Supabase URL Extraction
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to .sb-pentest-context.json IMMEDIATELY after each discovery
- Log to .sb-pentest-audit.log BEFORE and AFTER each action
- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill extracts the Supabase project URL from a web application's client-side code.
When to Use This Skill
- After detecting Supabase usage, to get the exact project URL
- When you need the API base URL for further testing
- To identify which Supabase project an application uses
Prerequisites
- Target URL accessible
- Supabase usage detected (or suspected)
How It Works
The skill scans for URL patterns in:
- JavaScript Source Code

    // Direct URL references
    const SUPABASE_URL = 'https://abc123.supabase.co'
    createClient('https://abc123.supabase.co', key)

    // Environment variable patterns
    process.env.SUPABASE_URL
    process.env.NEXT_PUBLIC_SUPABASE_URL
    import.meta.env.VITE_SUPABASE_URL

- HTML Meta Tags and Scripts

    <meta name="supabase-url" content="https://abc123.supabase.co">
    <script>
      window.SUPABASE_URL = 'https://abc123.supabase.co'
    </script>

- Configuration Objects

    const config = {
      supabase: {
        url: 'https://abc123.supabase.co'
      }
    }
URL Pattern Matching
Recognized patterns:
| Pattern | Example |
|---|---|
| Standard | https://abc123.supabase.co |
| With region | https://abc123.eu-central-1.supabase.co |
| Custom domain | Detected via API endpoint patterns |
Usage
Basic Extraction
Extract Supabase URL from https://myapp.example.com
From Local Files
If you have downloaded the source:
Extract Supabase URL from ./dist/assets/
Output Format
    ═══════════════════════════════════════════════════════════
     SUPABASE URL EXTRACTED
    ═══════════════════════════════════════════════════════════

     Project URL: https://abc123def.supabase.co
     Project Ref: abc123def
     Region: us-east-1 (inferred)

     Found in:
     ├── /static/js/main.abc123.js (line 1247)
     │   └── const SUPABASE_URL = 'https://abc123def.supabase.co'
     │
     └── /static/js/chunk.def456.js (line 89)
         └── createClient('https://abc123def.supabase.co', ...)

     API Endpoints:
     ├── REST API: https://abc123def.supabase.co/rest/v1/
     ├── Auth API: https://abc123def.supabase.co/auth/v1/
     ├── Storage: https://abc123def.supabase.co/storage/v1/
     └── Realtime: wss://abc123def.supabase.co/realtime/v1/

     Context updated: .sb-pentest-context.json
    ═══════════════════════════════════════════════════════════
Context Output
Saved to .sb-pentest-context.json:

    {
      "supabase": {
        "project_url": "https://abc123def.supabase.co",
        "project_ref": "abc123def",
        "region": "us-east-1",
        "endpoints": {
          "rest": "https://abc123def.supabase.co/rest/v1/",
          "auth": "https://abc123def.supabase.co/auth/v1/",
          "storage": "https://abc123def.supabase.co/storage/v1/",
          "realtime": "wss://abc123def.supabase.co/realtime/v1/",
          "functions": "https://abc123def.supabase.co/functions/v1/"
        },
        "sources": [
          {
            "file": "/static/js/main.abc123.js",
            "line": 1247,
            "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
          }
        ]
      }
    }
Multiple URLs
If multiple Supabase URLs are found:
    ═══════════════════════════════════════════════════════════
     MULTIPLE SUPABASE URLS FOUND
    ═══════════════════════════════════════════════════════════

     ⚠️ Multiple Supabase projects detected

     - https://abc123.supabase.co (primary - most references)
       └── Found in: main.js, config.js

     - https://xyz789.supabase.co (secondary)
       └── Found in: analytics.js

     Using primary URL for further analysis.
     To use a different URL, specify it manually.
    ═══════════════════════════════════════════════════════════
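The pattern matching and primary/secondary ranking described above can be reproduced against your own build output. The following is an added example, not the skill's own code: the regex, the function names, the `references` and `role` fields, and the sample bundle contents are assumptions made for illustration, and custom domains are not handled.

```python
import re
from collections import Counter

# Standard and region-qualified hosts only; the ref alphabet is an assumption.
# The lookahead rejects lookalikes such as abc123.supabase.co.lookalike.example.
SUPABASE_URL_RE = re.compile(
    r"https://([a-z0-9]+)(?:\.([a-z]{2}-[a-z]+-\d))?\.supabase\.co(?![A-Za-z0-9.-])")

def endpoints(url):
    """Per-service base URLs, as listed in the context output."""
    out = {s: f"{url}/{s}/v1/" for s in ("rest", "auth", "storage", "functions")}
    out["realtime"] = "wss://" + url[len("https://"):] + "/realtime/v1/"
    return out

def scan_sources(sources):
    """sources maps path -> file text. Returns projects, most referenced first."""
    counts, found = Counter(), {}
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in SUPABASE_URL_RE.finditer(line):
                url = m.group(0)
                counts[url] += 1
                entry = found.setdefault(url, {
                    "project_url": url, "project_ref": m.group(1),
                    "region": m.group(2),  # None when the host has no region label
                    "endpoints": endpoints(url), "sources": []})
                entry["sources"].append(
                    {"file": path, "line": lineno, "context": line.strip()})
    ranked = []
    for rank, (url, n) in enumerate(counts.most_common()):
        role = "primary" if rank == 0 else "secondary"
        ranked.append({**found[url], "references": n, "role": role})
    return ranked

# Constructed sample bundle contents, not taken from a real application.
SAMPLE = {
    "main.js": "const SUPABASE_URL = 'https://abc123.supabase.co'\n"
               "createClient('https://abc123.supabase.co', key)\n",
    "config.js": "const config = { supabase: { url: 'https://abc123.supabase.co' } }\n",
    "analytics.js": "createClient('https://xyz789.eu-central-1.supabase.co', k)\n"
                    "fetch('https://abc123.supabase.co.lookalike.example/x')\n",
}

if __name__ == "__main__":
    for p in scan_sources(SAMPLE):
        print(p["role"], p["project_url"], p["references"], p["sources"][0]["file"])
```

Anchoring the match at the end of the host matters: without the lookahead, a URL on an unrelated domain that merely starts with a Supabase-looking prefix would be recorded as a project.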
Validation
The skill validates extracted URLs by:
- Format check — Matches expected Supabase URL patterns
- Reachability check — Attempts to reach the REST API endpoint
- Response validation — Confirms Supabase-like response

    Validation:
    ├── Format: ✅ Valid Supabase URL format
    ├── Reachable: ✅ REST API responds (200 OK)
    └── Confirmed: ✅ Response matches Supabase pattern
Common Issues
❌ Problem: URL not found despite Supabase detection
✅ Solution: The URL may be in a dynamically loaded chunk. Try:

    Extract URL with deep scan from https://myapp.example.com

❌ Problem: URL found but validation fails
✅ Solution: The project may be paused or the region may have connectivity issues. The URL is still recorded.

❌ Problem: Only custom domain found
✅ Solution: Custom domains are valid. The skill will note it as a custom domain and attempt to identify the underlying project.
Security Notes
- This skill only reads publicly available code
- No authentication is attempted
- The URL alone does not grant access (key is also required)
Next Steps
After extracting the URL:
- Run supabase-extract-anon-key to find the API key
- Run supabase-extract-service-key to check for leaked service keys
- Proceed to API auditing skills
MANDATORY: Progressive Context File Updates
⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
Critical Rule: Write As You Go
DO NOT batch all writes at the end. Instead:
- Before starting any action → Log the action to .sb-pentest-audit.log
- After each discovery → Immediately update .sb-pentest-context.json
- After each significant step → Log completion to .sb-pentest-audit.log
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Required Actions (Progressive)
Update .sb-pentest-context.json with extracted data:

    {
      "supabase": {
        "project_url": "https://[ref].supabase.co",
        "project_ref": "[ref]",
        "endpoints": { ... }
      }
    }

Log to .sb-pentest-audit.log:

    [TIMESTAMP] [supabase-extract-url] [START] Beginning URL extraction
    [TIMESTAMP] [supabase-extract-url] [SUCCESS] URL extracted: https://[ref].supabase.co
    [TIMESTAMP] [supabase-extract-url] [CONTEXT_UPDATED] .sb-pentest-context.json updated

If files don't exist, create them before writing.
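One way to satisfy the write-as-you-go rule so that an interruption never leaves a truncated context file, shown as an added example rather than the skill's own implementation. The function names, the UTC timestamp format, and the temp-file-then-rename approach are assumptions; the file names and log line layout follow the page.

```python
import json, os, tempfile
from datetime import datetime, timezone

CONTEXT_FILE = ".sb-pentest-context.json"
AUDIT_LOG = ".sb-pentest-audit.log"
SKILL = "supabase-extract-url"

def audit(status, message, log_path=AUDIT_LOG):
    """Append one [TIMESTAMP] [skill] [STATUS] line and force it to disk."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")  # assumed format
    line = f"[{ts}] [{SKILL}] [{status}] {message}\n"
    with open(log_path, "a", encoding="utf-8") as fh:  # "a" creates the file if missing
        fh.write(line)
        fh.flush()
        os.fsync(fh.fileno())
    return line

def merge(base, update):
    """Recursively merge update into base so earlier findings are kept."""
    for key, value in update.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            merge(base[key], value)
        else:
            base[key] = value
    return base

def record_discovery(update, context_path=CONTEXT_FILE, log_path=AUDIT_LOG):
    """Merge one finding into the context file atomically, then log it."""
    try:
        with open(context_path, encoding="utf-8") as fh:
            context = json.load(fh)
    except FileNotFoundError:
        context = {}  # first write creates the file
    merge(context, update)
    directory = os.path.dirname(os.path.abspath(context_path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(context, fh, indent=2)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, context_path)  # a crash leaves the old or the new file, never half
    audit("CONTEXT_UPDATED", f"{os.path.basename(context_path)} updated", log_path)
    return context
```

Call `audit("START", ...)` before the scan begins and `record_discovery(...)` once per finding, so the log and context always reflect the last completed step.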
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
MANDATORY: Evidence Collection
📁 Evidence Directory: .sb-pentest-evidence/02-extraction/
Evidence Files to Create
| File | Content |
|---|---|
| extracted-url.json | URL extraction details with source locations |
Evidence Format

    {
      "evidence_id": "EXT-URL-001",
      "timestamp": "2025-01-31T10:05:00Z",
      "category": "extraction",
      "type": "url_extraction",

      "extracted_data": {
        "project_url": "https://abc123def.supabase.co",
        "project_ref": "abc123def",
        "region": "us-east-1"
      },

      "sources": [
        {
          "file": "/static/js/main.js",
          "line": 1247,
          "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
        }
      ],

      "endpoints_discovered": {
        "rest": "https://abc123def.supabase.co/rest/v1/",
        "auth": "https://abc123def.supabase.co/auth/v1/",
        "storage": "https://abc123def.supabase.co/storage/v1/",
        "realtime": "wss://abc123def.supabase.co/realtime/v1/"
      }
    }

Related Skills
- supabase-detect — Detect Supabase usage first
- supabase-extract-anon-key — Extract the anon key
- supabase-extract-service-key — Check for service key leaks