Forem: Victor Yrazusta Ibarra The latest articles on Forem by Victor Yrazusta Ibarra (@victor_yrazusta). https://forem.com/victor_yrazusta https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3652549%2Feac1c43b-1e7a-4698-a42e-14605292b8b4.png Forem: Victor Yrazusta Ibarra https://forem.com/victor_yrazusta en Introducing Firebomb: Open Source Firebase Penetration Testing Victor Yrazusta Ibarra Sat, 10 Jan 2026 15:45:50 +0000 https://forem.com/victor_yrazusta/introducing-firebomb-open-source-firebase-penetration-testing-2ddn https://forem.com/victor_yrazusta/introducing-firebomb-open-source-firebase-penetration-testing-2ddn <p>We're releasing <strong>Firebomb</strong>, our open source penetration testing tool for Firebase applications. It's the same tool powering our <a href="https://modernpentest.com/firebase-pentesting" rel="noopener noreferrer">automated Firebase security scanning</a> at ModernPentest.</p> <h2> The Firebase Security Problem </h2> <p>Firebase makes it incredibly easy to build applications. Point your client SDK at Google's infrastructure, write some security rules, and you have a scalable backend in minutes.</p> <p>But that ease of development has created an epidemic of insecure applications:</p> <ul> <li><strong>916 Firebase websites exposed 125 million user records in 2024</strong></li> <li><strong>31% of Firebase apps have exploitable security rules</strong></li> <li>Most developers deploy with test mode rules and never update them</li> </ul> <p>Generic security scanners don't understand Firebase's unique architecture—Firestore rules, RTDB permissions, Cloud Storage ACLs, the relationship between client SDKs and security rules. They miss the vulnerabilities that actually matter.</p> <p>Firebomb changes that.</p> <h2> What Firebomb Does </h2> <p>Firebomb is a comprehensive security testing framework specifically for Firebase. It automates the complete penetration testing workflow:</p> <h3> 1. Configuration Discovery </h3> <p>Firebomb automatically extracts Firebase credentials from web applications—no manual copying needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Discover from a live application</span> uv run firebomb discover <span class="nt">--url</span> https://target-app.com <span class="c"># Deep recursive crawl (follows all JS files)</span> uv run firebomb discover <span class="nt">--url</span> https://target-app.com <span class="nt">--recursive</span> <span class="c"># Validate discovered configs against Firebase APIs</span> uv run firebomb discover <span class="nt">--url</span> https://target-app.com <span class="nt">--recursive</span> <span class="nt">--validate</span> <span class="c"># Parse from local files</span> uv run firebomb discover <span class="nt">--file</span> bundle.js uv run firebomb discover <span class="nt">--har</span> traffic.har </code></pre> </div> <p>It finds credentials hidden in:</p> <ul> <li>Inline JavaScript and HTML</li> <li>Bundled and minified scripts (webpack, Vite, esbuild)</li> <li>Code-split chunks and lazy-loaded modules</li> <li>Next.js/React/Vue/Angular build artifacts</li> <li>Source maps (extracts original source code)</li> <li>Environment variables (<code>NEXT_PUBLIC_FIREBASE_*</code>, <code>VITE_FIREBASE_*</code>, etc.)</li> </ul> <h3> 2. Proactive Discovery (No Credentials Needed) </h3> <p>Firebomb can discover Firebase projects without extracting credentials first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Probe by project ID</span> uv run firebomb probe <span class="nt">--project-id</span> suspected-project <span class="c"># Generate and probe from company name</span> uv run firebomb probe <span class="nt">--name</span> <span class="s2">"Acme Corp"</span> <span class="c"># Discover from domain</span> uv run firebomb probe <span class="nt">--domain</span> acme.com </code></pre> </div> <p>This uses DNS enumeration and direct API probing to find Firebase projects and check for misconfigurations—useful when you suspect Firebase usage but can't find the config.</p> <h3> 3. Resource Enumeration </h3> <p>Once configured, Firebomb discovers all accessible Firebase resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run firebomb enum <span class="nt">--output</span> enumeration.json </code></pre> </div> <p>This reveals:</p> <ul> <li> <strong>Firestore</strong>: Collections, document counts, accessible fields</li> <li> <strong>Realtime Database</strong>: Paths, data structure, accessible nodes</li> <li> <strong>Cloud Storage</strong>: Buckets, file listings, ACL configurations</li> <li> <strong>Cloud Functions</strong>: Endpoints, authentication requirements</li> <li> <strong>Authentication</strong>: Enabled providers, configuration settings</li> </ul> <h3> 4. Security Testing </h3> <p>The core of Firebomb—automated vulnerability testing across all Firebase services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run firebomb <span class="nb">test</span> <span class="nt">--output</span> findings.json </code></pre> </div> <p><strong>Firestore Testing:</strong></p> <ul> <li>Public read/write access detection</li> <li>Missing authentication checks</li> <li>Cross-user data access vulnerabilities</li> <li>Document-level permission gaps</li> </ul> <p><strong>Realtime Database Testing:</strong></p> <ul> <li>Public path vulnerabilities</li> <li>Wildcard permission issues</li> <li>Root-level database exposure</li> <li>Path traversal risks</li> </ul> <p><strong>Cloud Storage Testing:</strong></p> <ul> <li>Publicly readable/writable buckets</li> <li>ACL misconfigurations</li> <li>Unauthorized file operations</li> </ul> <p><strong>Cloud Functions Testing:</strong></p> <ul> <li>Unauthenticated function access</li> <li>CORS misconfigurations</li> <li>Missing input validation</li> </ul> <p><strong>Authentication Testing:</strong></p> <ul> <li>Anonymous authentication enabled</li> <li>Email verification requirements</li> <li>Password policy strength</li> </ul> <p><strong>Sample Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ Security Testing Results │ ├─────────────────────────────────────────────────────────────────┤ │ Firestore: users │ │ ✗ Collection publicly readable without authentication │ │ Documents exposed: 1,847 │ │ Severity: CRITICAL │ ├─────────────────────────────────────────────────────────────────┤ │ Firestore: posts │ │ ✓ Proper authentication required │ │ ✓ User-scoped access enforced │ ├─────────────────────────────────────────────────────────────────┤ │ Cloud Storage: user-uploads │ │ ✗ Bucket publicly writable │ │ Risk: Arbitrary file upload/malware hosting │ │ Severity: CRITICAL │ ├─────────────────────────────────────────────────────────────────┤ │ Authentication │ │ ⚠ Anonymous authentication enabled │ │ Risk: Unlimited account creation, resource abuse │ │ Severity: MEDIUM │ └─────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> 5. Authenticated Testing </h3> <p>Test how permissions differ between anonymous and authenticated users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Auto-generate email with verification (recommended)</span> uv run firebomb signup <span class="nt">--verify-email</span> <span class="c"># Or use manual email/password</span> uv run firebomb signup <span class="nt">--email</span> tester@example.com <span class="nt">--password</span> SecurePass123! <span class="c"># Run tests with authentication</span> uv run firebomb <span class="nb">test</span> <span class="nt">--auth</span> uv run firebomb enum <span class="nt">--auth</span> </code></pre> </div> <p>This reveals privilege escalation vulnerabilities—resources that should require authentication but don't, or resources accessible to any authenticated user instead of just the owner.</p> <h3> 6. Data Extraction </h3> <p>Query specific collections or paths:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Query specific Firestore collection</span> uv run firebomb query <span class="nt">--collection</span> <span class="nb">users</span> <span class="nt">--output</span> users.json <span class="c"># Query RTDB path</span> uv run firebomb query <span class="nt">--path</span> /messages <span class="nt">--output</span> messages.json <span class="c"># Export with limits</span> uv run firebomb query <span class="nt">--collection</span> orders <span class="nt">--limit</span> 100 <span class="nt">--output</span> sample.json </code></pre> </div> <h3> 7. Bulk Data Dump </h3> <p>Export all accessible data for evidence collection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dump all accessible Firebase data</span> uv run firebomb dump <span class="nt">--output</span> evidence.json <span class="c"># Dump with authentication</span> uv run firebomb dump <span class="nt">--auth</span> <span class="nt">--output</span> auth-evidence.json <span class="c"># Dump specific collections only</span> uv run firebomb dump <span class="nt">--firestore-only</span> <span class="nt">--collections</span> <span class="nb">users</span>,orders <span class="nt">--output</span> data.json <span class="c"># Limit documents per collection</span> uv run firebomb dump <span class="nt">--limit</span> 500 <span class="nt">--output</span> sample.json </code></pre> </div> <p>The dump command fetches actual document contents from Firestore, full data trees from RTDB, and file listings from Cloud Storage.</p> <h3> 8. Professional Reports </h3> <p>Generate stakeholder-ready security assessments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># HTML report for executives</span> uv run firebomb report <span class="nt">--format</span> html <span class="nt">--output</span> assessment.html <span class="c"># JSON report for developers</span> uv run firebomb report <span class="nt">--format</span> json <span class="nt">--output</span> findings.json </code></pre> </div> <p>Reports include:</p> <ul> <li>Executive summary with risk assessment</li> <li>Detailed findings with severity classification</li> <li>CWE and OWASP mapping</li> <li>Remediation guidance with code examples</li> <li>Evidence and proof of concept</li> </ul> <h2> Key Features </h2> <h3> Smart Credential &amp; Session Management </h3> <p>Firebomb caches discovered configurations and authentication sessions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Discover and cache (default behavior)</span> uv run firebomb discover <span class="nt">--url</span> https://app.com <span class="c"># Later: credentials auto-loaded</span> uv run firebomb enum uv run firebomb <span class="nb">test</span> <span class="c"># View cached configurations</span> uv run firebomb cached <span class="c"># View cached sessions</span> uv run firebomb cached <span class="nt">--sessions</span> <span class="c"># Remove specific project</span> uv run firebomb cached <span class="nt">--remove</span> my-project <span class="c"># Clear all cached data</span> uv run firebomb cached <span class="nt">--clear</span> </code></pre> </div> <h3> Comprehensive Service Coverage </h3> <p>Unlike generic scanners, Firebomb understands all Firebase services:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>What Firebomb Tests</th> </tr> </thead> <tbody> <tr> <td>Firestore</td> <td>Rules, collection access, cross-user data leakage</td> </tr> <tr> <td>RTDB</td> <td>Permissions, path traversal, wildcard rules</td> </tr> <tr> <td>Storage</td> <td>Bucket ACLs, file type restrictions, public access</td> </tr> <tr> <td>Functions</td> <td>Authentication, CORS, input validation</td> </tr> <tr> <td>Auth</td> <td>Provider config, anonymous auth, MFA settings</td> </tr> <tr> <td>Discovery</td> <td>DNS probing, API probing, framework detection</td> </tr> </tbody> </table></div> <h3> Severity Classification </h3> <p>Findings are categorized by actual risk:</p> <ul> <li> <strong>CRITICAL</strong>: Complete data exposure, write access to all data</li> <li> <strong>HIGH</strong>: Significant data leakage, unauthorized access</li> <li> <strong>MEDIUM</strong>: Configuration weaknesses, potential abuse vectors</li> <li> <strong>LOW</strong>: Best practice violations, minor issues</li> <li> <strong>INFO</strong>: Documentation, recommendations</li> </ul> <h3> Remediation Guidance </h3> <p>Every finding includes specific fix instructions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ Finding: Firestore collection 'users' publicly readable │ ├─────────────────────────────────────────────────────────────────┤ │ Severity: CRITICAL │ │ CWE: CWE-284 (Improper Access Control) │ │ OWASP: A01:2021 - Broken Access Control │ ├─────────────────────────────────────────────────────────────────┤ │ Current Rules: │ │ match /users/{userId} { │ │ allow read: if true; │ │ } │ ├─────────────────────────────────────────────────────────────────┤ │ Recommended Fix: │ │ match /users/{userId} { │ │ allow read: if request.auth != null │ │ &amp;&amp; request.auth.uid == userId; │ │ } │ └─────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Advanced Capabilities </h2> <h3> Framework Auto-Detection </h3> <p>Firebomb automatically detects and optimizes for modern frameworks:</p> <ul> <li> <strong>Next.js</strong>: Parses <code>_buildManifest.js</code>, follows chunk patterns</li> <li> <strong>React</strong>: Handles Create React App and custom builds</li> <li> <strong>Vue/Nuxt</strong>: Detects Vue-specific bundle patterns</li> <li> <strong>Vite</strong>: Extracts from Vite build outputs</li> <li> <strong>Angular</strong>: Supports Angular CLI builds</li> </ul> <h3> Deep JavaScript Analysis </h3> <ul> <li>Recursive crawling with configurable depth and file limits</li> <li>Webpack chunk extraction and following</li> <li>Source map parsing for original source code</li> <li>Environment variable pattern detection (<code>NEXT_PUBLIC_*</code>, <code>VITE_*</code>, etc.)</li> <li>Minified code correlation for scattered config values</li> </ul> <h2> Installation </h2> <p>Firebomb requires Python 3.11+ and uses <code>uv</code> for dependency management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/ModernPentest/firebomb.git <span class="nb">cd </span>firebomb <span class="c"># Run with uv (handles dependencies automatically)</span> uv run firebomb <span class="nt">--help</span> </code></pre> </div> <h2> Example Workflow </h2> <p>Here's a complete security assessment workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Discover Firebase configuration with validation</span> uv run firebomb discover <span class="nt">--url</span> https://target-app.com <span class="nt">--recursive</span> <span class="nt">--validate</span> <span class="c"># 2. Or probe by company name if config not found</span> uv run firebomb probe <span class="nt">--name</span> <span class="s2">"Target Company"</span> <span class="c"># 3. Enumerate all resources</span> uv run firebomb enum <span class="nt">--output</span> enum.json <span class="c"># 4. Run security tests</span> uv run firebomb <span class="nb">test</span> <span class="nt">--output</span> findings.json <span class="c"># 5. Create test user with auto-verification</span> uv run firebomb signup <span class="nt">--verify-email</span> <span class="c"># 6. Test with authentication</span> uv run firebomb <span class="nb">test</span> <span class="nt">--auth</span> <span class="nt">--output</span> auth-findings.json <span class="c"># 7. Dump evidence from vulnerable resources</span> uv run firebomb dump <span class="nt">--limit</span> 100 <span class="nt">--output</span> evidence.json <span class="c"># 8. Generate professional report</span> uv run firebomb report <span class="nt">--format</span> html <span class="nt">--output</span> security-assessment.html </code></pre> </div> <h2> Responsible Use </h2> <p>Firebomb is designed for <strong>authorized security testing only</strong>. Always ensure you have:</p> <ul> <li>Written authorization from the Firebase project owner</li> <li>Permission to test the specific project</li> <li>Understanding of applicable laws</li> </ul> <p>Never use this tool against applications you don't own or have explicit permission to test.</p> <h2> How It Powers ModernPentest </h2> <p>Firebomb is the foundation of our <a href="https://dev.to/firebase-pentesting">Firebase security scanning</a> at ModernPentest. Our AI agents use Firebomb as their primary tool for:</p> <ul> <li>Automated Firestore rules analysis</li> <li>RTDB permission auditing</li> <li>Cloud Storage ACL testing</li> <li>Continuous monitoring for configuration drift</li> </ul> <p>ModernPentest adds:</p> <ul> <li> <strong>AI-powered analysis</strong> - Agents interpret findings and prioritize by actual business risk</li> <li> <strong>Continuous scanning</strong> - Automated weekly/daily scans catch regressions</li> <li> <strong>SOC 2 reports</strong> - Auditor-ready documentation generated automatically</li> <li> <strong>Remediation guidance</strong> - Specific fix recommendations tailored to your codebase</li> </ul> <p>For manual control, use Firebomb directly. For automated, continuous security with compliance reporting, <a href="https://modernpentest.com/firebase-pentesting" rel="noopener noreferrer">try ModernPentest</a>.</p> <h2> Get Started </h2> <p>The code is available on GitHub:</p> <p><strong><a href="https://github.com/ModernPentest/firebomb" rel="noopener noreferrer">github.com/ModernPentest/firebomb</a></strong></p> <p>Star the repo, try it on your Firebase projects, and let us know what you find. We welcome contributions, bug reports, and feature requests.</p> <p>For a deep dive into Firebase security best practices, check out our guide: <a href="https://modernpentest.com/blog/securing-firebase-in-production" rel="noopener noreferrer">Securing Firebase in Production</a>.</p> <p><em>Firebomb is part of our commitment to open source security tooling. Follow us for more tools and guides on securing modern web applications.</em></p> security cli firebase showdev Introducing Supabomb: Open Source Supabase Penetration Testing Victor Yrazusta Ibarra Mon, 08 Dec 2025 19:20:36 +0000 https://forem.com/victor_yrazusta/introducing-supabomb-open-source-supabase-penetration-testing-4dnb https://forem.com/victor_yrazusta/introducing-supabomb-open-source-supabase-penetration-testing-4dnb <p>We're excited to announce the open source release of <strong>Supabomb</strong>, our specialized penetration testing tool for Supabase applications. It's the same tool that powers our <a href="//modernpentest.com/supabase-security">automated Supabase security scanning</a> at ModernPentest.</p> <h2> Why We Built Supabomb </h2> <p>Supabase has become the go-to backend for modern web applications. Its PostgreSQL foundation, real-time capabilities, and developer-friendly APIs make it incredibly powerful. But with that power comes security complexity.</p> <p>After auditing dozens of Supabase applications, we noticed the same patterns repeatedly:</p> <ul> <li> <strong>23% of apps have exploitable RLS policies</strong> - Missing or misconfigured Row-Level Security is shockingly common</li> <li> <strong>Most security tools miss Supabase-specific issues</strong> - Generic scanners don't understand PostgREST or RLS</li> <li> <strong>Manual testing is tedious and incomplete</strong> - Checking every table and policy by hand takes hours</li> </ul> <p>We built Supabomb to solve these problems. It's fast, thorough, and specifically designed for Supabase's unique architecture.</p> <h2> What Supabomb Does </h2> <p>Supabomb automates the entire Supabase security assessment workflow:</p> <h3> 1. Credential Discovery </h3> <p>No need to manually copy API keys from your frontend code. Supabomb automatically discovers Supabase credentials from:</p> <ul> <li>Web application URLs (parses HTML and JavaScript)</li> <li>JavaScript bundles (including code-split and lazy-loaded modules)</li> <li>HAR files from network traffic</li> <li>Deep crawling with Katana integration </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Discover credentials from a live application</span> uv run supabomb discover <span class="nt">--url</span> https://your-app.com <span class="c"># Deep discovery with JavaScript execution</span> uv run supabomb discover <span class="nt">--url</span> https://your-app.com <span class="nt">--katana</span> </code></pre> </div> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Crawling with Katana: https://demo-saas.example.com/ Max JS files: 50, Timeout: 120s ✓ Supabase instance found! ╭───────────────────┬───────────────────────────────────────────────────────╮ │ Project Reference │ abcdefghijklmnopqrst │ │ URL │ https://abcdefghijklmnopqrst.supabase.co │ │ Anon Key │ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzd... │ │ Source │ Katana crawl of https://demo-saas.example.com/ │ │ Edge Functions │ 4 discovered │ ╰───────────────────┴───────────────────────────────────────────────────────╯ Discovered Edge Functions: ╭─────┬─────────────────────────┬─────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────╮ │ <span class="c"># │ Function Name │ Arguments │ Example │</span> ├─────┼─────────────────────────┼─────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────┤ │ 1 │ create-checkout-session │ <span class="nv">plan</span><span class="o">=</span>d, <span class="nv">billing_period</span><span class="o">=</span>m, additional_use... │ functions.invoke<span class="o">(</span><span class="s2">"create-checkout-session"</span>,<span class="o">{</span>body:<span class="o">{</span>plan:d,bil... │ │ 2 │ get-invoices │ <span class="nv">customerId</span><span class="o">=</span>a, <span class="nv">limit</span><span class="o">=</span>20 │ functions.invoke<span class="o">(</span><span class="s2">"get-invoices"</span>,<span class="o">{</span>body:<span class="o">{</span>customerId:a.stripe_c... │ │ 3 │ send-notification │ <span class="nv">userId</span><span class="o">=</span>u, <span class="nv">message</span><span class="o">=</span>m, <span class="nv">channel</span><span class="o">=</span>c │ functions.invoke<span class="o">(</span><span class="s2">"send-notification"</span>,<span class="o">{</span>body:<span class="o">{</span>userId:u,message... │ │ 4 │ generate-report │ <span class="nv">reportType</span><span class="o">=</span>t, <span class="nv">startDate</span><span class="o">=</span>s, <span class="nv">endDate</span><span class="o">=</span>e │ functions.invoke<span class="o">(</span><span class="s2">"generate-report"</span>,<span class="o">{</span>body:<span class="o">{</span>reportType:t,start... │ ╰─────┴─────────────────────────┴─────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────╯ 💾 Credentials saved to .supabomb.json </code></pre> </div> <h3> 2. Resource Enumeration </h3> <p>Once credentials are discovered, Supabomb enumerates everything accessible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run supabomb enum </code></pre> </div> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> 📋 Using cached credentials <span class="k">for </span>abcdefghijklmnopqrst Enumerating Supabase instance: abcdefghijklmnopqrst ✓ Connection successful Tables: ╭─────────────────────┬──────┬─────────┬───────────╮ │ Name │ Read │ Columns │ Anon Rows │ ├─────────────────────┼──────┼─────────┼───────────┤ │ <span class="nb">users</span> │ ✓ │ 12 │ 1,847 │ │ profiles │ ✓ │ 8 │ 1,847 │ │ organizations │ ✓ │ 6 │ 423 │ │ projects │ ✓ │ 14 │ 2,156 │ │ tasks │ ✓ │ 18 │ 15,432 │ │ comments │ ✓ │ 7 │ 48,291 │ │ attachments │ ✓ │ 9 │ 8,734 │ │ notifications │ ✗ │ 11 │ N/A │ │ api_keys │ ✗ │ 8 │ N/A │ │ audit_logs │ ✗ │ 15 │ N/A │ │ billing_info │ ✓ │ 10 │ 423 │ │ subscriptions │ ✓ │ 12 │ 398 │ │ invitations │ ✓ │ 7 │ 156 │ │ webhooks │ ✗ │ 9 │ N/A │ │ settings │ ✓ │ 5 │ 423 │ ╰─────────────────────┴──────┴─────────┴───────────╯ RPC Functions: ╭─────────────────────────────┬────────────┬────────────╮ │ Name │ Accessible │ Parameters │ ├─────────────────────────────┼────────────┼────────────┤ │ get_user_projects │ ✓ │ args │ │ get_org_members │ ✓ │ args │ │ admin_list_users │ ✓ │ args │ │ admin_delete_user │ ✗ │ args │ │ get_current_user_role │ ✓ │ args │ │ is_admin │ ✓ │ args │ │ update_user_permissions │ ✗ │ args │ │ generate_api_key │ ✗ │ args │ │ validate_invitation │ ✗ │ args │ │ cleanup_expired_sessions │ ✓ │ args │ ╰─────────────────────────────┴────────────┴────────────╯ </code></pre> </div> <p>This reveals:</p> <ul> <li>All accessible database tables with column information</li> <li>RPC (Remote Procedure Call) functions</li> <li>Storage buckets</li> <li>Row counts (anonymous vs. authenticated comparison)</li> </ul> <h3> 3. Security Testing </h3> <p>The core of Supabomb - automated security testing that covers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run supabomb <span class="nb">test</span> </code></pre> </div> <p><strong>What it tests:</strong></p> <ul> <li>RLS policy effectiveness on every table</li> <li>Authentication configuration (is anonymous signup enabled?)