Skip to content

hutomosaktikartiko/security-scripts

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

security-scripts

Recon & security testing scripts.

Setup

python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt

supabase/ — Supabase recon & access testing

Config

Create a .env file per project inside the supabase/ folder:

cp supabase/.env.example supabase/.env.yourproject
PROJECT_NAME=yourproject
SUPABASE_URL=https://xxxx.supabase.co
SUPABASE_ANON_KEY=eyJ...
SO_FILE_PATH=./resources/yourproject/lib/x86_64/libapp.so  # optional, for APK extraction

Flow

table_extract_candidates  ──►  table_enumerate  ──►  table_dump
    (APK binary)                     │                table_write_poc
                                     ▼
                             storage_enumerate  ──►  storage_dump

rpc_extract_candidates    ──►  rpc_enumerate    ──►  rpc_dump
  (binary + sources)

Scripts

Script What it does Input Output
table_extract_candidates.py Extract table name candidates from APK binary SO_FILE_PATH (binary), input/table_keywords.txt, input/{project}/table_keywords.txt (optional, gitignored) output/{project}/table_candidates.txt
table_enumerate.py Probe candidates → find open tables + schema input/table_candidates.txt (global wordlist), output/{project}/table_candidates.txt (optional, from prev step) output/{project}/open_tables.txt, output/{project}/table_schemas.json
table_dump.py Dump all open tables to JSON output/{project}/open_tables.txt output/{project}/table_dump_YYYYMMDD/{table}.json
table_write_poc.py Test INSERT / UPDATE / DELETE access per table output/{project}/open_tables.txt, output/{project}/table_schemas.json, output/{project}/table_dump_*/ (for UPDATE fallback) output/{project}/write_poc_YYYYMMDD.txt
storage_enumerate.py Find accessible storage buckets input/storage_buckets.txt (global wordlist), input/{project}/storage_buckets.txt (optional, gitignored), output/{project}/open_tables.txt (DB hint) output/{project}/buckets.txt
storage_dump.py Download files from discovered buckets output/{project}/buckets.txt output/{project}/storage_YYYYMMDD/{bucket}/
rpc_extract_candidates.py Extract RPC function name candidates from APK binary and decompiled source SO_FILE_PATH (binary), SOURCES_PATH (decompiled source dir) output/{project}/rpc_candidates.txt
rpc_enumerate.py Discover exposed RPC functions via OpenAPI spec + wordlist + candidates input/rpc_functions.txt, input/{project}/rpc_functions.txt (optional, gitignored), output/{project}/rpc_candidates.txt (optional, from prev step) output/{project}/rpc_functions.json
rpc_dump.py Call discovered functions, capture output, flag SECURITY DEFINER bypass output/{project}/rpc_functions.json output/{project}/rpc_dump_YYYYMMDD/{fn}.json
auth_enum.py Detect auth misconfigurations output/{project}/auth_enum_YYYYMMDD.txt

Usage

All scripts follow the same pattern:

python3 supabase/<script>.py --env supabase/.env.yourproject

secrets/ — Secret scanning per app type

Config

Reuses the same .env file from supabase/ or create a dedicated one in secrets/:

PROJECT_NAME=yourproject
SO_FILE_PATH=./resources/yourproject/lib/x86_64/libapp.so
SOURCES_PATH=./sources/yourproject

Scripts

Script What it does Input Output
apk.py Scan APK binary (.so) for hardcoded secrets SO_FILE_PATH (binary) secrets/output/{project}/apk_scan_YYYYMMDD.txt

Usage

python3 secrets/<script>.py --env supabase/.env.yourproject

Patterns detected

Category Patterns
Auth JWT, Private Key, Basic Auth URL, Auth0, Clerk
Cloud AWS, GCP, Azure, DigitalOcean, Heroku, Firebase, Supabase
Payment (global) Stripe, PayPal, Braintree, Square
Payment (Indonesia) MidTrans, Xendit, Doku
Comms Slack, SendGrid, Twilio, Mailgun, Postmark, OneSignal, Pusher, Intercom
Mobile / analytics AdMob, GA, AppsFlyer, Branch, Mixpanel, Amplitude, Segment, RevenueCat
Dev tools GitHub, GitLab, OpenAI, Anthropic, Sentry, Mapbox, Cloudinary, Algolia
Database PostgreSQL, MySQL, MongoDB, Redis, AMQP, Cassandra, CouchDB

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages