supascan 4.0.3 → 4.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +101 -54
  2. package/package.json +1 -1
  3. package/supascan.js +48 -48
package/README.md CHANGED
@@ -1,96 +1,143 @@
1
1
  # supascan
2
2
 
3
- [![.github/workflows/tests.yml](https://github.com/abhishekg999/supascan/actions/workflows/tests.yml/badge.svg)](https://github.com/abhishekg999/supascan/actions/workflows/tests.yml) [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/abhishekg999/supascan/master/LICENCE)
3
+ [Tests](https://github.com/abhishekg999/supascan/actions/workflows/tests.yml) [License](https://raw.githubusercontent.com/abhishekg999/supascan/master/LICENCE) [npm](https://www.npmjs.com/package/supascan)
4
4
 
5
- **supascan** is an automated security scanner for Supabase databases. It detects exposed data, analyzes Row Level Security (RLS) policies, tests RPC functions, and generates comprehensive security reports.
5
+ Security scanner for Supabase. Point it at any site using Supabase and it extracts credentials, discovers schemas, tests RLS policies, and dumps exposed data.
6
6
 
7
- ## Features
7
+ ## Install
8
8
 
9
- - Automated schema and table discovery
10
- - RLS policy effectiveness testing
11
- - Exposed data detection with row count estimation
12
- - RPC function parameter analysis and testing
13
- - JWT token decoding and validation
14
- - Multiple output formats (Console, JSON, HTML)
15
- - Interactive HTML reports with live query interface
16
- - Credential extraction from JavaScript files (experimental)
9
+ ```bash
10
+ bun install -g supascan
11
+ ```
17
12
 
18
- ## Installation
13
+ or
14
+
15
+ ```bash
16
+ npm install -g supascan
17
+ ```
19
18
 
20
- **Note:**
19
+ ## Usage
21
20
 
22
- - Primarily tested with [Bun](https://bun.sh) runtime (Node.js support is experimental)
21
+ ### Auto-detect from any URL
23
22
 
24
- **Bun:**
23
+ Point supascan at a site and it automatically extracts Supabase credentials from HTML/JS:
25
24
 
26
25
  ```bash
27
- bun install -g supascan
26
+ supascan -x https://example.com --html
28
27
  ```
29
28
 
30
- **NPM:**
29
+ This fetches the page, parses inline scripts and external JS bundles, tries to extract the Supabase URL and anon key, runs a full security scan, and opens an interactive HTML report.
30
+
31
+ ### Manual credentials
31
32
 
32
33
  ```bash
33
- npm install -g supascan
34
+ supascan --url https://xyz.supabase.co --key eyJhbG... --html
34
35
  ```
35
36
 
36
- **From source:**
37
+ ### Console output
38
+
39
+ Skip `--html` for terminal output:
37
40
 
38
41
  ```bash
39
- git clone https://github.com/abhishekg999/supascan.git
40
- cd supascan
41
- bun install
42
- bun run build
42
+ supascan --extract https://example.com
43
43
  ```
44
44
 
45
- ## Usage
45
+ ```
46
+ ============================================================
47
+ SUPABASE DATABASE ANALYSIS
48
+ ============================================================
49
+
50
+ TARGET SUMMARY
51
+ --------------------
52
+ Domain: xyz.supabase.co
53
+ Project ID: xyz
54
+
55
+ JWT TOKEN INFO
56
+ --------------------
57
+ Issuer: https://xyz.supabase.co/auth/v1
58
+ Role: anon
59
+ Expires: 2030-01-01T00:00:00.000Z
60
+
61
+ DATABASE ANALYSIS
62
+ --------------------
63
+ Schemas discovered: 2
64
+
65
+ Schema: public
66
+
67
+ Tables: 8
68
+ 3 exposed | 2 empty/protected | 3 denied
69
+
70
+ [+] users (~1420 rows exposed)
71
+ [+] posts (~892 rows exposed)
72
+ [+] comments (~3201 rows exposed)
73
+ [-] sessions (0 rows - empty or RLS)
74
+ [-] audit_logs (0 rows - empty or RLS)
75
+ [X] admin_users (access denied)
76
+ [X] secrets (access denied)
77
+ [X] internal_config (access denied)
78
+
79
+ RPCs: 2
80
+ * get_public_stats
81
+ No parameters
82
+ * search_users
83
+ - query: string (required)
84
+ - limit: integer (optional)
85
+ ```
46
86
 
47
- To get basic options and usage:
87
+ ### Dump exposed data
48
88
 
49
89
  ```bash
50
- supascan --help
90
+ supascan --extract https://example.com --dump public.users --limit 100
51
91
  ```
52
92
 
53
- ### Quick Start
93
+ ### Call RPC functions
54
94
 
55
95
  ```bash
56
- # Basic security scan
57
- supascan --url https://your-project.supabase.co --key your-anon-key
96
+ supascan --extract https://example.com --rpc public.search_users --args '{"query": "admin"}'
97
+ ```
58
98
 
59
- # Generate HTML report
60
- supascan --url https://your-project.supabase.co --key your-anon-key --html
99
+ Environment variables in args:
61
100
 
62
- # Analyze specific schema
63
- supascan --url https://your-project.supabase.co --key your-anon-key --schema public
101
+ ```bash
102
+ supascan --url $URL --key $KEY --rpc public.lookup --args '{"id": "$USER_ID"}'
103
+ ```
64
104
 
65
- # Dump table data
66
- supascan --url https://your-project.supabase.co --key your-anon-key --dump public.users --limit 100
105
+ ### JSON output
67
106
 
68
- # Test RPC function
69
- supascan --url https://your-project.supabase.co --key your-anon-key --rpc public.my_function --args '{"param": "value"}'
107
+ ```bash
108
+ supascan --extract https://example.com --json > report.json
70
109
  ```
71
110
 
72
- ## Development
111
+ ## HTML Report
73
112
 
74
- ```bash
75
- # Install dependencies
76
- bun install
113
+ The `--html` flag generates an interactive report with:
77
114
 
78
- # Run locally
79
- bun run start
115
+ - Schema browser
116
+ - Table explorer with pagination
117
+ - RPC tester with parameter forms
118
+ - Live query interface against the target
80
119
 
81
- # Run tests
82
- bun test
120
+ ## Options
83
121
 
84
- # Build
85
- bun run build
122
+ ```
123
+ -V, --version output the version number
124
+ -u, --url <url> Supabase URL
125
+ -k, --key <key> Supabase anon key
126
+ -s, --schema <schema> Schema to analyze (default: all schemas)
127
+ -x, --extract <url> Extract credentials from JS file URL (experimental)
128
+ --dump <schema.table|schema> Dump data from specific table or swagger JSON from schema
129
+ --limit <number> Limit rows for dump or RPC results (default: "10")
130
+ --rpc <schema.rpc_name> Call an RPC function (read-only operations only)
131
+ --args <json> JSON arguments for RPC call (use $VAR for environment variables)
132
+ -H, --header <header> Add custom HTTP header (can be used multiple times)
133
+ --json Output as JSON
134
+ --html Generate HTML report
135
+ -d, --debug Enable debug mode
136
+ --explain Show query execution plan
137
+ --suppress-experimental-warnings Suppress experimental warnings
138
+ -h, --help display help for command
86
139
  ```
87
140
 
88
141
  ## License
89
142
 
90
- supascan is distributed under the [MIT License](LICENCE).
91
-
92
- ## Links
93
-
94
- - **Homepage**: https://github.com/abhishekg999/supascan
95
- - **Issues**: https://github.com/abhishekg999/supascan/issues
96
- - **NPM**: https://www.npmjs.com/package/supascan
143
+ MIT
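Review bot: the `-x, --extract <url>` entry in the Options block still reads "Extract credentials from JS file URL (experimental)", but the new Usage text says `supascan -x https://example.com` takes a site URL and "parses inline scripts and external JS bundles"; one of the two is stale, so update the option description (for example "Extract credentials from a page or JS file URL (experimental)") or the prose so they agree. Two caveats were dropped without replacement: the old note "Primarily tested with Bun runtime (Node.js support is experimental)" is gone while `npm install -g supascan` is still offered as an install path, so either restore the caveat or state that Node.js is now supported; and the "From source" and Development sections (`bun install`, `bun test`, `bun run build`) disappeared together with the Issues link, leaving no contributor instructions. Under "Environment variables in args", say explicitly that supascan performs the `$VAR` substitution itself (as the `--args` help text implies), since a reader may otherwise expect the shell to expand `$USER_ID`, and the single quotes in the example prevent exactly that. The `--dump <schema.table|schema>` help mentions a schema-only form that returns "swagger JSON from schema", but Usage only shows the `schema.table` form; add a one-line example or drop the mention. Given the new tagline "Point it at any site using Supabase and it ... dumps exposed data", a one-line authorized-use statement next to Usage would also be appropriate, matching the "read-only operations only" restriction already stated for `--rpc`.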
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "supascan",
3
- "version": "4.0.3",
3
+ "version": "4.0.5",
4
4
  "description": "Automated security scanner for Supabase databases - detect exposed data, analyze RLS policies, and test RPC functions",
5
5
  "license": "MIT",
6
6
  "author": "Abhishek Govindarasu",
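Review bot: the `description` field is left at "Automated security scanner for Supabase databases - detect exposed data, analyze RLS policies, and test RPC functions" while the README tagline in the same release now leads with credential extraction from any site; the npm listing text and the README should describe the same feature set, so either update `description` or keep the README tagline aligned with it. The bump to 4.0.5 also ships 48 changed lines in package/supascan.js (per the file list above) and the README carries no changelog or release note, so nothing on the package page tells a user what changed in behaviour between 4.0.3 and 4.0.5; a short CHANGELOG entry or release notes would close that gap.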