</li> <li>RPC function access control</li> <li>Storage bucket permissions</li> <li>Edge function JWT requirements</li> </ul> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> 📋 Using cached credentials <span class="k">for </span>abcdefghijklmnopqrst Testing Supabase instance: abcdefghijklmnopqrst ✓ Connection successful ╭──────────────────────────────────────────────────────── Security Test Summary ────────────────────────────────────────────────────────────╮ │ Total Findings: 5 │ │ Risk Score: 24 │ │ │ │ Critical: 1 │ │ High: 1 │ │ Medium: 2 │ │ Low: 1 │ │ Info: 0 │ ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ Findings: ╭────────────────────────────────────────── 1. Table <span class="s1">'users'</span> accessible without authentication ─────────────────────────────────────────────╮ │ Severity: CRITICAL │ │ Affected: Table: <span class="nb">users</span> <span class="o">(</span>1,847 rows exposed<span class="o">)</span> │ │ │ │ Description: │ │ The <span class="s1">'users'</span> table can be <span class="nb">read </span>by unauthenticated <span class="nb">users </span>using the anonymous API key. This exposes sensitive user data including emails, │ │ names, and profile information. │ │ │ │ Recommendation: │ │ Add RLS policies to restrict access: │ │ - CREATE POLICY <span class="s2">"Users can view own profile"</span> ON <span class="nb">users </span>FOR SELECT USING <span class="o">(</span>auth.uid<span class="o">()</span> <span class="o">=</span> <span class="nb">id</span><span class="o">)</span><span class="p">;</span> │ │ - Ensure RLS is enabled: ALTER TABLE <span class="nb">users </span>ENABLE ROW LEVEL SECURITY<span class="p">;</span> │ ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭───────────────────────────────────── 2. RPC <span class="k">function</span> <span class="s1">'admin_list_users'</span> accessible with anonymous key ────────────────────────────────────╮ │ Severity: HIGH │ │ Affected: RPC: admin_list_users │ │ │ │ Description: │ │ The RPC <span class="k">function</span> <span class="s1">'admin_list_users'</span> can be called with the anonymous API key. This admin <span class="k">function </span>returns user data and should require │ │ authentication and admin role verification. │ │ │ │ Recommendation: │ │ Add authentication check at the start of the <span class="k">function</span>: │ │ - IF auth.uid<span class="o">()</span> IS NULL THEN RAISE EXCEPTION <span class="s1">'Not authenticated'</span><span class="p">;</span> │ │ - Verify admin role before returning data │ ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭─────────────────────────────────────────────── 3. Anonymous signup is enabled ────────────────────────────────────────────────────────────╮ │ Severity: MEDIUM │ │ Affected: Auth API │ │ │ │ Description: │ │ The Supabase instance allows anonymous <span class="nb">users </span>to create accounts. This may be intentional, but could lead to abuse <span class="k">if </span>not properly │ │ configured with email confirmation and rate limiting. │ │ │ │ Recommendation: │ │ Review signup configuration. Consider: │ │ - Enabling email confirmation │ │ - Implementing rate limiting │ │ - Adding CAPTCHA protection │ ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭────────────────────────────────────────── 4. RPC <span class="k">function</span> <span class="s1">'is_admin'</span> accessible with anonymous key ───────────────────────────────────────╮ │ Severity: MEDIUM │ │ Affected: RPC: is_admin │ │ │ │ Description: │ │ The RPC <span class="k">function</span> <span class="s1">'is_admin'</span> can be called with the anonymous API key. While it only returns a boolean, it could be used to enumerate │ │ admin <span class="nb">users </span>by testing different user IDs. │ │ │ │ Recommendation: │ │ Review the <span class="k">function</span><span class="s1">'s logic and ensure it only checks the current authenticated user'</span>s role. │ ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭─────────────────────────────────────────────── 5. Storage bucket <span class="s1">'avatars'</span> is public ─────────────────────────────────────────────────────╮ │ Severity: LOW │ │ Affected: Storage: avatars │ │ │ │ Description: │ │ The <span class="s1">'avatars'</span> storage bucket allows public <span class="nb">read </span>access. This is common <span class="k">for </span>profile pictures but verify no sensitive files are stored. │ │ │ │ Recommendation: │ │ Confirm this is intentional and implement upload restrictions to prevent abuse. │ ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ </code></pre> </div> <h3> 4. Write Permission Testing </h3> <p>Beyond read access, Supabomb tests if data can be modified:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run supabomb test-write </code></pre> </div> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>📋 Using cached credentials <span class="k">for </span>abcdefghijklmnopqrst Testing write permissions: abcdefghijklmnopqrst ✓ Connection successful Mode: anonymous ✓ Testing 15 table<span class="o">(</span>s<span class="o">)</span> Write Permission Test Results ╭───────────────────┬────────┬────────┬────────┬──────────────────────────────────────────────────────────────────╮ │ Table │ INSERT │ UPDATE │ DELETE │ Details │ ├───────────────────┼────────┼────────┼────────┼──────────────────────────────────────────────────────────────────┤ │ <span class="nb">users</span> │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ profiles │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ organizations │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ projects │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ tasks │ ✓ │ ✓ │ ✗ │ INSERT and UPDATE allowed! Row created with <span class="nb">id</span>: 847291 │ │ comments │ ✓ │ ✗ │ ✗ │ INSERT allowed! Row created with <span class="nb">id</span>: 159372 │ │ attachments │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ notifications │ ✗ │ - │ - │ Insert denied by RLS: permission denied <span class="k">for </span>table notifications │ │ api_keys │ ✗ │ - │ - │ Insert denied by RLS: permission denied <span class="k">for </span>table api_keys │ │ audit_logs │ ✗ │ - │ - │ Insert denied by RLS: permission denied <span class="k">for </span>table audit_logs │ │ billing_info │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ subscriptions │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ │ invitations │ ⚠ │ - │ - │ Insert possible but needs crafted data: missing org_id reference │ │ webhooks │ ✗ │ - │ - │ Insert denied by RLS: permission denied <span class="k">for </span>table webhooks │ │ settings │ ✗ │ - │ - │ Insert denied by RLS: new row violates row-level security policy │ ╰───────────────────┴────────┴────────┴────────┴──────────────────────────────────────────────────────────────────╯ Legend: ✓ <span class="o">=</span> Allowed, ✗ <span class="o">=</span> Denied <span class="o">(</span>RLS<span class="o">)</span>, ⚠ <span class="o">=</span> Possible with crafted data, - <span class="o">=</span> Not tested </code></pre> </div> <p>This intelligently:</p> <ul> <li>Generates test data based on actual table schema</li> <li>Respects referential integrity when testing</li> <li>Distinguishes between RLS denials and validation errors</li> <li>Automatically cleans up test data after testing</li> </ul> <h3> 5. Authenticated Testing </h3> <p>Test how RLS policies differ between anonymous and authenticated users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Register a test user (with automatic email verification)</span> uv run supabomb signup <span class="nt">--verify-email</span> <span class="c"># Subsequent commands automatically use cached auth session</span> uv run supabomb <span class="nb">test </span>uv run supabomb query <span class="nt">-t</span> <span class="nb">users</span> <span class="c"># Force anonymous access with --use-anon flag</span> uv run supabomb query <span class="nt">-t</span> <span class="nb">users</span> <span class="nt">--use-anon</span> </code></pre> </div> <h3> 6. Data Export </h3> <p>Export accessible data for evidence collection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Query specific table to JSON</span> uv run supabomb query <span class="nt">-t</span> <span class="nb">users</span> <span class="nt">-o</span> users.json <span class="c"># Export to CSV</span> uv run supabomb query <span class="nt">-t</span> <span class="nb">users</span> <span class="nt">-o</span> users.csv <span class="nt">-f</span> csv <span class="c"># Dump all accessible tables</span> uv run supabomb dump <span class="nt">-o</span> ./evidence/ </code></pre> </div> <h3> 7. All-in-One Assessment </h3> <p>Run the complete workflow with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run supabomb all <span class="nt">--url</span> https://your-app.com <span class="nt">-o</span> report.json </code></pre> </div> <p>This executes: discovery → registration → enumeration → data dump, generating a comprehensive JSON report.</p> <p><strong>Additional options:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Include write permission testing</span> uv run supabomb all <span class="nt">--url</span> https://your-app.com <span class="nt">-o</span> report.json <span class="nt">--test-write</span> <span class="c"># Use Katana for deep JavaScript crawling</span> uv run supabomb all <span class="nt">--url</span> https://your-app.com <span class="nt">-o</span> report.json <span class="nt">--katana</span> </code></pre> </div> <h2> Key Features That Set Supabomb Apart </h2> <h3> Intelligent Credential Caching </h3> <p>Supabomb caches discovered credentials in <code>~/.supabomb.json</code>. Once you've scanned an app, subsequent commands automatically use the cached credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># First time: discover and cache</span> uv run supabomb discover <span class="nt">--url</span> https://app.com <span class="c"># Later: just run commands (credentials auto-loaded)</span> uv run supabomb enum uv run supabomb <span class="nb">test</span> </code></pre> </div> <p><strong>Manage cached credentials:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all cached credentials</span> uv run supabomb cached <span class="c"># Remove a specific project</span> uv run supabomb cached <span class="nt">--remove</span> abcdefghij <span class="c"># Clear all cached credentials</span> uv run supabomb cached <span class="nt">--clear</span> </code></pre> </div> <h3> Deep JavaScript Analysis </h3> <p>Many tools only scan inline scripts. Supabomb analyzes up to 50+ JavaScript files per scan, including:</p> <ul> <li>Directly linked scripts</li> <li>Dynamically imported modules</li> <li>Code-split chunks</li> <li>Lazy-loaded bundles</li> <li>Next.js/React/Vue bundle formats</li> </ul> <p>This catches credentials hidden in complex frontend builds.</p> <h3> Automatic Email Verification </h3> <p>When testing requires a verified account, Supabomb integrates with temporary email services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run supabomb signup <span class="nt">--verify-email</span> </code></pre> </div> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>✓ Email verification required - using temporary email service Created temporary email: xyz123@mail.tm Registering user... ⏳ Account created, waiting <span class="k">for </span>verification email... ✓ Verification email received! ✓ Email verified successfully! ✓ Login successful! ┌──────────────┬──────────────────────────────────────────┐ │ Property │ Value │ ├──────────────┼──────────────────────────────────────────┤ │ User ID │ 550e8400-e29b-41d4-a716-446655440000 │ │ Email │ xyz123@mail.tm │ │ Role │ authenticated │ └──────────────┴──────────────────────────────────────────┘ 💾 Session saved to .supabomb.json </code></pre> </div> <p>This automatically:</p> <ol> <li>Creates a temporary email address</li> <li>Registers with your Supabase project</li> <li>Waits for the verification email</li> <li>Clicks the verification link</li> <li>Caches the authenticated session</li> </ol> <p>No manual intervention needed.</p> <h3> Side-by-Side Access Comparison </h3> <p>Instantly see what's exposed to anonymous vs. authenticated users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌────────────────┬───────────┬───────────────┐ │ Table │ Anon Rows │ Auth Rows │ ├────────────────┼───────────┼───────────────┤ │ public_posts │ 150 │ 150 │ │ user_profiles │ 1,234 │ 1,234 ⚠️ │ │ private_data │ 0 │ 42 │ │ admin_logs │ 0 │ 0 │ └────────────────┴───────────┴───────────────┘ ⚠️ Warning: user_profiles accessible without auth </code></pre> </div> <h3> Edge Function Discovery </h3> <p>Unique to Supabomb: it extracts edge function invocations directly from JavaScript code and tests them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run supabomb check-jwt <span class="nt">-e</span> send_email <span class="nt">-e</span> get_posts </code></pre> </div> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Checking edge functions: abcdefghijklmnopqrst ┌─────────────────────────┬──────────────────┬──────────────────────────┬──────────────┐ │ Function Name │ Requires JWT │ Accessible with Anon Key │ Status Code │ ├─────────────────────────┼──────────────────┼──────────────────────────┼──────────────┤ │ create-checkout-session │ Yes │ No │ 401 │ │ get-invoices │ Yes │ No │ 401 │ │ send-notification │ No │ Yes │ 200 │ │ generate-report │ No │ Yes │ 200 │ └─────────────────────────┴──────────────────┴──────────────────────────┴──────────────┘ </code></pre> </div> <p>This reveals which edge functions require JWT authentication and which are publicly accessible.</p> <h2> Installation </h2> <p>Supabomb requires Python 3.13+ and uses <code>uv</code> for dependency management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/Victoratus/supabomb.git <span class="nb">cd </span>supabomb <span class="c"># Run with uv (handles dependencies automatically)</span> uv run supabomb <span class="nt">--help</span> </code></pre> </div> <p>For deep crawling features, install Katana:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>github.com/projectdiscovery/katana/cmd/katana@latest </code></pre> </div> <h2> Example Workflow </h2> <p>Here's a typical security assessment workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Discover credentials from the target application</span> uv run supabomb discover <span class="nt">--url</span> https://target-app.com <span class="nt">--katana</span> <span class="c"># 2. See what resources are accessible (anonymous)</span> uv run supabomb enum <span class="c"># 3. Run security tests</span> uv run supabomb <span class="nb">test</span> <span class="c"># 4. If issues found, test write permissions</span> uv run supabomb test-write <span class="c"># 5. Register for authenticated testing</span> uv run supabomb signup <span class="nt">--verify-email</span> <span class="c"># 6. Re-run tests with authenticated session (automatic)</span> uv run supabomb enum uv run supabomb <span class="nb">test</span> <span class="c"># 7. Export evidence</span> uv run supabomb dump <span class="nt">-o</span> ./evidence/ </code></pre> </div> <h2> Responsible Use </h2> <p>Supabomb is designed for <strong>authorized security assessments only</strong>. Always ensure you have:</p> <ul> <li>Written authorization from the application owner</li> <li>Permission to test the specific Supabase project</li> <li>Understanding of applicable laws in your jurisdiction</li> </ul> <p>Never use this tool against applications you don't own or have explicit permission to test.