playbooks

home / skills / yoanbernabeu / supabase-pentest-skills / supabase-extract-url

supabase-extract-url skill

/skills/extraction/supabase-extract-url

This skill extracts the Supabase project URL from client-side code and config to enable rapid testing and targeted security auditing.

npx playbooks add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-url

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
8.7 KB
---
name: supabase-extract-url
description: Extract the Supabase project URL from client-side JavaScript code, environment variables, and configuration files.
---

# Supabase URL Extraction

> šŸ”“ **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-context.json` **IMMEDIATELY after each discovery**
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each action**
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**

This skill extracts the Supabase project URL from a web application's client-side code.

## When to Use This Skill

- After detecting Supabase usage, to get the exact project URL
- When you need the API base URL for further testing
- To identify which Supabase project an application uses

## Prerequisites

- Target URL accessible
- Supabase usage detected (or suspected)

## How It Works

The skill scans for URL patterns in:

### 1. JavaScript Source Code

```javascript
// Direct URL references
const SUPABASE_URL = 'https://abc123.supabase.co'
createClient('https://abc123.supabase.co', key)

// Environment variable patterns
process.env.SUPABASE_URL
process.env.NEXT_PUBLIC_SUPABASE_URL
import.meta.env.VITE_SUPABASE_URL
```

### 2. HTML Meta Tags and Scripts

```html
<meta name="supabase-url" content="https://abc123.supabase.co">
<script>
  window.SUPABASE_URL = 'https://abc123.supabase.co'
</script>
```

### 3. Configuration Objects

```javascript
const config = {
  supabase: {
    url: 'https://abc123.supabase.co'
  }
}
```

## URL Pattern Matching

Recognized patterns:

| Pattern | Example |
|---------|---------|
| Standard | `https://abc123.supabase.co` |
| With region | `https://abc123.eu-central-1.supabase.co` |
| Custom domain | Detected via API endpoint patterns |

## Usage

### Basic Extraction

```
Extract Supabase URL from https://myapp.example.com
```

### From Local Files

If you have downloaded the source:
```
Extract Supabase URL from ./dist/assets/
```

## Output Format

```
ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•
 SUPABASE URL EXTRACTED
ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•

 Project URL: https://abc123def.supabase.co
 Project Ref: abc123def
 Region: us-east-1 (inferred)

 Found in:
 ā”œā”€ā”€ /static/js/main.abc123.js (line 1247)
 ā”‚   ā””ā”€ā”€ const SUPABASE_URL = 'https://abc123def.supabase.co'
 ā”‚
 ā””ā”€ā”€ /static/js/chunk.def456.js (line 89)
     ā””ā”€ā”€ createClient('https://abc123def.supabase.co', ...)

 API Endpoints:
 ā”œā”€ā”€ REST API: https://abc123def.supabase.co/rest/v1/
 ā”œā”€ā”€ Auth API: https://abc123def.supabase.co/auth/v1/
 ā”œā”€ā”€ Storage: https://abc123def.supabase.co/storage/v1/
 ā””ā”€ā”€ Realtime: wss://abc123def.supabase.co/realtime/v1/

 Context updated: .sb-pentest-context.json
ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•
```

## Context Output

Saved to `.sb-pentest-context.json`:

```json
{
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1",
    "endpoints": {
      "rest": "https://abc123def.supabase.co/rest/v1/",
      "auth": "https://abc123def.supabase.co/auth/v1/",
      "storage": "https://abc123def.supabase.co/storage/v1/",
      "realtime": "wss://abc123def.supabase.co/realtime/v1/",
      "functions": "https://abc123def.supabase.co/functions/v1/"
    },
    "sources": [
      {
        "file": "/static/js/main.abc123.js",
        "line": 1247,
        "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
      }
    ]
  }
}
```

## Multiple URLs

If multiple Supabase URLs are found:

```
ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•
 MULTIPLE SUPABASE URLS FOUND
ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•

 āš ļø  Multiple Supabase projects detected

 1. https://abc123.supabase.co (primary - most references)
    ā””ā”€ā”€ Found in: main.js, config.js

 2. https://xyz789.supabase.co (secondary)
    ā””ā”€ā”€ Found in: analytics.js

 Using primary URL for further analysis.
 To use a different URL, specify it manually.
ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•
```

## Validation

The skill validates extracted URLs by:

1. **Format check** ā€” Matches expected Supabase URL patterns
2. **Reachability check** ā€” Attempts to reach the REST API endpoint
3. **Response validation** ā€” Confirms Supabase-like response

```
Validation:
ā”œā”€ā”€ Format: āœ… Valid Supabase URL format
ā”œā”€ā”€ Reachable: āœ… REST API responds (200 OK)
ā””ā”€ā”€ Confirmed: āœ… Response matches Supabase pattern
```

## Common Issues

āŒ **Problem:** URL not found despite Supabase detection
āœ… **Solution:** The URL may be in a dynamically loaded chunk. Try:
```
Extract URL with deep scan from https://myapp.example.com
```

āŒ **Problem:** URL found but validation fails
āœ… **Solution:** The project may be paused or the region may have connectivity issues. The URL is still recorded.

