supabase-detect

Supabase Detection

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.
  • Write to .sb-pentest-context.json IMMEDIATELY after each discovery
  • Log to .sb-pentest-audit.log BEFORE and AFTER each action
  • DO NOT wait until the skill completes to update files
  • If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill determines whether a web application uses Supabase as its backend.

When to Use This Skill

  • Starting a security audit on an unknown application
  • Verifying Supabase usage before running other audit skills
  • Quickly checking multiple applications for Supabase presence

Prerequisites

  • Target URL must be publicly accessible
  • Internet connection to fetch and analyze the target

Detection Methods

The skill uses multiple detection vectors:

1. Domain Pattern Matching

Searches for Supabase-related domains in:
  • HTML source code
  • JavaScript bundles
  • Network requests (via inline scripts)

Patterns detected:

```
*.supabase.co
*.supabase.com
supabase-cdn.com
```

2. JavaScript Client Detection

Looks for Supabase client library signatures:

```javascript
// Import patterns
import { createClient } from '@supabase/supabase-js'
const { createClient } = require('@supabase/supabase-js')

// Client initialization
supabase.createClient(
createClient('https://

// Environment variable name prefixes used by common frameworks
SUPABASE_URL
NEXT_PUBLIC_SUPABASE
VITE_SUPABASE
REACT_APP_SUPABASE
```

3. API Endpoint Detection

Checks for characteristic Supabase endpoints:

```
/rest/v1/
/auth/v1/
/storage/v1/
/realtime/v1/
/functions/v1/
```

4. Response Header Analysis

Looks for Supabase-specific headers:

```
x-supabase-*
sb-*
```

Usage

Basic Detection

Check if https://myapp.example.com uses Supabase

Detection with Verbose Output

Detect Supabase on https://myapp.example.com with full details

Output Format

Supabase Detected

═══════════════════════════════════════════════════════════
 SUPABASE DETECTED
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ✅ Supabase usage confirmed

 Detection Evidence:
 ├── Domain: abc123def.supabase.co (found in main.js)
 ├── Client: @supabase/supabase-js v2.x detected
 ├── Endpoints: /rest/v1/, /auth/v1/, /storage/v1/
 └── Headers: x-supabase-api-version present

 Project Reference: abc123def
 Project URL: https://abc123def.supabase.co

 Context saved to: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Supabase Not Detected

═══════════════════════════════════════════════════════════
 DETECTION RESULT
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ❌ Supabase not detected

 Scanned:
 ├── HTML source: No Supabase patterns
 ├── JavaScript bundles: 3 files analyzed, no matches
 ├── Network patterns: No Supabase endpoints
 └── Response headers: No Supabase headers

 Note: The app may use a self-hosted Supabase or custom domain.
       Try providing a known Supabase URL manually if you have one.
═══════════════════════════════════════════════════════════

Context Output

When Supabase is detected, the skill saves to .sb-pentest-context.json:

```json
{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "2025-01-31T10:00:00Z",
    "evidence": [
      {
        "type": "domain",
        "value": "abc123def.supabase.co",
        "location": "/static/js/main.js",
        "line": 1247
      },
      {
        "type": "client_library",
        "value": "@supabase/supabase-js",
        "version": "2.x"
      }
    ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}
```

Audit Log Entry

Each detection is logged to .sb-pentest-audit.log:

```
[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com
[2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB
[2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB
[2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co
[2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high
```

Confidence Levels

| Level | Criteria |
|---|---|
| High | Multiple evidence types (domain + client + endpoints) |
| Medium | Single strong evidence (domain or explicit client init) |
| Low | Only indirect evidence (generic patterns, possible false positive) |
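As an added example (not code from the skill itself), the four detection methods above applied to constructed sample inputs and graded with this confidence table; it generalizes the page's single-bundle walkthrough to any number of fetched files. SAMPLE_HTML, SAMPLE_JS, SAMPLE_HEADERS and the split into strong versus indirect signals are assumptions of the example.

```python
import re

# Constructed sample inputs (not a real target): an HTML page, one JS bundle and response headers.
SAMPLE_HTML = '<html><head><script src="/static/js/main.js"></script></head><body></body></html>'
SAMPLE_JS = {"/static/js/main.js": (
    'import{createClient}from"@supabase/supabase-js";'
    'const SUPABASE_URL="https://abc123def.supabase.co";'
    'const sb=createClient(SUPABASE_URL,KEY);'
    'fetch(SUPABASE_URL+"/rest/v1/profiles?select=*");')}
SAMPLE_HEADERS = {"content-type": "text/html", "x-supabase-api-version": "2024-01-01"}

# Signatures from the four detection methods. A strong signal identifies Supabase by itself;
# the indirect ones (bare createClient(), env-var names, /rest/v1/) also appear in other stacks.
STRONG = {
    "domain": re.compile(r"\b([a-z0-9-]+\.supabase\.(?:co|com)|supabase-cdn\.com)\b", re.I),
    "client": re.compile(r"@supabase/supabase-js|supabase\.createClient\("),
}
INDIRECT = {
    "generic_client": re.compile(r"\bcreateClient\("),
    "env_name": re.compile(r"\b(?:NEXT_PUBLIC_|VITE_|REACT_APP_)?SUPABASE_[A-Z_]+"),
    "endpoint": re.compile(r"/(?:rest|auth|storage|realtime|functions)/v1/"),
}
HEADER_RE = re.compile(r"^(?:x-supabase-|sb-)", re.I)


def detect(html, js_files, headers):
    """Collect evidence per source and grade it with the skill's confidence table."""
    evidence = []
    for location, text in [("index.html", html)] + list(js_files.items()):
        for kind, rx in {**STRONG, **INDIRECT}.items():
            evidence += [{"type": kind, "value": m.group(0), "location": location}
                         for m in rx.finditer(text)]
    evidence += [{"type": "header", "value": name, "location": "response-headers"}
                 for name in headers if HEADER_RE.match(name)]
    types = {e["type"] for e in evidence}
    strong = types & (set(STRONG) | {"header"})
    if len(strong) >= 2 or (strong and "endpoint" in types):
        confidence = "high"          # several independent evidence types agree
    elif strong:
        confidence = "medium"        # one strong signal, nothing corroborating it
    elif types:
        confidence = "low"           # only patterns that other stacks also produce
    else:
        confidence = "none"
    refs = sorted({e["value"].split(".")[0] for e in evidence
                   if e["type"] == "domain" and e["value"].lower().endswith(".supabase.co")})
    return {"detected": confidence != "none", "confidence": confidence,
            "project_refs": refs, "evidence": evidence}
```

The project reference is taken from the first label of any `*.supabase.co` host, so a custom API domain yields no reference even when the client library is found.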

Edge Cases

Custom Domains

Some Supabase projects use custom domains (e.g., api.mycompany.com). In this case:

Detect Supabase on https://myapp.com with custom API domain api.mycompany.com

Self-Hosted Supabase

Self-hosted instances won't have .supabase.co domains. Look for:
  • PostgREST patterns (/rest/v1/)
  • GoTrue auth patterns (/auth/v1/)
  • Supabase client library in code

Single Page Applications

For SPAs with lazy-loaded chunks:

Detect Supabase on https://myapp.com including all JS chunks

Common Issues

Problem: Detection returns false negative on SPA
✅ Solution: The app may lazy-load Supabase. Try interacting with the app first to load all chunks, or provide known patterns.

Problem: Multiple Supabase projects detected
✅ Solution: This can happen with multi-tenant setups. The skill will list all found projects.

Problem: Detection is slow
✅ Solution: Large JS bundles take time to analyze. Use --quick mode for faster but less thorough detection:

Quick detect Supabase on https://myapp.com

Next Steps

After detection:
  1. Run supabase-extract-url to confirm and extract the project URL
  2. Run supabase-extract-anon-key to find the API key
  3. Or use supabase-pentest for a full guided audit

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:
  1. Before starting any action → Log the action to .sb-pentest-audit.log
  2. After each discovery → Immediately update .sb-pentest-context.json
  3. After each significant step → Log completion to .sb-pentest-audit.log
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

  1. Create/Update .sb-pentest-context.json with results:

     ```json
     {
       "target_url": "https://myapp.example.com",
       "detection": {
         "detected": true,
         "confidence": "high",
         "timestamp": "...",
         "evidence": [ ... ]
       },
       "supabase": {
         "project_ref": "abc123def",
         "project_url": "https://abc123def.supabase.co"
       }
     }
     ```
  2. Create/Log to .sb-pentest-audit.log:

     ```
     [TIMESTAMP] [supabase-detect] [START] Starting Supabase detection
     [TIMESTAMP] [supabase-detect] [SUCCESS] Supabase detected with high confidence
     [TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json created/updated
     ```
  3. IMPORTANT: As the first skill in the audit chain, this skill is responsible for creating the context files if they don't exist.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
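The write-as-you-go sequence from the "Critical Rule" and "Required Actions" sections, as an added Python example rather than the skill's own implementation. Each audit line is appended the moment it happens, and the context file is rewritten through a temp file plus an atomic rename so an interruption mid-write cannot leave a truncated JSON file; `record_detection` and `demo` are hypothetical helpers, and the throwaway directory and the single evidence item are constructed for the demo.

```python
import json, os, tempfile
from datetime import datetime, timezone

SKILL, CONTEXT, AUDIT = "supabase-detect", ".sb-pentest-context.json", ".sb-pentest-audit.log"

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def log_action(workdir, stage, message):
    """Append one audit line immediately (append-only file), so a later crash cannot lose it."""
    with open(os.path.join(workdir, AUDIT), "a", encoding="utf-8") as f:
        f.write(f"[{_now()}] [{SKILL}] [{stage}] {message}\n")

def update_context(workdir, mutate):
    """Apply mutate(ctx) to the context file; write via temp file + os.replace() so a crash mid-write never leaves a torn file."""
    path = os.path.join(workdir, CONTEXT)
    ctx = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            ctx = json.load(f)
    mutate(ctx)
    with open(path + ".tmp", "w", encoding="utf-8") as f:
        json.dump(ctx, f, indent=2)
    os.replace(path + ".tmp", path)
    return ctx

def record_detection(workdir, target_url, evidence, confidence, project_ref=None):
    """Write-as-you-go: log before acting, persist each discovery as it is made, log after."""
    log_action(workdir, "START", f"Starting Supabase detection target={target_url}")
    update_context(workdir, lambda c: c.update(target_url=target_url, detection={
        "detected": False, "confidence": "none", "timestamp": _now(), "evidence": []}))
    for item in evidence:  # each discovery reaches disk before the next one is searched for
        update_context(workdir, lambda c: c["detection"]["evidence"].append(item))
        log_action(workdir, "PATTERN_MATCH", f"type={item['type']} value={item['value']}")
    ctx = update_context(workdir, lambda c: c["detection"].update(detected=bool(evidence), confidence=confidence))
    if project_ref:
        ctx = update_context(workdir, lambda c: c.update(supabase={
            "project_ref": project_ref, "project_url": f"https://{project_ref}.supabase.co"}))
    log_action(workdir, "SUCCESS" if evidence else "INFO", f"Detection finished confidence={confidence}")
    log_action(workdir, "CONTEXT_UPDATED", f"{CONTEXT} created/updated")
    return ctx

def demo():
    """Run the sequence in a throwaway directory on one constructed evidence item."""
    workdir = tempfile.mkdtemp()
    ev = [{"type": "domain", "value": "abc123def.supabase.co", "location": "/static/js/main.js"}]
    ctx = record_detection(workdir, "https://myapp.example.com", ev, "medium", "abc123def")
    with open(os.path.join(workdir, AUDIT), encoding="utf-8") as f:
        return ctx, f.read().splitlines()
```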

MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/01-detection/

Evidence Files to Create

| File | Content |
|---|---|
| initial-scan.json | Raw detection results with all evidence |
| supabase-endpoints.txt | List of discovered Supabase endpoints |
| client-code-snippets/ | Directory with relevant code excerpts |

Evidence Format

```json
{
  "evidence_id": "DET-001",
  "timestamp": "2025-01-31T10:00:00Z",
  "category": "detection",
  "target_url": "https://myapp.example.com",

  "detection_results": {
    "supabase_detected": true,
    "confidence": "high",
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },

  "evidence": [
    {
      "type": "domain_pattern",
      "value": "abc123def.supabase.co",
      "location": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    },
    {
      "type": "client_library",
      "value": "@supabase/supabase-js",
      "version": "2.x"
    }
  ],

  "curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'"
}
```

Add to curl-commands.sh

```bash
# === DETECTION ===
# Check Supabase API availability
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100
```

Add to timeline.md

```markdown
## [TIMESTAMP] - Detection Phase Complete
- Supabase detected with [confidence] confidence
- Project: [project_ref]
- Evidence: 01-detection/initial-scan.json
```

Related Skills

  • supabase-extract-url — Extract project URL from code
  • supabase-extract-anon-key — Find anon key
  • supabase-pentest — Full orchestrated audit