supabase-extract-url

Original🇺🇸 English
Translated

Extract the Supabase project URL from client-side JavaScript code, environment variables, and configuration files.

6installs
Sourceyoanbernabeu/supabase-pentest-skills
Added on

NPX Install

npx skill4agent add yoanbernabeu/supabase-pentest-skills supabase-extract-url

Tags

Translated version includes tags in frontmatter
supabase-url-extractionclient-side-jsenvironment-variablesconfiguration-filesapi-auditing

SKILL.md Content

View Translation Comparison →

Supabase URL Extraction

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
  • Write to 
    .sb-pentest-context.json
    IMMEDIATELY after each discovery
  • Log to 
    .sb-pentest-audit.log
    BEFORE and AFTER each action
  • DO NOT wait until the skill completes to update files
  • If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill extracts the Supabase project URL from a web application's client-side code.

When to Use This Skill

  • After detecting Supabase usage, to get the exact project URL
  • When you need the API base URL for further testing
  • To identify which Supabase project an application uses

Prerequisites

  • Target URL accessible
  • Supabase usage detected (or suspected)

How It Works

The skill scans for URL patterns in:

1. JavaScript Source Code

javascript
// Direct URL references
const SUPABASE_URL = 'https://abc123.supabase.co'
createClient('https://abc123.supabase.co', key)

// Environment variable patterns
process.env.SUPABASE_URL
process.env.NEXT_PUBLIC_SUPABASE_URL
import.meta.env.VITE_SUPABASE_URL

2. HTML Meta Tags and Scripts

html
<meta name="supabase-url" content="https://abc123.supabase.co">
<script>
  window.SUPABASE_URL = 'https://abc123.supabase.co'
</script>

3. Configuration Objects

javascript
const config = {
  supabase: {
    url: 'https://abc123.supabase.co'
  }
}

URL Pattern Matching

Recognized patterns:
PatternExample
Standard
https://abc123.supabase.co
With region
https://abc123.eu-central-1.supabase.co
Custom domainDetected via API endpoint patterns

Usage

Basic Extraction

Extract Supabase URL from https://myapp.example.com

From Local Files

If you have downloaded the source:
Extract Supabase URL from ./dist/assets/

Output Format

═══════════════════════════════════════════════════════════
 SUPABASE URL EXTRACTED
═══════════════════════════════════════════════════════════

 Project URL: https://abc123def.supabase.co
 Project Ref: abc123def
 Region: us-east-1 (inferred)

 Found in:
 ├── /static/js/main.abc123.js (line 1247)
 │   └── const SUPABASE_URL = 'https://abc123def.supabase.co'
 └── /static/js/chunk.def456.js (line 89)
     └── createClient('https://abc123def.supabase.co', ...)

 API Endpoints:
 ├── REST API: https://abc123def.supabase.co/rest/v1/
 ├── Auth API: https://abc123def.supabase.co/auth/v1/
 ├── Storage: https://abc123def.supabase.co/storage/v1/
 └── Realtime: wss://abc123def.supabase.co/realtime/v1/

 Context updated: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Context Output

Saved to 
.sb-pentest-context.json
:
json
{
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1",
    "endpoints": {
      "rest": "https://abc123def.supabase.co/rest/v1/",
      "auth": "https://abc123def.supabase.co/auth/v1/",
      "storage": "https://abc123def.supabase.co/storage/v1/",
      "realtime": "wss://abc123def.supabase.co/realtime/v1/",
      "functions": "https://abc123def.supabase.co/functions/v1/"
    },
    "sources": [
      {
        "file": "/static/js/main.abc123.js",
        "line": 1247,
        "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
      }
    ]
  }
}

Multiple URLs

If multiple Supabase URLs are found:
═══════════════════════════════════════════════════════════
 MULTIPLE SUPABASE URLS FOUND
═══════════════════════════════════════════════════════════

 ⚠️  Multiple Supabase projects detected

 1. https://abc123.supabase.co (primary - most references)
    └── Found in: main.js, config.js

 2. https://xyz789.supabase.co (secondary)
    └── Found in: analytics.js

 Using primary URL for further analysis.
 To use a different URL, specify it manually.
═══════════════════════════════════════════════════════════

Validation

The skill validates extracted URLs by:
  1. Format check — Matches expected Supabase URL patterns
  2. Reachability check — Attempts to reach the REST API endpoint
  3. Response validation — Confirms Supabase-like response
Validation:
├── Format: ✅ Valid Supabase URL format
├── Reachable: ✅ REST API responds (200 OK)
└── Confirmed: ✅ Response matches Supabase pattern

Common Issues

Problem: URL not found despite Supabase detection ✅ Solution: The URL may be in a dynamically loaded chunk. Try:
Extract URL with deep scan from https://myapp.example.com
Problem: URL found but validation fails ✅ Solution: The project may be paused or the region may have connectivity issues. The URL is still recorded.
Problem: Only custom domain found ✅ Solution: Custom domains are valid. The skill will note it as a custom domain and attempt to identify the underlying project.

Security Notes

  • This skill only reads publicly available code
  • No authentication is attempted
  • The URL alone does not grant access (key is also required)

Next Steps

After extracting the URL:
  1. Run 
    supabase-extract-anon-key
    to find the API key
  2. Run 
    supabase-extract-service-key
    to check for leaked service keys
  3. Proceed to API auditing skills

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:
  1. Before starting any action → Log the action to 
    .sb-pentest-audit.log
  2. After each discovery → Immediately update 
    .sb-pentest-context.json
  3. After each significant step → Log completion to 
    .sb-pentest-audit.log
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

  1. Update 
    .sb-pentest-context.json
     with extracted data:
    json
    {
  "supabase": {
    "project_url": "https://[ref].supabase.co",
    "project_ref": "[ref]",
    "endpoints": { ... }
  }
}
  2. Log to 
    .sb-pentest-audit.log
    :
    [TIMESTAMP] [supabase-extract-url] [START] Beginning URL extraction
[TIMESTAMP] [supabase-extract-url] [SUCCESS] URL extracted: https://[ref].supabase.co
[TIMESTAMP] [supabase-extract-url] [CONTEXT_UPDATED] .sb-pentest-context.json updated
  3. If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory: 
.sb-pentest-evidence/02-extraction/

Evidence Files to Create

FileContent
extracted-url.json
URL extraction details with source locations

Evidence Format

json
{
  "evidence_id": "EXT-URL-001",
  "timestamp": "2025-01-31T10:05:00Z",
  "category": "extraction",
  "type": "url_extraction",

  "extracted_data": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1"
  },

  "sources": [
    {
      "file": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    }
  ],

  "endpoints_discovered": {
    "rest": "https://abc123def.supabase.co/rest/v1/",
    "auth": "https://abc123def.supabase.co/auth/v1/",
    "storage": "https://abc123def.supabase.co/storage/v1/",
    "realtime": "wss://abc123def.supabase.co/realtime/v1/"
  }
}

Related Skills

  • supabase-detect
    — Detect Supabase usage first
  • supabase-extract-anon-key
    — Extract the anon key
  • supabase-extract-service-key
    — Check for service key leaks