Back to Details

supabase-evidence

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Evidence Collection Management

证据收集管理

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write evidence files AS YOU GO, not just at the end.
  • Save each piece of evidence IMMEDIATELY after collection
  • DO NOT wait until the skill completes to save evidence
  • If the audit crashes or is interrupted, all prior evidence must already be saved
This is not optional. Failure to save evidence progressively is a critical error.
This skill initializes and manages the evidence collection system for professional security audits.
🔴 重要提示:需逐步更新文件
你必须随时编写证据文件,而不是等到最后才统一处理。
  • 收集到每一份证据后立即保存
  • 切勿等到技能执行完成后再保存证据
  • 若审计过程崩溃或中断,所有已收集的证据必须已提前保存
此要求为强制性规定。未逐步保存证据属于严重错误。
本技能为专业安全审计初始化并管理证据收集系统。

When to Use This Skill

何时使用此技能

  • Automatically invoked at the start of 
    supabase-pentest
  • When you need to organize evidence for a professional report
  • When conducting audits that require documented proof
  • For compliance and legal purposes
  • supabase-pentest
    启动时自动调用
  • 当你需要为专业报告整理审计证据时
  • 进行需要记录证明材料的审计工作时
  • 出于合规性及法律相关目的时

Why Evidence Collection Matters

证据收集的重要性

Professional security audits require:
RequirementPurpose
ReproducibilityOthers can verify findings
Legal proofDocumentation for legal/compliance
Remediation verificationProve issues existed before fix
Audit trailComplete record of what was tested
专业安全审计需满足以下要求:
要求目的
可复现性他人可验证审计发现
法律证明用于合规性或法律事务的文档记录
修复验证证明问题在修复前确实存在
审计追踪完整记录所有测试内容

Evidence Directory Structure

证据目录结构

The skill creates 
.sb-pentest-evidence/
with this structure:
.sb-pentest-evidence/
├── README.md                    # Evidence index and summary
├── curl-commands.sh             # All curl commands used (reproducible)
├── timeline.md                  # Chronological evidence timeline
├── 01-detection/
│   ├── initial-scan.json        # Raw detection results
│   ├── supabase-endpoints.txt   # Discovered endpoints
│   └── client-code-snippets/    # Relevant code excerpts
│       └── supabase-init.js
├── 02-extraction/
│   ├── extracted-url.json       # URL extraction proof
│   ├── extracted-anon-key.json  # Anon key with decoded JWT
│   ├── extracted-jwts.json      # All JWTs found
│   ├── service-key-exposure/    # If service key found (P0)
│   │   ├── location.txt
│   │   └── decoded-payload.json
│   └── db-string-exposure/      # If DB string found (P0)
│       └── connection-details.json
├── 03-api-audit/
│   ├── openapi-schema.json      # Raw OpenAPI/PostgREST schema
│   ├── tables/
│   │   ├── tables-list.json     # All exposed tables
│   │   └── tables-metadata.json # Column details per table
│   ├── data-samples/            # Sample data retrieved (redacted)
│   │   ├── users-sample.json
│   │   ├── orders-sample.json
│   │   └── ...
│   ├── rls-tests/               # RLS policy test results
│   │   ├── users-anon.json      # Anon access attempt
│   │   ├── users-auth.json      # Authenticated access
│   │   └── cross-user-test.json # Cross-user access attempt
│   └── rpc-tests/               # RPC function test results
│       ├── function-list.json
│       └── vulnerable-functions/
│           └── get-all-users.json
├── 04-storage-audit/
│   ├── buckets-config.json      # Bucket configurations
│   ├── buckets/
│   │   ├── avatars/
│   │   │   └── file-list.json
│   │   ├── backups/             # If sensitive (P0)
│   │   │   ├── file-list.json
│   │   │   └── sample-contents/ # Redacted samples
│   │   └── ...
│   └── public-url-tests/        # Direct URL access tests
│       └── backup-access.json
├── 05-auth-audit/
│   ├── auth-settings.json       # Auth configuration
│   ├── signup-tests/
│   │   ├── open-signup.json     # Signup availability
│   │   ├── weak-password.json   # Weak password test
│   │   └── rate-limit.json      # Rate limiting test
│   └── enumeration-tests/
│       ├── login-timing.json    # Timing attack data
│       ├── recovery-timing.json
│       └── otp-enumeration.json
├── 06-realtime-audit/
│   ├── websocket-connection.json
│   ├── postgres-changes/        # Table subscription tests
│   │   └── users-streaming.json
│   ├── broadcast-channels/      # Channel access tests
│   │   └── admin-channel.json
│   └── presence-data/
│       └── exposed-users.json
├── 07-functions-audit/
│   ├── discovered-functions.json
│   └── function-tests/
│       ├── hello-world.json
│       ├── get-user-data-idor.json
│       └── admin-panel-escalation.json
└── screenshots/                 # Optional: browser screenshots
    └── ...
本技能会创建
.sb-pentest-evidence/
目录,结构如下:
.sb-pentest-evidence/
├── README.md                    # Evidence index and summary
├── curl-commands.sh             # All curl commands used (reproducible)
├── timeline.md                  # Chronological evidence timeline
├── 01-detection/
│   ├── initial-scan.json        # Raw detection results
│   ├── supabase-endpoints.txt   # Discovered endpoints
│   └── client-code-snippets/    # Relevant code excerpts
│       └── supabase-init.js
├── 02-extraction/
│   ├── extracted-url.json       # URL extraction proof
│   ├── extracted-anon-key.json  # Anon key with decoded JWT
│   ├── extracted-jwts.json      # All JWTs found
│   ├── service-key-exposure/    # If service key found (P0)
│   │   ├── location.txt
│   │   └── decoded-payload.json
│   └── db-string-exposure/      # If DB string found (P0)
│       └── connection-details.json
├── 03-api-audit/
│   ├── openapi-schema.json      # Raw OpenAPI/PostgREST schema
│   ├── tables/
│   │   ├── tables-list.json     # All exposed tables
│   │   └── tables-metadata.json # Column details per table
│   ├── data-samples/            # Sample data retrieved (redacted)
│   │   ├── users-sample.json
│   │   ├── orders-sample.json
│   │   └── ...
│   ├── rls-tests/               # RLS policy test results
│   │   ├── users-anon.json      # Anon access attempt
│   │   ├── users-auth.json      # Authenticated access
│   │   └── cross-user-test.json # Cross-user access attempt
│   └── rpc-tests/               # RPC function test results
│       ├── function-list.json
│       └── vulnerable-functions/
│           └── get-all-users.json
├── 04-storage-audit/
│   ├── buckets-config.json      # Bucket configurations
│   ├── buckets/
│   │   ├── avatars/
│   │   │   └── file-list.json
│   │   ├── backups/             # If sensitive (P0)
│   │   │   ├── file-list.json
│   │   │   └── sample-contents/ # Redacted samples
│   │   └── ...
│   └── public-url-tests/        # Direct URL access tests
│       └── backup-access.json
├── 05-auth-audit/
│   ├── auth-settings.json       # Auth configuration
│   ├── signup-tests/
│   │   ├── open-signup.json     # Signup availability
│   │   ├── weak-password.json   # Weak password test
│   │   └── rate-limit.json      # Rate limiting test
│   └── enumeration-tests/
│       ├── login-timing.json    # Timing attack data
│       ├── recovery-timing.json
│       └── otp-enumeration.json
├── 06-realtime-audit/
│   ├── websocket-connection.json
│   ├── postgres-changes/        # Table subscription tests
│   │   └── users-streaming.json
│   ├── broadcast-channels/      # Channel access tests
│   │   └── admin-channel.json
│   └── presence-data/
│       └── exposed-users.json
├── 07-functions-audit/
│   ├── discovered-functions.json
│   └── function-tests/
│       ├── hello-world.json
│       ├── get-user-data-idor.json
│       └── admin-panel-escalation.json
└── screenshots/                 # Optional: browser screenshots
    └── ...

Usage

使用方法

Initialize Evidence Directory

初始化证据目录

Initialize evidence collection for audit
Initialize evidence collection for audit

Manual Evidence Save

手动保存证据

Save evidence: [description] to [category]
Save evidence: [description] to [category]

Evidence File Format

证据文件格式

Each evidence file follows this structure:
json
{
  "evidence_id": "API-001",
  "timestamp": "2025-01-31T10:30:00Z",
  "category": "api-audit",
  "type": "data-sample",
  "finding_id": "P0-001",
  "description": "Users table data accessible without authentication",

