Supabase Security
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Basic Information
As per their landing page: Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.
Subdomain
Basically when a project is created, the user will receive a supabase.co subdomain like: jnanozjdybtpqgcwhdiz.supabase.co
Database configuration
This data can be accessed from a link like https://supabase.com/dashboard/project/<project-id>/settings/database
This database will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres
(this was crated in us-west-1).
The password is a password the user put previously.
Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to brute force the password.
This section also contains options to:
Reset the database password
Configure connection pooling
Configure SSL: Reject plan-text connections (by default they are enabled)
Configure Disk size
Apply network restrictions and bans
API Configuration
This data can be accessed from a link like https://supabase.com/dashboard/project/<project-id>/settings/api
The URL to access the supabase API in your project is going to be like: https://jnanozjdybtpqgcwhdiz.supabase.co
.
anon api keys
It'll also generate an anon API key (role: "anon"
), like: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
that the application will need to use in order to contact the API key exposed in our example in
It's possible to find the API REST to contact this API in the docs, but the most interesting endpoints would be:
So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to create a new account in the platform using the supabase API.
secret / service_role api keys
A secret API key will also be generated with role: "service_role"
. This API key should be secret because it will be able to bypass Row Level Security.
The API key looks like this: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354
JWT Secret
A JWT Secret will also be generate so the application can create and sign custom JWT tokens.
Authentication
Signups
By default supabase will allow new users to create accounts on your project by using the previously mentioned API endpoints.
However, these new accounts, by default, will need to validate their email address to be able to login into the account. It's possible to enable "Allow anonymous sign-ins" to allow people to login without verifying their email address. This could grant access to unexpected data (they get the roles public
and authenticated
).
This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those:
Passwords & sessions
It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords. It's recommended to improve the requirements as the default ones are weak.
User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...)
Bot and Abuse Protection: It's possible to enable Captcha.
SMTP Settings
It's possible to set an SMTP to send emails.
Advanced Settings
Set expire time to access tokens (3600 by default)
Set to detect and revoke potentially compromised refresh tokens and timeout
MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default)
Max Direct Database Connections: Max number of connections used to auth (10 by default)
Max Request Duration: Maximum time allowed for an Auth request to last (10s by default)
Storage
Supabase allows to store files and make them accesible over a URL (it uses S3 buckets).
Set the upload file size limit (default is 50MB)
The S3 connection is given with a URL like:
https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3
It's possible to request S3 access key that are formed by an
access key ID
(e.g.a37d96544d82ba90057e0e06131d0a7b
) and asecret access key
(e.g.58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628
)
Edge Functions
It's possible to store secrets in supabase also which will be accessible by edge functions (the can be created and deleted from the web, but it's not possible to access their value directly).
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated