
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://youtu.be/NI-eXMlXma4
  • Blog Title: Building Hacker Communities: Bug Bounty Village, getDisclosed’s Supabase Misconfig, and the LHE Squad (Ep. 133)
  • Suggested Section: Pentesting CI/CD > Supabase Security (add subsections: 'Auth: Server-side signup enforcement', 'RLS and Views: Write bypass via PostgREST', 'OpenAPI-driven CRUD probing from anon/auth roles')

🎯 Content Summary

Context: This episode/video features Harley Kimball and Ariel Garcia discussing realistic bug‑bounty training environments (Bug Bounty Village at DEF CON) and a concrete Supabase misconfiguration incident in the getDisclosed project, plus related tooling and large‑scale target hunting. (Source: criticalthinkingpodcast.io episode linked from the video)

Stack and data flow (getDisclosed):
• Automations: n8n workflows populate a Supabase Postgres database.
• Frontend:...

🔧 Technical Details

Abusing server‑side Auth when UI blocks signup: If a frontend hides the signup path but the backend (e.g., Supabase Auth) still permits /auth/v1/signup, attackers can directly create accounts via API using the public anon key. Always disable signup server‑side if you intend invite‑only flows.

Bypassing intended RLS via exposed Postgres views: Exposing a view to hide sensitive columns can change privilege evaluation. If the view’s exposure effectively runs with elevated owner/admin context, API clients may perform writes that RLS should block. Treat each exposed view as a first‑class surface: verify anon/auth roles cannot write unless explicitly intended.

Salesforce Aura reconnaissance at scale: Programmatically enumerate Aura endpoints, list custom objects, query records, and fetch attachments across large scopes (e.g., Chaos datasets). This yields repeatable data‑exposure bugs when access controls are misconfigured.

CSP/HTML sa...

🤖 Agent Actions

I explored the repository and found an existing, relevant page: src/pentesting-ci-cd/supabase-security.md. It already covered basic Supabase API usage and default signup behavior but was missing the key hardening and testing guidance described in the blog/video.

What I changed

  • Updated src/pentesting-ci-cd/supabase-security.md to add three technical subsections:

    • Auth: Server-side signup enforcement
      • Clarifies that hiding signup in the frontend is insufficient and shows a direct API curl to test if signups are still enabled on the backend.
      • Adds defensive steps to disable signups in Supabase Auth (dashboard/goTrue) and verify the API refuses signups.
    • RLS and Views: Write bypass via PostgREST
      • Explains why exposing updatable views may bypass intended RLS if run under view-owner privileges.
      • Provides practical hardening: deny DML on views for untrusted roles, set security_invoker=on, FORCE ROW LEVEL SECURITY on base tables, and use WITH CHECK OPTION if allowing writes via views.
      • Includes an illustrative PostgREST PATCH example showing how an attacker could mass-edit profile fields through a misconfigured view.
    • OpenAPI-driven CRUD probing from anon/auth roles
      • Shows how to fetch the PostgREST OpenAPI document with anon key and systematically probe read/write/insert/delete on each exposed table/view.
      • Provides example curl commands for read, update, insert, and delete probes.
      • Recommends integrating these probes into CI to catch misconfiguration regressions.
  • Added a References section at the end with:

    • YouTube episode link
    • Critical Thinking Podcast episode page
    • Supabase RLS docs
    • PostgreSQL RLS and CREATE VIEW docs (security_invoker/check option)
    • PostgREST OpenAPI docs

Why here and not elsewhere

  • The Supabase misconfiguration content directly belongs under Pentesting CI/CD > Supabase Security. The page already existed; I enhanced it with the auth/rls/views/OpenAPI probing content from the blog.
  • The other mentions (Salesforce Aura hunting, GMSGadget, Grafana SSRF) were either high-level or out of scope for this section and no detailed, existing pages matched in this repo snapshot. I did not create new pages due to lack of step-by-step technical content and to avoid misplacing content.

Files read (to align style and placement)

  • src/pentesting-ci-cd/supabase-security.md
  • src/pentesting-ci-cd/github-security/README.md
  • src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
  • src/pentesting-ci-cd/jenkins-security/README.md
  • src/pentesting-ci-cd/concourse-security/README.md

Changes implemented

  • Modified: src/pentesting-ci-cd/supabase-security.md (added detailed technical sections with code and a new References section)

If you want me to also add a dedicated Salesforce Aura reconnaissance page or CSP gadget chain references in HackTricks, I can research and draft a highly technical update, but the podcast did not provide deep technical steps, so I kept this PR focused and accurate.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
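The three subsections this PR adds (server-side signup check, view write bypass, OpenAPI-driven CRUD probing) are easier to reason about with one runnable probe than with isolated curl lines. The script below is an added example written for this page; it is not code from the HackTricks page, the podcast, or the getDisclosed project. It assumes the standard Supabase layout (GoTrue at `/auth/v1`, PostgREST at `/rest/v1` with its OpenAPI document served at `/rest/v1/`), a placeholder project URL and anon key, and that a closed GoTrue instance answers signup with 422 and the message "Signups not allowed for this instance" (assumed wording). The fake transport at the bottom is a constructed stand-in for a misconfigured project so the logic runs offline; `http_transport` is what you would pass against a real target you are authorized to test. Two side effects to keep in mind: a successful signup probe creates a real account, and the INSERT probe can create a junk row on a writable table.

```python
"""Anon-role probe for a Supabase project: is backend signup still open, and what can the anon
key read/update/insert/delete on each table or view in PostgREST's OpenAPI document?
Added example, not code from the HackTricks page or the getDisclosed project. Assumes GoTrue at
/auth/v1, PostgREST at /rest/v1 (OpenAPI at /rest/v1/), anon key sent as `apikey` + bearer token.
transport(method, url, headers, body=None) -> (status, decoded body) is injected so the probe
logic also runs offline against the constructed fake at the bottom of this file."""
import json
import urllib.error
import urllib.parse
import urllib.request

def http_transport(method, url, headers, body=None):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            status, raw = r.status, r.read()
    except urllib.error.HTTPError as e:
        status, raw = e.code, e.read()
    try:
        return status, json.loads(raw) if raw else None
    except ValueError:
        return status, raw.decode(errors="replace")

def anon_headers(anon_key):
    return {"apikey": anon_key, "Authorization": f"Bearer {anon_key}", "Content-Type": "application/json"}

def classify(status, resp):
    """Did the request pass privilege checks? SQLSTATE 42501 covers a missing GRANT and a failed RLS
    WITH CHECK alike; a data error (23502 not-null, 22P02 bad cast) means privileges passed."""
    code = resp.get("code") if isinstance(resp, dict) else None
    if status in (401, 403) or code == "42501":
        return "denied"
    if status == 404:
        return "absent"
    return "allowed" if 200 <= status < 300 else "reachable"

def check_signup(base, anon_key, transport, email="probe@example.invalid"):
    """True when GoTrue still creates accounts whatever the UI hides. A 200 with a user object means an
    account now exists (use a mailbox you own); a closed instance answers 422 (assumed message text)."""
    body = json.dumps({"email": email, "password": "Probe-Only-9f3c!"}).encode()
    status, resp = transport("POST", f"{base}/auth/v1/signup", anon_headers(anon_key), body)
    return status == 200 and isinstance(resp, dict) and ("id" in resp or "user" in resp)

def list_resources(openapi):
    """Tables and views from the OpenAPI paths; '/' is the document itself, /rpc/* are functions."""
    return sorted(p.strip("/") for p in openapi.get("paths", {}) if p != "/" and not p.startswith("/rpc/"))

def probe_resource(base, anon_key, name, transport):
    h, url = anon_headers(anon_key), f"{base}/rest/v1/{name}"
    status, rows = transport("GET", f"{url}?select=*&limit=1", h)
    out = {"read": classify(status, rows), "rows_visible": len(rows) if isinstance(rows, list) else 0}
    # A plain scalar column of the visible row gives type-safe filters (values are URL-quoted;
    # PostgREST reserved characters such as ',' or '.' inside a value would also need double quotes).
    key = next(((c, v) for c, v in (rows[0].items() if out["rows_visible"] else [])
                if isinstance(v, (int, str)) and not isinstance(v, bool)), None)
    if key:
        col, val = key
        lit = urllib.parse.quote(str(val), safe="")
        # UPDATE: rewrite the visible row to its current value and ask for the rows back. RLS filters
        # UPDATE silently (0 rows still gives 204), so only a non-empty representation proves the write
        # landed; an updatable view running as its privileged owner returns the row where RLS should block.
        status, rep = transport("PATCH", f"{url}?{col}=eq.{lit}", dict(h, Prefer="return=representation"),
                                json.dumps({col: val}).encode())
        v = classify(status, rep)
        out["update"] = v if v != "allowed" else ("allowed" if rep else "filtered_by_rls")
        # DELETE: contradictory filter (col = v AND col <> v) matches nothing yet still trips a missing
        # GRANT; it cannot tell RLS-filtered from deletable, so this verdict is GRANT-level only.
        status, resp = transport("DELETE", f"{url}?{col}=eq.{lit}&{col}=neq.{lit}", h)
        out["delete_grant"] = classify(status, resp)
    else:
        out["update"] = out["delete_grant"] = "untestable_no_visible_row"
    # INSERT: empty object. Denied -> 42501; writable -> 201 (a junk row is created) or a constraint error.
    status, resp = transport("POST", url, h, b"{}")
    out["insert"] = classify(status, resp)
    return out

def probe_all(base, anon_key, transport):
    status, openapi = transport("GET", f"{base}/rest/v1/", anon_headers(anon_key))
    if status != 200 or not isinstance(openapi, dict):
        raise RuntimeError(f"OpenAPI document not readable with the anon key (HTTP {status})")
    return {n: probe_resource(base, anon_key, n, transport) for n in list_resources(openapi)}

def fake_misconfigured_instance():
    """Constructed offline stand-in for a vulnerable project, not a real server: signup open; 'profiles'
    an updatable view run as its privileged owner so anon writes land; 'secrets' locked down by RLS."""
    openapi = {"paths": {"/": {}, "/profiles": {}, "/secrets": {}, "/rpc/rotate_keys": {}}}
    row = {"id": 7, "handle": "alice", "is_admin": False}
    def transport(method, url, headers, body=None):
        if url.endswith("/auth/v1/signup"):
            return 200, {"id": "8d3b", "email": json.loads(body)["email"], "role": "authenticated"}
        if url.endswith("/rest/v1/"):
            return 200, openapi
        name = url.split("/rest/v1/", 1)[1].split("?", 1)[0]
        if name == "profiles":
            if method == "GET": return 200, [row]
            if method == "PATCH": return 200, [dict(row, **json.loads(body))]
            if method == "DELETE": return 204, None
            return 400, {"code": "23502", "message": 'null value in column "id" violates not-null constraint'}
        if name == "secrets":
            if method == "GET": return 200, []  # RLS hides every row from anon
            return 403, {"code": "42501", "message": "new row violates row-level security policy"}
        return 404, {"message": "not found"}
    return transport
```

Against a real project, `probe_all("https://<project>.supabase.co", ANON_KEY, http_transport)` returns one dict per exposed table or view. The interesting verdict for the view problem described in this PR is `update == "allowed"` on a resource whose base table is supposed to be RLS-protected: the row came back in the representation, so the write reached it. Rerun the same call with a user JWT from the signup probe in place of the anon key to cover the `authenticated` role, and note that `delete_grant` says nothing about RLS; only the UPDATE probe does.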

Build master and others added 2 commits September 5, 2025 10:54
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://youtu.be/NI-eXMlXma4

Content Categories: Based on the analysis, this content was categorized under "Pentesting CI/CD > Supabase Security (add subsections: 'Auth: Server-side signup enforcement', 'RLS and Views: Write bypass via PostgREST', 'OpenAPI-driven CRUD probing from anon/auth roles')".

Repository Maintenance:

  • MD Files Formatting: 523 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions bot force-pushed the master branch 6 times, most recently from a10148e to 09891dd September 29, 2025 22:56
@carlospolop carlospolop merged commit 23bc398 into master Sep 29, 2025
@carlospolop carlospolop deleted the update_Building_Hacker_Communities__Bug_Bounty_Village__g_20250915_123837 branch September 29, 2025 22:57
github-actions bot pushed a commit that referenced this pull request Sep 29, 2025
…ommunities__Bug_Bounty_Village__g_20250915_123837

Building Hacker Communities Bug Bounty Village, getDisclosed...