client using supabase with the subdomain they were given (a company subdomain may have a CNAME pointing to their supabase subdomain), you can try to **create a new account on the platform using the supabase API**.

### Secret / service_role API key

A secret API key is also generated with **`role: "service_role"`**. This API key must be kept secret because it is able to bypass **Row Level Security**.

The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`

### JWT Secret

A JWT secret is also generated so the application can **create and sign custom JWT tokens**.

## Authentication

### Signups

<div class="mdbook-alerts mdbook-alerts-tip">
<p class="mdbook-alerts-title">
  <span class="mdbook-alerts-icon"></span>
  tip
</p>


By **default** supabase allows **new users to create accounts** on your project using the API endpoints mentioned above.

</div>


However, by default these new accounts **must verify their email address** before they can log in. It is possible to enable **"Allow anonymous sign-ins"** to let people log in without verifying their email. This could grant access to **unexpected data** (they receive the `public` and `authenticated` roles).\
This is a very bad idea because supabase charges per active user, so people could create users, log in, and supabase would bill you for them:

<figure><img src="../images/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

#### Auth: Server-side signup enforcement

Hiding the signup button in the frontend is not enough. If the **Auth server still allows signups**, an attacker can call the API directly with the public `anon` key and create arbitrary users.

Quick test (from an unauthenticated client):

```bash
curl -X POST \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@example.com","password":"Sup3rStr0ng!"}' \
  https://<PROJECT_REF>.supabase.co/auth/v1/signup
```

Expected hardening:

  • Disable email/password signups in the Dashboard: Authentication → Providers → Email → Disable sign ups (invite-only), or set the equivalent GoTrue setting.
  • Verify that the API now returns 4xx for the call used above and that no new user was created.
  • If you rely on invites or SSO, make sure every other provider is disabled unless it is explicitly required.
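Besides checking the API response once, it is worth watching the `auth.users` table for signups that keep arriving after the switch was flipped. The following queries are an added example written for this page, not Supabase's or HackTricks' own code. They assume the GoTrue `auth.users` columns `created_at`, `email_confirmed_at` and `is_anonymous` (the last one exists only on projects whose auth schema supports anonymous sign-ins; drop it otherwise); the threshold of 20 is a constructed value to tune per project.

```sql
-- Added example (not from the original page): detection queries for the
-- signup-abuse scenario above. Run as the project owner, e.g. from the
-- SQL editor. Column names follow GoTrue's auth.users table; "is_anonymous"
-- is assumed present (recent auth schemas only).

-- 1. Hourly signup volume over the last day, split into confirmed,
--    unconfirmed and anonymous accounts. Rows appearing here after
--    "Disable sign ups" was applied mean the setting did not take effect.
select date_trunc('hour', created_at)                               as hour,
       count(*)                                                     as signups,
       count(*) filter (where email_confirmed_at is not null)       as confirmed,
       count(*) filter (where email_confirmed_at is null
                          and not coalesce(is_anonymous, false))    as unconfirmed,
       count(*) filter (where coalesce(is_anonymous, false))        as anonymous
from auth.users
where created_at > now() - interval '24 hours'
group by 1
having count(*) filter (where email_confirmed_at is null) > 20   -- constructed threshold
order by 1 desc;

-- 2. Stale unconfirmed accounts are billable noise and a sign of automated
--    signups; list the email domains they cluster on.
select split_part(email, '@', 2) as email_domain,
       count(*)                  as unconfirmed_accounts
from auth.users
where email_confirmed_at is null
  and not coalesce(is_anonymous, false)
  and created_at < now() - interval '7 days'
group by 1
order by 2 desc
limit 20;
```

Scheduling the first query (for example with pg_cron) and alerting when it returns any row turns the hardening step into a standing control rather than a one-off check.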

RLS and Views: Write bypass via PostgREST

Using a Postgres VIEW to "hide" sensitive columns and exposing it through PostgREST can change how privileges are evaluated. In PostgreSQL:

  • Ordinary views run with the privileges of the view owner by default (definer semantics). On PG ≥15 you can opt into security_invoker.
  • Row Level Security (RLS) is enforced on base tables. Table owners bypass RLS unless FORCE ROW LEVEL SECURITY is set on the table.
  • Updatable views can receive INSERT/UPDATE/DELETE, which are then applied to the base table. Without WITH CHECK OPTION, writes that do not match the view predicate can still succeed.

Risk pattern observed in the wild:

  • A view with a reduced set of columns is exposed through the Supabase REST API and granted to anon/authenticated.
  • PostgREST allows DML on the updatable view, and the operation is evaluated with the view owner's privileges, effectively bypassing the RLS policies intended for the base table.
  • Result: low-privilege clients can mass-edit rows (e.g. profile bios/avatars) they should not be able to modify.

Illustrative write via view (attempted from a public client):

```bash
curl -X PATCH \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
  -H "Content-Type: application/json" \
  -H "Prefer: return=representation" \
  -d '{"bio":"pwned","avatar_url":"https://i.example/pwn.png"}' \
  "https://<PROJECT_REF>.supabase.co/rest/v1/users_view?id=eq.<victim_user_id>"
```

Hardening checklist for views and RLS:

  • Prefer exposing base tables with explicit least-privilege grants and correct RLS policies.
  • If you must expose a view:
    • Make it non-updatable (e.g. include expressions/joins) or revoke INSERT/UPDATE/DELETE on the view from all untrusted roles.
    • Enforce ALTER VIEW <v> SET (security_invoker = on) so the invoker's privileges are used instead of the owner's.
    • On base tables, use ALTER TABLE <t> FORCE ROW LEVEL SECURITY; so even owners are subject to RLS.
    • If you allow writes through an updatable view, add WITH [LOCAL|CASCADED] CHECK OPTION and matching RLS on the base tables so only permitted rows can be written/modified.
  • In Supabase, avoid giving anon/authenticated any write privileges on views unless you have verified the behaviour end-to-end with tests.
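The checklist above, worked through on one table. This is an added example written for this page, not Supabase's or HackTricks' own code. It assumes PostgreSQL 15 or later (for `security_invoker`), the Supabase roles `anon` and `authenticated`, Supabase's `auth.uid()` helper, and that the view's owner also owns the base table (the usual situation when both are created from the dashboard as `postgres`). The `profiles` table, its columns and the view names are constructed for illustration.

```sql
-- Added example (not from the original page): a profiles table exposed through
-- a view, first in the risky shape described above, then hardened.
-- Assumes PostgreSQL >= 15, Supabase roles "anon"/"authenticated", the
-- Supabase helper auth.uid(), and a view owner that also owns the base table.

-- Base table with RLS: everyone may read, users may only update their own row.
create table public.profiles (
  id          uuid primary key,   -- equals auth.uid() for the owning user
  username    text not null,
  bio         text,
  avatar_url  text,
  email       text not null       -- sensitive: the view exists to hide this
);

alter table public.profiles enable row level security;

create policy profiles_select_all on public.profiles
  for select to anon, authenticated using (true);

create policy profiles_update_own on public.profiles
  for update to authenticated
  using (id = auth.uid()) with check (id = auth.uid());

-- RISKY: an updatable view meant only to hide "email". It runs with the
-- owner's privileges (definer semantics); the owner bypasses RLS on the base
-- table, and the UPDATE grant lets any client holding the anon key PATCH any
-- row through PostgREST (/rest/v1/users_view?id=eq.<id>).
create view public.users_view as
  select id, username, bio, avatar_url from public.profiles;
grant select, update on public.users_view to anon, authenticated;

-- HARDENED 1: evaluate the view with the caller's privileges, so the base
-- table's grants and RLS policies apply to whoever calls PostgREST.
alter view public.users_view set (security_invoker = on);

-- HARDENED 2: least-privilege grants. The invoker now needs privileges on
-- the base table too, but only on the columns the view touches, so "email"
-- stays unreadable even via /rest/v1/profiles.
revoke all on public.users_view from anon, authenticated;
grant select on public.users_view to anon, authenticated;
grant update (bio, avatar_url) on public.users_view to authenticated;

grant select (id, username, bio, avatar_url) on public.profiles to anon, authenticated;
grant update (bio, avatar_url) on public.profiles to authenticated;

-- HARDENED 3: make RLS bind even the table owner, closing the definer-style
-- bypass for anything else owned by that role.
alter table public.profiles force row level security;

-- HARDENED 4: a filtering view that accepts writes gets a CHECK OPTION, so a
-- write that would push a row outside the view's predicate is rejected.
create view public.public_profiles with (security_invoker = on) as
  select id, username, bio, avatar_url
  from public.profiles
  where bio is not null
  with cascaded check option;
grant select on public.public_profiles to anon, authenticated;
grant update (bio, avatar_url) on public.public_profiles to authenticated;
```

After applying this, the PATCH shown earlier with the anon key should fail with a permission error (no UPDATE grant for `anon`), and the same PATCH with an `authenticated` JWT should update zero rows unless the `id` filter matches the caller's own `auth.uid()`.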

Detection tip:

  • From anon and from an authenticated test user, attempt every CRUD operation against each exposed table/view. Any write that succeeds where you expected a denial indicates a misconfiguration.

OpenAPI-driven CRUD probing from anon/auth roles

PostgREST serves an OpenAPI document that you can use to enumerate all REST resources and then automatically probe which operations are allowed from low-privilege roles.

Fetch the OpenAPI (works with the public anon key):

```bash
curl -s https://<PROJECT_REF>.supabase.co/rest/v1/ \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
  -H "Accept: application/openapi+json" | jq '.paths | keys[]'
```

Probe pattern (examples):

  • Read a single row (expect 401/403/200 depending on RLS):

```bash
curl -s "https://<PROJECT_REF>.supabase.co/rest/v1/<table>?select=*&limit=1" \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>"
```

  • Test that UPDATE is blocked (use a non-existent filter to avoid changing data while testing):

```bash
curl -i -X PATCH \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
  -H "Content-Type: application/json" \
  -H "Prefer: return=minimal" \
  -d '{"__probe":true}' \
  "https://<PROJECT_REF>.supabase.co/rest/v1/<table_or_view>?id=eq.00000000-0000-0000-0000-000000000000"
```

  • Test that INSERT is blocked:

```bash
curl -i -X POST \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
  -H "Content-Type: application/json" \
  -H "Prefer: return=minimal" \
  -d '{"__probe":true}' \
  "https://<PROJECT_REF>.supabase.co/rest/v1/<table_or_view>"
```

  • Verify that DELETE is blocked:

```bash
curl -i -X DELETE \
  -H "apikey: <SUPABASE_ANON_KEY>" \
  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
  "https://<PROJECT_REF>.supabase.co/rest/v1/<table_or_view>?id=eq.00000000-0000-0000-0000-000000000000"
```

Recommendations:

  • Automate the probes above for anon and for a minimally authenticated user, and run them in CI to catch regressions.
  • Treat every exposed table/view/function as a first-class surface. Do not assume a view "inherits" the same RLS posture as its base tables.
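The external probes see the result of the configuration; the same questions can be asked from inside the database, which is faster in CI and does not depend on guessing resource names. The queries below are an added example written for this page, not Supabase's or HackTricks' own code. They assume PostgREST exposes the `public` schema and that the Supabase roles `anon` and `authenticated` exist; run them as the project owner (for example from the SQL editor). Each query returning zero rows is the expected state.

```sql
-- Added example (not from the original page): an inside-the-database audit
-- that complements the curl probes above. Assumes the "public" schema is the
-- one exposed by PostgREST and the Supabase roles "anon"/"authenticated".

-- 1. Tables in "public" where anon/authenticated hold write privileges but
--    RLS is disabled: every such write is unrestricted.
select c.relname as table_name,
       g.grantee,
       string_agg(g.privilege_type, ', ' order by g.privilege_type) as privileges
from information_schema.role_table_grants g
join pg_class c     on c.relname = g.table_name
join pg_namespace n on n.oid = c.relnamespace and n.nspname = g.table_schema
where g.table_schema = 'public'
  and c.relkind = 'r'
  and g.grantee in ('anon', 'authenticated')
  and g.privilege_type in ('INSERT', 'UPDATE', 'DELETE')
  and not c.relrowsecurity
group by c.relname, g.grantee
order by c.relname, g.grantee;

-- 2. Views in "public" that low-privilege roles may write to and that still
--    run with the owner's privileges (security_invoker not enabled): the
--    RLS-bypass pattern described above.
select c.relname                   as view_name,
       pg_get_userbyid(c.relowner) as view_owner,
       g.grantee,
       string_agg(g.privilege_type, ', ' order by g.privilege_type) as privileges
from information_schema.role_table_grants g
join pg_class c     on c.relname = g.table_name
join pg_namespace n on n.oid = c.relnamespace and n.nspname = g.table_schema
where g.table_schema = 'public'
  and c.relkind = 'v'
  and g.grantee in ('anon', 'authenticated')
  and g.privilege_type in ('INSERT', 'UPDATE', 'DELETE')
  and not coalesce(
        (select o.option_value::boolean
         from pg_options_to_table(c.reloptions) o
         where o.option_name = 'security_invoker'),
        false)
group by c.relname, c.relowner, g.grantee
order by c.relname, g.grantee;

-- 3. Tables with RLS enabled but no policy at all. Postgres then denies every
--    row, which breaks the app silently rather than leaking; listed so you
--    can confirm it is intentional rather than a half-finished migration.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and c.relrowsecurity
  and not exists (select 1 from pg_policy p where p.polrelid = c.oid)
order by c.relname;
```

Queries 1 and 2 are the ones to fail a CI job on; query 3 is informational. Note that the audit only covers tables and views: functions exposed through `/rest/v1/rpc/` have their own execute grants and are not listed here.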

Passwords & sessions

It is possible to set a minimum password length (a default is applied), password requirements (none by default), and to block the use of leaked passwords.
It is recommended to strengthen the requirements, as the defaults are weak.

  • User Sessions: It is possible to configure how user sessions behave (timeouts, 1 session per user...)
  • Bot and Abuse Protection: It is possible to enable a Captcha.

SMTP Settings

It is possible to configure SMTP for sending emails.

Advanced Settings

  • Set the expiry time for access tokens (3600 by default)
  • Configure detection and revocation of refresh tokens that may have been compromised, with a timeout
  • MFA: Specify how many MFA factors can be enrolled at the same time per user (10 by default)
  • Max Direct Database Connections: Maximum number of connections used for auth (10 by default)
  • Max Request Duration: Maximum time an Auth request is allowed to last (10s by default)

Storage

Tip: Supabase allows storing files and making them reachable via URL (it uses S3 buckets).

  • Set a limit on the size of uploaded files (50MB by default)
  • The S3 connection is exposed at a URL like: https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3
  • It is possible to request S3 access keys, which consist of an access key ID (e.g. a37d96544d82ba90057e0e06131d0a7b) and a secret access key (e.g. 58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628)

Edge Functions

It is also possible to store secrets in supabase that are used by and accessible to edge functions (they can be created and deleted from the web UI, but their values cannot be retrieved directly).