āŒ **Problem:** Only custom domain found
āœ… **Solution:** Custom domains are valid. The skill will note it as a custom domain and attempt to identify the underlying project.

## Security Notes

- This skill only reads publicly available code
- No authentication is attempted
- The URL alone does not grant access (key is also required)

## Next Steps

After extracting the URL:
1. Run `supabase-extract-anon-key` to find the API key
2. Run `supabase-extract-service-key` to check for leaked service keys
3. Proceed to API auditing skills

## MANDATORY: Progressive Context File Updates

āš ļø **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**

### Critical Rule: Write As You Go

**DO NOT** batch all writes at the end. Instead:

1. **Before starting any action** ā†’ Log the action to `.sb-pentest-audit.log`
2. **After each discovery** ā†’ Immediately update `.sb-pentest-context.json`
3. **After each significant step** ā†’ Log completion to `.sb-pentest-audit.log`

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

### Required Actions (Progressive)

1. **Update `.sb-pentest-context.json`** with extracted data:
   ```json
   {
     "supabase": {
       "project_url": "https://[ref].supabase.co",
       "project_ref": "[ref]",
       "endpoints": { ... }
     }
   }
   ```

2. **Log to `.sb-pentest-audit.log`**:
   ```
   [TIMESTAMP] [supabase-extract-url] [START] Beginning URL extraction
   [TIMESTAMP] [supabase-extract-url] [SUCCESS] URL extracted: https://[ref].supabase.co
   [TIMESTAMP] [supabase-extract-url] [CONTEXT_UPDATED] .sb-pentest-context.json updated
   ```

3. **If files don't exist**, create them before writing.

**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**

## MANDATORY: Evidence Collection

šŸ“ **Evidence Directory:** `.sb-pentest-evidence/02-extraction/`

### Evidence Files to Create

| File | Content |
|------|---------|
| `extracted-url.json` | URL extraction details with source locations |

### Evidence Format

```json
{
  "evidence_id": "EXT-URL-001",
  "timestamp": "2025-01-31T10:05:00Z",
  "category": "extraction",
  "type": "url_extraction",

  "extracted_data": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1"
  },

  "sources": [
    {
      "file": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    }
  ],

  "endpoints_discovered": {
    "rest": "https://abc123def.supabase.co/rest/v1/",
    "auth": "https://abc123def.supabase.co/auth/v1/",
    "storage": "https://abc123def.supabase.co/storage/v1/",
    "realtime": "wss://abc123def.supabase.co/realtime/v1/"
  }
}
```

## Related Skills

- `supabase-detect` ā€” Detect Supabase usage first
- `supabase-extract-anon-key` ā€” Extract the anon key
- `supabase-extract-service-key` ā€” Check for service key leaks

Overview

This skill extracts the Supabase project URL from client-side JavaScript, environment variables, HTML, and configuration files. It discovers project references, infers endpoints, validates reachability, and records findings for follow-up auditing. The skill persistently logs progress and saves context and evidence as discoveries occur.

How this skill works

The skill scans served pages and provided local source directories for URL patterns, environment variable names, meta tags, and createClient calls. When it finds candidate URLs it validates format, attempts a reachable REST/auth check, and infers common Supabase endpoints. Each discovery is immediately recorded to context and audit logs and an evidence file is created for later review.

When to use it

  • After detecting or suspecting Supabase usage in a web app
  • Before running API or key extraction skills to obtain the project base URL
  • When you need to identify the Supabase project reference and region
  • When preparing a targeted RLS, storage, or auth audit

Best practices

  • Run a shallow scan first, then a deep scan to catch dynamically loaded chunks
  • Log progress and save context progressively to avoid data loss on interruption
  • Validate discovered URLs via the REST/auth endpoints to reduce false positives
  • Prioritize the most-referenced URL when multiple projects are found and record alternatives
  • Record exact source locations (file, line, snippet) for reproducible evidence

Example use cases

  • Extract the Supabase URL from a deployed single-page application to begin API testing
  • Scan a downloaded build directory (./dist, ./build) to locate embedded SUPABASE_URL constants
  • Detect and record multiple Supabase URLs when analytics or third-party scripts reference different projects
  • Infer REST, Auth, Storage, Realtime, and Functions endpoints for follow-up validation and exploitation testing

FAQ

What formats of Supabase URLs are recognized?

Standard project refs (https://<ref>.supabase.co), regional variants (https://<ref>.<region>.supabase.co), and custom domains mapped to Supabase are recognized and handled.

Does finding the URL give access to the project?

No. The URL identifies the project endpoints but does not include keys. Further key extraction steps are required to interact with protected APIs.