# Supabase URL Extraction

🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**

You MUST write to context files **AS YOU GO**, not just at the end.

- Write to `.sb-pentest-context.json` **IMMEDIATELY after each discovery**
- Log to `.sb-pentest-audit.log` **BEFORE and AFTER each action**
- **DO NOT** wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved

**This is not optional. Failure to write progressively is a critical error.**

This skill extracts the Supabase project URL from a web application's client-side code.

## When to Use This Skill

- After detecting Supabase usage, to get the exact project URL
- When you need the API base URL for further testing
- To identify which Supabase project an application uses

## Prerequisites

- Target URL accessible
- Supabase usage detected (or suspected)

## How It Works

The skill scans for URL patterns in:

### 1. JavaScript Source Code

```javascript
// Direct URL references
const SUPABASE_URL = 'https://abc123.supabase.co'
createClient('https://abc123.supabase.co', key)

// Environment variable patterns
process.env.SUPABASE_URL
process.env.NEXT_PUBLIC_SUPABASE_URL
import.meta.env.VITE_SUPABASE_URL
```

### 2. HTML Meta Tags and Scripts

```html
<meta name="supabase-url" content="https://abc123.supabase.co">
<script>
  window.SUPABASE_URL = 'https://abc123.supabase.co'
</script>
```

### 3. Configuration Objects

```javascript
const config = {
  supabase: {
    url: 'https://abc123.supabase.co'
  }
}
```

## URL Pattern Matching

Recognized patterns:

| Pattern | Example |
|---------|---------|
| Standard | `https://abc123.supabase.co` |
| With region | `https://abc123.eu-central-1.supabase.co` |
| Custom domain | Detected via API endpoint patterns |

## Usage

### Basic Extraction

```
Extract Supabase URL from https://myapp.example.com
```

### From Local Files

If you have downloaded the source:

```
Extract Supabase URL from ./dist/assets/
```

## Output Format

```
═══════════════════════════════════════════════════════════
 SUPABASE URL EXTRACTED
═══════════════════════════════════════════════════════════

 Project URL: https://abc123def.supabase.co
 Project Ref: abc123def
 Region:      us-east-1 (inferred)

 Found in:
 ├── /static/js/main.abc123.js (line 1247)
 │   └── const SUPABASE_URL = 'https://abc123def.supabase.co'
 │
 └── /static/js/chunk.def456.js (line 89)
     └── createClient('https://abc123def.supabase.co', ...)

 API Endpoints:
 ├── REST API: https://abc123def.supabase.co/rest/v1/
 ├── Auth API: https://abc123def.supabase.co/auth/v1/
 ├── Storage:  https://abc123def.supabase.co/storage/v1/
 └── Realtime: wss://abc123def.supabase.co/realtime/v1/

 Context updated: .sb-pentest-context.json
═══════════════════════════════════════════════════════════
```

## Context Output

Saved to `.sb-pentest-context.json`:

```json
{
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1",
    "endpoints": {
      "rest": "https://abc123def.supabase.co/rest/v1/",
      "auth": "https://abc123def.supabase.co/auth/v1/",
      "storage": "https://abc123def.supabase.co/storage/v1/",
      "realtime": "wss://abc123def.supabase.co/realtime/v1/",
      "functions": "https://abc123def.supabase.co/functions/v1/"
    },
    "sources": [
      {
        "file": "/static/js/main.abc123.js",
        "line": 1247,
        "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
      }
    ]
  }
}
```

## Multiple URLs

If multiple Supabase URLs are found:

```
═══════════════════════════════════════════════════════════
 MULTIPLE SUPABASE URLS FOUND
═══════════════════════════════════════════════════════════

 ⚠️ Multiple Supabase projects detected

 1. https://abc123.supabase.co (primary - most references)
    └── Found in: main.js, config.js

 2. https://xyz789.supabase.co (secondary)
    └── Found in: analytics.js

 Using primary URL for further analysis.
 To use a different URL, specify it manually.
═══════════════════════════════════════════════════════════
```

## Validation

The skill validates extracted URLs by:

1. **Format check** — Matches expected Supabase URL patterns
2. **Reachability check** — Attempts to reach the REST API endpoint
3. **Response validation** — Confirms Supabase-like response

```
Validation:
├── Format:    ✅ Valid Supabase URL format
├── Reachable: ✅ REST API responds (200 OK)
└── Confirmed: ✅ Response matches Supabase pattern
```

## Common Issues

❌ **Problem:** URL not found despite Supabase detection

✅ **Solution:** The URL may be in a dynamically loaded chunk. Try:

```
Extract URL with deep scan from https://myapp.example.com
```

❌ **Problem:** URL found but validation fails

✅ **Solution:** The project may be paused or the region may have connectivity issues. The URL is still recorded.

❌ **Problem:** Only custom domain found

✅ **Solution:** Custom domains are valid. The skill will note it as a custom domain and attempt to identify the underlying project.

## Security Notes

- This skill only reads publicly available code
- No authentication is attempted
- The URL alone does not grant access (key is also required)

## Next Steps

After extracting the URL:

1. Run `supabase-extract-anon-key` to find the API key
2. Run `supabase-extract-service-key` to check for leaked service keys
3. Proceed to API auditing skills

## MANDATORY: Progressive Context File Updates

⚠️ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**

### Critical Rule: Write As You Go

**DO NOT** batch all writes at the end. Instead:

1. **Before starting any action** → Log the action to `.sb-pentest-audit.log`
2. **After each discovery** → Immediately update `.sb-pentest-context.json`
3. **After each significant step** → Log completion to `.sb-pentest-audit.log`

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
### Required Actions (Progressive)

1. **Update `.sb-pentest-context.json`** with extracted data:

   ```json
   {
     "supabase": {
       "project_url": "https://[ref].supabase.co",
       "project_ref": "[ref]",
       "endpoints": { ... }
     }
   }
   ```

2. **Log to `.sb-pentest-audit.log`**:

   ```
   [TIMESTAMP] [supabase-extract-url] [START] Beginning URL extraction
   [TIMESTAMP] [supabase-extract-url] [SUCCESS] URL extracted: https://[ref].supabase.co
   [TIMESTAMP] [supabase-extract-url] [CONTEXT_UPDATED] .sb-pentest-context.json updated
   ```

3. **If files don't exist**, create them before writing.

**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**

## MANDATORY: Evidence Collection

📁 **Evidence Directory:** `.sb-pentest-evidence/02-extraction/`

### Evidence Files to Create

| File | Content |
|------|---------|
| `extracted-url.json` | URL extraction details with source locations |

### Evidence Format

```json
{
  "evidence_id": "EXT-URL-001",
  "timestamp": "2025-01-31T10:05:00Z",
  "category": "extraction",
  "type": "url_extraction",
  "extracted_data": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1"
  },
  "sources": [
    {
      "file": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    }
  ],
  "endpoints_discovered": {
    "rest": "https://abc123def.supabase.co/rest/v1/",
    "auth": "https://abc123def.supabase.co/auth/v1/",
    "storage": "https://abc123def.supabase.co/storage/v1/",
    "realtime": "wss://abc123def.supabase.co/realtime/v1/"
  }
}
```
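
The pattern matching and primary-URL selection described under "URL Pattern Matching" and "Multiple URLs", as an added example that is not the skill's own code, useful for checking what your own build output exposes. The regex, the function names and the sample files are assumptions constructed for illustration; custom domains are out of scope, and the region is reported only when the hostname carries one.

```python
import re
from collections import Counter

# Assumed regex for the two hosted forms in the pattern table; the lookahead
# rejects lookalike hosts such as abc123.supabase.co.example.net.
URL_RE = re.compile(
    r"https://([a-z0-9]+)(?:\.([a-z]{2}(?:-[a-z]+)+-\d))?\.supabase\.co(?![\w-]|\.\w)"
)

# Constructed sample standing in for a downloaded ./dist/assets/ directory.
SAMPLE_FILES = {
    "main.js": "const SUPABASE_URL = 'https://abc123.supabase.co'\n"
               "createClient('https://abc123.supabase.co', key)\n",
    "config.js": "const config = { supabase: { url: 'https://abc123.supabase.co' } }\n",
    "analytics.js": "// docs: https://abc123.supabase.co.example.net\n"
                    "const A = 'https://xyz789.eu-central-1.supabase.co/rest/v1/'\n",
}

def find_urls(files):
    """Return one record per reference: url, ref, region, file, line, context."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in URL_RE.finditer(line):
                hits.append({"url": m.group(0), "ref": m.group(1), "region": m.group(2),
                             "file": path, "line": lineno, "context": line.strip()})
    return hits

def summarize(hits):
    """Choose the most-referenced URL as primary and derive its API endpoints."""
    if not hits:
        return None
    counts = Counter(h["url"] for h in hits)
    primary = counts.most_common(1)[0][0]
    sources = [h for h in hits if h["url"] == primary]
    host = primary.split("://", 1)[1]
    return {
        "project_url": primary,
        "project_ref": sources[0]["ref"],
        "region": sources[0]["region"],  # None when the hostname has no region label
        "endpoints": {
            "rest": f"{primary}/rest/v1/",
            "auth": f"{primary}/auth/v1/",
            "storage": f"{primary}/storage/v1/",
            "realtime": f"wss://{host}/realtime/v1/",
        },
        "secondary": [u for u in counts if u != primary],
        "sources": [{k: h[k] for k in ("file", "line", "context")} for h in sources],
    }
```
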