</p> <h2> How It Powers ModernPentest </h2> <p>Supabomb is the foundation of our <a href="//modernpentest.com/supabase-security">Supabase security scanning</a> at ModernPentest. Our AI agents use Supabomb as their primary tool for:</p> <ul> <li>Automated RLS policy analysis</li> <li>Storage bucket permission auditing</li> <li>PostgREST API security testing</li> <li>Continuous monitoring for configuration drift</li> </ul> <p>The difference? ModernPentest adds:</p> <ul> <li> <strong>AI-powered analysis</strong> - Our agents interpret findings and prioritize by actual risk</li> <li> <strong>Continuous scanning</strong> - Automated weekly/daily scans catch regressions</li> <li> <strong>SOC 2 reports</strong> - Auditor-ready documentation generated automatically</li> <li> <strong>Remediation guidance</strong> - Specific fix recommendations for each finding</li> </ul> <p>If you want manual control, use Supabomb directly. If you want automated, continuous security with compliance reporting, <a href="//modernpentest.com/supabase-security">try ModernPentest</a>.</p> <h2> Get Started </h2> <p>The code is available on GitHub:</p> <p><strong><a href="https://github.com/Victoratus/supabomb" rel="noopener noreferrer">github.com/Victoratus/supabomb</a></strong></p> <p>Star the repo, try it on your projects, and let us know what you find. We welcome contributions, bug reports, and feature requests.</p> <p>For comprehensive coverage of common Supabase security issues, check out our guide: <a href="//modernpentest.com/blog/supabase-security-misconfigurations">10 Common Supabase Security Misconfigurations</a>.</p> <p><em>Supabomb is part of our commitment to open source security tooling. Follow us for more tools and guides on securing modern web applications.</em></p> supabase security opensource cli 10 Common Supabase Security Misconfigurations (and How to Fix Them) Victor Yrazusta Ibarra Mon, 08 Dec 2025 19:14:41 +0000 https://forem.com/victor_yrazusta/10-common-supabase-security-misconfigurations-and-how-to-fix-them-do8 https://forem.com/victor_yrazusta/10-common-supabase-security-misconfigurations-and-how-to-fix-them-do8 <p>Supabase has become one of the most popular backend-as-a-service platforms for modern web applications. Its PostgreSQL foundation, real-time capabilities, and developer-friendly APIs make it an excellent choice for startups and established companies alike.</p> <p>However, with great power comes great responsibility. Supabase's flexibility means there are many ways to misconfigure your security settings, potentially exposing sensitive user data. In this guide, we'll cover the 10 most common Supabase security misconfigurations we've seen in production applications.</p> <h2> 1. Missing Row-Level Security (RLS) </h2> <p><strong>Severity: Critical</strong></p> <p>The most dangerous misconfiguration is having no Row-Level Security (RLS) enabled at all. When RLS is disabled, anyone with your Supabase URL and anon key (which is public) can read, update, or delete all data in your tables.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This table has NO RLS - anyone can access all data</span> <span class="k">create</span> <span class="k">table</span> <span class="n">user_profiles</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">email</span> <span class="nb">text</span><span class="p">,</span> <span class="n">full_name</span> <span class="nb">text</span><span class="p">,</span> <span class="n">credit_card_last_four</span> <span class="nb">text</span> <span class="p">);</span> </code></pre> </div> <h3> The Fix </h3> <p>Always enable RLS and create appropriate policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Enable RLS</span> <span class="k">alter</span> <span class="k">table</span> <span class="n">user_profiles</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="c1">-- Allow users to read only their own profile</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Users can read own profile"</span> <span class="k">on</span> <span class="n">user_profiles</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span><span class="p">);</span> <span class="c1">-- Allow users to update only their own profile</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Users can update own profile"</span> <span class="k">on</span> <span class="n">user_profiles</span> <span class="k">for</span> <span class="k">update</span> <span class="k">using</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span><span class="p">);</span> </code></pre> </div> <h2> 2. Overly Permissive RLS Policies </h2> <p><strong>Severity: High</strong></p> <p>Even with RLS enabled, policies that are too broad can expose data. A common mistake is using <code>true</code> or weak conditions.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This policy allows ANY authenticated user to read ALL profiles</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Authenticated users can read profiles"</span> <span class="k">on</span> <span class="n">user_profiles</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="k">role</span><span class="p">()</span> <span class="o">=</span> <span class="s1">'authenticated'</span><span class="p">);</span> </code></pre> </div> <h3> The Fix </h3> <p>Be specific about what data each user can access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Only allow reading your own profile OR public profiles</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Users can read own or public profiles"</span> <span class="k">on</span> <span class="n">user_profiles</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span> <span class="k">OR</span> <span class="n">is_public</span> <span class="o">=</span> <span class="k">true</span> <span class="p">);</span> </code></pre> </div> <h2> 3. Service Role Key Exposure </h2> <p><strong>Severity: Critical</strong></p> <p>The <code>service_role</code> key bypasses all RLS policies and should NEVER be exposed to the client. We've seen this key hardcoded in frontend applications, environment variables leaked in client bundles, and even committed to public repositories.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// NEVER do this - service_role key in frontend code</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY</span> <span class="c1">// DANGER!</span> <span class="p">);</span> </code></pre> </div> <h3> The Fix </h3> <p>Only use the <code>anon</code> key in client-side code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Correct - using anon key which respects RLS</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span> <span class="p">);</span> </code></pre> </div> <p>Keep <code>service_role</code> key only in server-side code (API routes, server actions, edge functions).</p> <h2> 4. Insecure Storage Bucket Policies </h2> <p><strong>Severity: High</strong></p> <p>Supabase Storage uses similar RLS-style policies, but many developers forget to configure them, leaving files publicly accessible.