  "request": {
    "method": "GET",
    "url": "https://abc123.supabase.co/rest/v1/users?select=*&limit=5",
    "headers": {
      "apikey": "[REDACTED - anon key]",
      "Authorization": "Bearer [REDACTED - anon key]"
    },
    "curl_command": "curl -X GET 'https://abc123.supabase.co/rest/v1/users?select=*&limit=5' -H 'apikey: eyJ...' -H 'Authorization: Bearer eyJ...'"
  },

  "response": {
    "status": 200,
    "headers": {
      "content-type": "application/json",
      "x-total-count": "1247"
    },
    "body": [
      {
        "id": "550e8400-e29b-41d4-a716-446655440001",
        "email": "[REDACTED]@example.com",
        "name": "[REDACTED]",
        "created_at": "2025-01-15T10:30:00Z"
      }
    ],
    "body_redacted": true,
    "total_rows_indicated": 1247
  },

  "analysis": {
    "severity": "P0",
    "impact": "All user PII accessible without authentication",
    "affected_data": ["email", "name", "id"],
    "row_count": 1247
  }
}
每个证据文件遵循以下结构:
json
{
  "evidence_id": "API-001",
  "timestamp": "2025-01-31T10:30:00Z",
  "category": "api-audit",
  "type": "data-sample",
  "finding_id": "P0-001",
  "description": "Users table data accessible without authentication",

  "request": {
    "method": "GET",
    "url": "https://abc123.supabase.co/rest/v1/users?select=*&limit=5",
    "headers": {
      "apikey": "[REDACTED - anon key]",
      "Authorization": "Bearer [REDACTED - anon key]"
    },
    "curl_command": "curl -X GET 'https://abc123.supabase.co/rest/v1/users?select=*&limit=5' -H 'apikey: eyJ...' -H 'Authorization: Bearer eyJ...'"
  },

  "response": {
    "status": 200,
    "headers": {
      "content-type": "application/json",
      "x-total-count": "1247"
    },
    "body": [
      {
        "id": "550e8400-e29b-41d4-a716-446655440001",
        "email": "[REDACTED]@example.com",
        "name": "[REDACTED]",
        "created_at": "2025-01-15T10:30:00Z"
      }
    ],
    "body_redacted": true,
    "total_rows_indicated": 1247
  },

  "analysis": {
    "severity": "P0",
    "impact": "All user PII accessible without authentication",
    "affected_data": ["email", "name", "id"],
    "row_count": 1247
  }
}

Curl Commands File

Curl命令文件

All curl commands are collected in 
curl-commands.sh
:
bash
#!/bin/bash
所有curl命令会被收集到
curl-commands.sh
中:
bash
#!/bin/bash

Supabase Security Audit - Reproducible Commands

Supabase Security Audit - Reproducible Commands

Target: https://myapp.example.com

Target: https://myapp.example.com

Project: abc123def.supabase.co

Project: abc123def.supabase.co

Date: 2025-01-31

Date: 2025-01-31

IMPORTANT: Replace [ANON_KEY] with actual key before running

IMPORTANT: Replace [ANON_KEY] with actual key before running

WARNING: These commands may modify data - use with caution

WARNING: These commands may modify data - use with caution

SUPABASE_URL="https://abc123def.supabase.co" ANON_KEY="eyJ..."
SUPABASE_URL="https://abc123def.supabase.co" ANON_KEY="eyJ..."

=== DETECTION ===

=== DETECTION ===

Check if Supabase is used

Check if Supabase is used

curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

=== TABLE LISTING ===

=== TABLE LISTING ===

Get OpenAPI schema (list all tables)

Get OpenAPI schema (list all tables)

curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY"
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY"

=== DATA ACCESS TESTS ===

=== DATA ACCESS TESTS ===

Test: Users table (P0 - should be blocked)

Test: Users table (P0 - should be blocked)

curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5"
-H "apikey: $ANON_KEY"
-H "Authorization: Bearer $ANON_KEY"
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5"
-H "apikey: $ANON_KEY"
-H "Authorization: Bearer $ANON_KEY"

Test: Orders table (should be blocked by RLS)

Test: Orders table (should be blocked by RLS)

curl -s "$SUPABASE_URL/rest/v1/orders?select=*&limit=5"
-H "apikey: $ANON_KEY"
-H "Authorization: Bearer $ANON_KEY"
curl -s "$SUPABASE_URL/rest/v1/orders?select=*&limit=5"
-H "apikey: $ANON_KEY"
-H "Authorization: Bearer $ANON_KEY"

=== RLS BYPASS TESTS ===

=== RLS BYPASS TESTS ===

... additional commands ...