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Default policy allows public access to all files</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Public access"</span> <span class="k">on</span> <span class="k">storage</span><span class="p">.</span><span class="n">objects</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span><span class="n">bucket_id</span> <span class="o">=</span> <span class="s1">'avatars'</span><span class="p">);</span> </code></pre> </div> <h3> The Fix </h3> <p>Restrict access based on ownership:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Users can only access their own files</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"User can access own files"</span> <span class="k">on</span> <span class="k">storage</span><span class="p">.</span><span class="n">objects</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span> <span class="n">bucket_id</span> <span class="o">=</span> <span class="s1">'user-files'</span> <span class="k">AND</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()::</span><span class="nb">text</span> <span class="o">=</span> <span class="p">(</span><span class="k">storage</span><span class="p">.</span><span class="n">foldername</span><span class="p">(</span><span class="n">name</span><span class="p">))[</span><span class="mi">1</span><span class="p">]</span> <span class="p">);</span> <span class="c1">-- Users can upload to their own folder</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"User can upload own files"</span> <span class="k">on</span> <span class="k">storage</span><span class="p">.</span><span class="n">objects</span> <span class="k">for</span> <span class="k">insert</span> <span class="k">with</span> <span class="k">check</span> <span class="p">(</span> <span class="n">bucket_id</span> <span class="o">=</span> <span class="s1">'user-files'</span> <span class="k">AND</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()::</span><span class="nb">text</span> <span class="o">=</span> <span class="p">(</span><span class="k">storage</span><span class="p">.</span><span class="n">foldername</span><span class="p">(</span><span class="n">name</span><span class="p">))[</span><span class="mi">1</span><span class="p">]</span> <span class="p">);</span> </code></pre> </div> <h2> 5. Missing Email Verification </h2> <p><strong>Severity: Medium</strong></p> <p>By default, Supabase allows users to sign up and immediately access the application without verifying their email. This enables account enumeration and fake account creation.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// User can sign up and immediately access protected resources</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signUp</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// data.user exists and can be used immediately</span> </code></pre> </div> <h3> The Fix </h3> <ol> <li>Enable email confirmation in Supabase Dashboard under Authentication &gt; Settings</li> <li>Check email confirmation status in your RLS policies: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="n">policy</span> <span class="nv">"Only verified users can access data"</span> <span class="k">on</span> <span class="n">sensitive_data</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span> <span class="k">AND</span> <span class="n">auth</span><span class="p">.</span><span class="n">jwt</span><span class="p">()</span><span class="o">-&gt;&gt;</span><span class="s1">'email_confirmed_at'</span> <span class="k">is</span> <span class="k">not</span> <span class="k">null</span> <span class="p">);</span> </code></pre> </div> <h2> 6. Direct Table Access via PostgREST </h2> <p><strong>Severity: Medium</strong></p> <p>Supabase exposes your database through PostgREST, which means any table can be queried directly if not properly secured. Developers sometimes create tables without RLS, thinking they're "internal only."</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Anyone can query this table directly via the REST API</span> curl <span class="s1">'https://your-project.supabase.co/rest/v1/internal_logs'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"apikey: YOUR_ANON_KEY"</span> </code></pre> </div> <h3> The Fix </h3> <p>Always enable RLS on all tables, even "internal" ones:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Secure internal tables by denying all access via RLS</span> <span class="k">alter</span> <span class="k">table</span> <span class="n">internal_logs</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="c1">-- No policies = no access via PostgREST</span> <span class="c1">-- Access only through server-side code with service_role</span> </code></pre> </div> <h2> 7. Exposed Database Functions </h2> <p><strong>Severity: High</strong></p> <p>PostgreSQL functions created with <code>SECURITY DEFINER</code> run with the privileges of the function creator, not the calling user. If exposed via PostgREST without proper checks, they can bypass RLS.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This function runs with elevated privileges</span> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">delete_user</span><span class="p">(</span><span class="n">target_id</span> <span class="n">uuid</span><span class="p">)</span> <span class="k">returns</span> <span class="n">void</span> <span class="k">language</span> <span class="k">sql</span> <span class="k">security</span> <span class="k">definer</span> <span class="k">as</span> <span class="err">$$</span> <span class="k">delete</span> <span class="k">from</span> <span class="n">user_profiles</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">target_id</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <h3> The Fix </h3> <p>Add authorization checks inside the function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">delete_user</span><span class="p">(</span><span class="n">target_id</span> <span class="n">uuid</span><span class="p">)</span> <span class="k">returns</span> <span class="n">void</span> <span class="k">language</span> <span class="n">plpgsql</span> <span class="k">security</span> <span class="k">definer</span> <span class="k">as</span> <span class="err">$$</span> <span class="k">begin</span> <span class="c1">-- Check if the calling user is authorized</span> <span class="n">if</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">!=</span> <span class="n">target_id</span> <span class="k">then</span> <span class="n">raise</span> <span class="n">exception</span> <span class="s1">'Not authorized'</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="k">delete</span> <span class="k">from</span> <span class="n">user_profiles</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">target_id</span><span class="p">;</span> <span class="k">end</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <h2> 8. Weak Password Requirements </h2> <p><strong>Severity: Medium</strong></p> <p>Supabase's default minimum password length is 6 characters, which is quite weak by modern standards.</p> <h3> The Fix </h3> <p>Configure stronger password requirements in your Supabase Dashboard under Authentication &gt; Settings:</p> <ul> <li>Minimum length: 12 characters</li> <li>Require uppercase, lowercase, numbers, and symbols</li> </ul> <p>Additionally, implement client-side validation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">passwordSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="mi">12</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Password must be at least 12 characters</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">]</span><span class="sr">/</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Password must contain uppercase letter</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">a-z</span><span class="se">]</span><span class="sr">/</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Password must contain lowercase letter</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">0-9</span><span class="se">]</span><span class="sr">/</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Password must contain a number</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">A-Za-z0-9</span><span class="se">]</span><span class="sr">/</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Password must contain special character</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> 9. Missing Rate Limiting </h2> <p><strong>Severity: Medium</strong></p> <p>Supabase doesn't have built-in rate limiting for authentication endpoints, making your app vulnerable to brute force attacks.</p> <h3> The Fix </h3> <p>Implement rate limiting at the application level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Using Upstash Redis for rate limiting</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Ratelimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@upstash/ratelimit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Redis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@upstash/redis</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ratelimit</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Ratelimit</span><span class="p">({</span> <span class="na">redis</span><span class="p">:</span> <span class="nx">Redis</span><span class="p">.</span><span class="nf">fromEnv</span><span class="p">(),</span> <span class="na">limiter</span><span class="p">:</span> <span class="nx">Ratelimit</span><span class="p">.</span><span class="nf">slidingWindow</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1 m</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// 5 attempts per minute</span> <span class="p">});</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">signIn</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="nx">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">success</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ratelimit</span><span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Too many login attempts. Please try again later.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithPassword</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> 10. Misconfigured Edge Functions </h2> <p><strong>Severity: High</strong></p> <p>Supabase Edge Functions are powerful serverless functions that run on Deno. A common mistake is deploying functions without proper JWT verification, making them accessible to anyone who knows the endpoint URL.</p> <h3> The Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This edge function has NO authentication check</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">serve</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">https://deno.land/std@0.168.0/http/server.ts</span><span class="dl">'</span> <span class="nf">serve</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// DANGER: Anyone can call this endpoint!</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1">// Performing privileged operations without auth</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">adminClient</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userId</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">userData</span><span class="p">))</span> <span class="p">})</span> </code></pre> </div> <h3> The Fix </h3> <p>Always verify the JWT token and extract the user from it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">serve</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">https://deno.land/std@0.168.0/http/server.ts</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">https://esm.sh/@supabase/supabase-js@2</span><span class="dl">'</span> <span class="nf">serve</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Extract the JWT from the Authorization header</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authHeader</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">'</span><span class="s1">Missing authorization header</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// Create a Supabase client with the user's JWT</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">Deno</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">SUPABASE_URL</span><span class="dl">'</span><span class="p">)</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="nx">Deno</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">SUPABASE_ANON_KEY</span><span class="dl">'</span><span class="p">)</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="p">{</span> <span class="na">global</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="nx">authHeader</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">// Verify the token and get the user</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">},</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="o">||</span> <span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// Now safely use user.id instead of trusting client input</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">))</span> <span class="p">})</span> </code></pre> </div> <h2> Detecting These Issues Automatically </h2> <p>Manually checking all tables, policies, and configurations is tedious and error-prone. We built <strong><a href="https://github.com/Victoratus/supabomb" rel="noopener noreferrer">Supabomb</a></strong>, an open source CLI tool specifically for Supabase security testing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install and run</span> git clone https://github.com/Victoratus/supabomb.git <span class="nb">cd </span>supabomb <span class="c"># Discover credentials from your app</span> uv run supabomb discover <span class="nt">--url</span> https://your-app.com <span class="c"># Run security tests</span> uv run supabomb <span class="nb">test</span> </code></pre> </div> <p>Supabomb automatically:</p> <ul> <li>Discovers Supabase credentials from your frontend</li> <li>Enumerates all accessible tables and storage buckets</li> <li>Tests RLS policies and identifies misconfigurations</li> <li>Compares anonymous vs. authenticated access</li> <li>Generates detailed findings reports</li> </ul> <p>Read more about it in our <a href="//modernpentest.com/blog/introducing-supabomb">Introducing Supabomb</a> post.</p> <h2> Conclusion </h2> <p>Securing your Supabase application requires a defense-in-depth approach. Here's a checklist to review:</p> <ul> <li>[ ] RLS is enabled on ALL tables</li> <li>[ ] RLS policies are specific and well-tested</li> <li>[ ] Service role key is only used server-side</li> <li>[ ] Storage bucket policies are configured</li> <li>[ ] Email verification is required</li> <li>[ ] All database functions have proper authorization checks</li> <li>[ ] Password requirements are strong</li> <li>[ ] Rate limiting is implemented</li> <li>[ ] Edge Functions verify JWT tokens before processing requests</li> </ul> <h2> Automate Your Supabase Security </h2> <p>Want continuous protection instead of manual checks? <strong><a href="//modernpentest.com/supabase-security">ModernPentest's Supabase Security Scanning</a></strong> uses AI agents trained specifically on Supabase vulnerabilities to:</p> <ul> <li> <strong>Scan in under an hour</strong> - Full penetration test + SOC 2 report</li> <li> <strong>Catch RLS bypasses</strong> - The same issues covered in this guide, detected automatically</li> <li> <strong>Monitor continuously</strong> - Weekly/daily scans catch regressions before attackers do</li> <li> <strong>Generate compliance reports</strong> - Auditor-ready documentation for SOC 2, ISO 27001</li> </ul> <p>Our agents use Supabomb under the hood, combined with AI analysis to prioritize findings by actual risk and provide specific remediation guidance.</p> <p><a href="//modernpentest.com/supabase-security"><strong>Start Your Free Security Scan →</strong></a></p> <p><em>This guide is part of our Security Guides series. Follow us for more content on securing modern web applications.</em></p> supabase security postgres webdev