... additional commands ...

undefined
undefined

Timeline File

时间线文件

The 
timeline.md
provides chronological evidence:
markdown
undefined
timeline.md
提供按时间顺序排列的证据记录:
markdown
undefined

Audit Timeline

Audit Timeline

2025-01-31 10:00:00 - Audit Started

2025-01-31 10:00:00 - Audit Started

2025-01-31 10:05:00 - Detection Phase

2025-01-31 10:05:00 - Detection Phase

2025-01-31 10:10:00 - P0 CRITICAL: Service Key Exposed

2025-01-31 10:10:00 - P0 CRITICAL: Service Key Exposed

  • Service role key found in client code
  • Location: /static/js/admin.chunk.js:89
  • Evidence: 
    02-extraction/service-key-exposure/
  • Service role key found in client code
  • Location: /static/js/admin.chunk.js:89
  • Evidence: 
    02-extraction/service-key-exposure/

2025-01-31 10:15:00 - API Audit Started

2025-01-31 10:15:00 - API Audit Started

  • 8 tables discovered
  • Evidence: 
    03-api-audit/tables/tables-list.json
  • 8 tables discovered
  • Evidence: 
    03-api-audit/tables/tables-list.json

2025-01-31 10:20:00 - P0 CRITICAL: Users Table Exposed

2025-01-31 10:20:00 - P0 CRITICAL: Users Table Exposed

  • All 1,247 user records accessible
  • PII exposed: email, name
  • Evidence: 
    03-api-audit/data-samples/users-sample.json
...
undefined
  • All 1,247 user records accessible
  • PII exposed: email, name
  • Evidence: 
    03-api-audit/data-samples/users-sample.json
...
undefined

Context Output

上下文输出

Updates 
.sb-pentest-context.json
:
json
{
  "evidence": {
    "directory": ".sb-pentest-evidence",
    "initialized_at": "2025-01-31T10:00:00Z",
    "files_count": 45,
    "categories": {
      "detection": 3,
      "extraction": 5,
      "api-audit": 15,
      "storage-audit": 8,
      "auth-audit": 7,
      "realtime-audit": 4,
      "functions-audit": 3
    },
    "critical_evidence": [
      "02-extraction/service-key-exposure/",
      "03-api-audit/data-samples/users-sample.json",
      "04-storage-audit/buckets/backups/"
    ]
  }
}
更新
.sb-pentest-context.json
文件:
json
{
  "evidence": {
    "directory": ".sb-pentest-evidence",
    "initialized_at": "2025-01-31T10:00:00Z",
    "files_count": 45,
    "categories": {
      "detection": 3,
      "extraction": 5,
      "api-audit": 15,
      "storage-audit": 8,
      "auth-audit": 7,
      "realtime-audit": 4,
      "functions-audit": 3
    },
    "critical_evidence": [
      "02-extraction/service-key-exposure/",
      "03-api-audit/data-samples/users-sample.json",
      "04-storage-audit/buckets/backups/"
    ]
  }
}

Evidence Collection Rules

证据收集规则

What to Collect

需要收集的内容

CategoryEvidence TypeExample
AlwaysRaw API responsesJSON responses
AlwaysCurl commandsReproducible commands
AlwaysTimestampsWhen each test occurred
P0/P1Data samples (redacted)Sample rows with PII masked
P0Full request/responseComplete HTTP exchange
OptionalScreenshotsBrowser evidence
类别证据类型示例
必须收集原始API响应JSON响应内容
必须收集Curl命令可复现的命令
必须收集时间戳每次测试的执行时间
P0/P1级别问题脱敏后的样本数据已屏蔽个人敏感信息的样本行
P0级别问题完整请求/响应完整的HTTP交互内容
可选收集截图浏览器端证据

Redaction Rules

脱敏规则

Sensitive data MUST be redacted in evidence files:
json
{
  "original": "john.doe@example.com",
  "redacted": "[REDACTED]@example.com"
}

{
  "original": "John Doe",
  "redacted": "[REDACTED]"
}

{
  "original": "sk_live_xxxxxxxxxxxxxxxxxxxx",
  "redacted": "sk_live_[REDACTED]"
}
NEVER store in evidence:
  • Actual passwords
  • Full credit card numbers
  • Full API keys (show first/last 4 chars only)
  • Full personal data (partial redaction required)
证据文件中的敏感数据必须进行脱敏处理:
json
{
  "original": "john.doe@example.com",
  "redacted": "[REDACTED]@example.com"
}

{
  "original": "John Doe",
  "redacted": "[REDACTED]"
}

{
  "original": "sk_live_xxxxxxxxxxxxxxxxxxxx",
  "redacted": "sk_live_[REDACTED]"
}
严禁在证据中存储以下内容:
  • 真实密码
  • 完整信用卡号
  • 完整API密钥(仅保留首尾4位字符)
  • 完整个人数据(必须进行部分脱敏)

Naming Conventions

命名规范

[category]-[test-name]-[timestamp].json
Examples:
  • users-anon-access-20250131-103000.json
  • admin-function-no-auth-20250131-143000.json
[category]-[test-name]-[timestamp].json
示例:
  • users-anon-access-20250131-103000.json
  • admin-function-no-auth-20250131-143000.json

MANDATORY: Evidence File Updates

强制性要求:证据文件更新

⚠️ Evidence MUST be saved PROGRESSIVELY during execution.
⚠️ 必须在执行过程中逐步保存证据

Critical Rule: Save As You Go

核心规则:随时保存

DO NOT batch all evidence at the end. Instead:
  1. Before each test → Create evidence file placeholder
  2. After each request → Save request details immediately
  3. After each response → Save response immediately
  4. After analysis → Add analysis to evidence file
切勿在最后批量保存所有证据。正确流程为:
  1. 每次测试前 → 创建证据文件占位符
  2. 每次请求后 → 立即保存请求详情
  3. 每次响应后 → 立即保存响应内容
  4. 分析完成后 → 将分析结果添加至证据文件

Directory Initialization

目录初始化

At audit start, create:
bash
mkdir -p .sb-pentest-evidence/{01-detection,02-extraction,03-api-audit/tables,03-api-audit/data-samples,03-api-audit/rls-tests,03-api-audit/rpc-tests,04-storage-audit/buckets,04-storage-audit/public-url-tests,05-auth-audit/signup-tests,05-auth-audit/enumeration-tests,06-realtime-audit/postgres-changes,06-realtime-audit/broadcast-channels,07-functions-audit/function-tests,screenshots}
审计启动时,执行以下命令创建目录:
bash
mkdir -p .sb-pentest-evidence/{01-detection,02-extraction,03-api-audit/tables,03-api-audit/data-samples,03-api-audit/rls-tests,03-api-audit/rpc-tests,04-storage-audit/buckets,04-storage-audit/public-url-tests,05-auth-audit/signup-tests,05-auth-audit/enumeration-tests,06-realtime-audit/postgres-changes,06-realtime-audit/broadcast-channels,07-functions-audit/function-tests,screenshots}

Log to Audit Log

记录至审计日志

[TIMESTAMP] [supabase-evidence] [START] Initializing evidence directory
[TIMESTAMP] [supabase-evidence] [CREATED] .sb-pentest-evidence/
[TIMESTAMP] [supabase-evidence] [CONTEXT_UPDATED] Evidence tracking initialized
[TIMESTAMP] [supabase-evidence] [START] Initializing evidence directory
[TIMESTAMP] [supabase-evidence] [CREATED] .sb-pentest-evidence/
[TIMESTAMP] [supabase-evidence] [CONTEXT_UPDATED] Evidence tracking initialized

Integration with Other Skills

与其他技能的集成

This skill is automatically invoked by 
supabase-pentest
. Each audit skill should:
  1. Save evidence to the appropriate subdirectory
  2. Use consistent naming conventions
  3. Add entries to 
    curl-commands.sh
  4. Update 
    timeline.md
    for significant findings
本技能会被
supabase-pentest
自动调用。所有审计技能需遵循以下要求:
  1. 将证据保存至对应子目录
  2. 使用统一的命名规范
  3. 将命令添加至
    curl-commands.sh
  4. timeline.md
    中记录重要发现

Related Skills

相关技能

  • supabase-pentest
    — Orchestrator that initializes evidence collection
  • supabase-report
    — Uses evidence for comprehensive reporting
  • All audit skills — Contribute evidence to their respective directories
  • supabase-pentest
    — 初始化证据收集的编排器
  • supabase-report
    — 利用证据生成全面审计报告
  • 所有审计技能 — 向对应目录提交证据