// Test for user enumeration vulnerabilities through various authentication endpoints.
Orchestrate a complete Supabase security audit with guided step-by-step execution and ownership confirmation.
Test Row Level Security (RLS) policies for common bypass vulnerabilities and misconfigurations.
List and test exposed PostgreSQL RPC functions for security issues and potential RLS bypass.
List all tables exposed via the Supabase PostgREST API to identify the attack surface.
Attempt to read data from exposed tables to verify actual data exposure and RLS effectiveness.
Analyze Supabase authentication configuration for security weaknesses and misconfigurations.
| name | supabase-audit-auth-users |
| description | Test for user enumeration vulnerabilities through various authentication endpoints. |
š“ CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to
.sb-pentest-context.jsonIMMEDIATELY after each endpoint tested- Log to
.sb-pentest-audit.logBEFORE and AFTER each test- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill tests for user enumeration vulnerabilities in authentication flows.
User enumeration occurs when an application reveals whether a user account exists through:
| Vector | Indicator |
|---|---|
| Different error messages | "User not found" vs "Wrong password" |
| Response timing | Fast for non-existent, slow for existing |
| Response codes | 404 vs 401 |
| Signup response | "Email already registered" |
| Risk | Impact |
|---|---|
| Targeted attacks | Attackers know valid accounts |
| Phishing | Confirm targets have accounts |
| Credential stuffing | Reduce attack scope |
| Privacy | Reveal user presence |
| Endpoint | Test Method |
|---|---|
/auth/v1/signup | Try registering existing email |
/auth/v1/token | Try login with various emails |
/auth/v1/recover | Try password reset |
/auth/v1/otp | Try OTP for various emails |
Test for user enumeration vulnerabilities
Test login endpoint for user enumeration
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
USER ENUMERATION AUDIT
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Project: abc123def.supabase.co
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Signup Endpoint (/auth/v1/signup)
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Test: POST with known existing email
Response for existing: "User already registered"
Response for new email: User object returned
Status: š P2 - ENUMERABLE
The response clearly indicates if an email is registered.
Exploitation:
```bash
curl -X POST https://abc123def.supabase.co/auth/v1/signup \
-H "apikey: [anon-key]" \
-H "Content-Type: application/json" \
-d '{"email": "target@example.com", "password": "test123"}'
# If user exists: {"msg": "User already registered"}
# If new user: User created or confirmation needed
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā Login Endpoint (/auth/v1/token) āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Test: POST with different email scenarios
Existing email, wrong password: āāā Response: {"error": "Invalid login credentials"} āāā Time: 245ms āāā Code: 400
Non-existing email: āāā Response: {"error": "Invalid login credentials"} āāā Time: 52ms ā Significantly faster! āāā Code: 400
Status: š P2 - ENUMERABLE VIA TIMING
Although the error message is the same, the response time is noticeably different: āāā Existing user: ~200-300ms (password hashing) āāā Non-existing: ~50-100ms (no hash check)
Timing Attack PoC:
import requests
import time
def check_user(email):
start = time.time()
requests.post(
'https://abc123def.supabase.co/auth/v1/token',
params={'grant_type': 'password'},
json={'email': email, 'password': 'wrong'},
headers={'apikey': '[anon-key]'}
)
elapsed = time.time() - start
return elapsed > 0.15 # Threshold
exists = check_user('target@example.com')
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā Password Recovery (/auth/v1/recover) āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Test: POST recovery request for different emails
Existing email: āāā Response: {"message": "Password recovery email sent"} āāā Time: 1250ms (email actually sent) āāā Code: 200
Non-existing email: āāā Response: {"message": "Password recovery email sent"} āāā Time: 85ms ā Much faster (no email sent) āāā Code: 200
Status: š P2 - ENUMERABLE VIA TIMING
Same message, but timing reveals existence. Existing users trigger actual email sending (~1s+).
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā Magic Link / OTP (/auth/v1/otp) āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Test: Request OTP for different emails
Existing email: āāā Response: {"message": "OTP sent"} āāā Time: 1180ms āāā Code: 200
Non-existing email: āāā Response: {"error": "User not found"} āāā Time: 95ms āāā Code: 400
Status: š“ P1 - DIRECTLY ENUMERABLE
The error message explicitly states user doesn't exist.
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā Summary āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Endpoints Tested: 4 Enumerable: 4 (100%)
Vulnerability Severity: āāā š“ P1: OTP endpoint (explicit message) āāā š P2: Signup endpoint (explicit message) āāā š P2: Login endpoint (timing attack) āāā š P2: Recovery endpoint (timing attack)
Overall User Enumeration Risk: HIGH
An attacker can determine if any email address has an account in your application.
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā Mitigation Recommendations āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
CONSISTENT RESPONSES Return identical messages for all scenarios: "If an account exists, you will receive an email"
CONSISTENT TIMING Add artificial delay to normalize response times:
const MIN_RESPONSE_TIME = 1000; // 1 second
const start = Date.now();
// ... perform auth operation ...
const elapsed = Date.now() - start;
await new Promise(r => setTimeout(r,
Math.max(0, MIN_RESPONSE_TIME - elapsed)
));
return response;
RATE LIMITING Already enabled: 3/hour per IP Consider per-email rate limiting too.
CAPTCHA Add CAPTCHA for repeated attempts:
MONITORING Alert on enumeration patterns:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
## Timing Analysis
The skill measures response times to detect timing-based enumeration:
Existing user: āāā Password hash verification: ~200-300ms āāā Email sending: ~1000-2000ms āāā Database lookup: ~5-20ms
Non-existing user: āāā No hash verification: 0ms āāā No email sending: 0ms āāā Database lookup: ~5-20ms (not found)
Threshold detection:
- Difference > 100ms: Possible timing leak
- Difference > 500ms: Definite timing leak
## Context Output
```json
{
"user_enumeration": {
"timestamp": "2025-01-31T13:30:00Z",
"endpoints_tested": 4,
"vulnerabilities": [
{
"endpoint": "/auth/v1/otp",
"severity": "P1",
"type": "explicit_message",
"existing_response": "OTP sent",
"missing_response": "User not found"
},
{
"endpoint": "/auth/v1/signup",
"severity": "P2",
"type": "explicit_message",
"existing_response": "User already registered",
"missing_response": "User created"
},
{
"endpoint": "/auth/v1/token",
"severity": "P2",
"type": "timing_attack",
"existing_time_ms": 245,
"missing_time_ms": 52
},
{
"endpoint": "/auth/v1/recover",
"severity": "P2",
"type": "timing_attack",
"existing_time_ms": 1250,
"missing_time_ms": 85
}
]
}
}
// Edge Function with normalized timing
const MIN_RESPONSE_TIME = 1500; // 1.5 seconds
Deno.serve(async (req) => {
const start = Date.now();
try {
// Perform actual auth operation
const result = await handleAuth(req);
// Normalize response time
const elapsed = Date.now() - start;
await new Promise(r => setTimeout(r,
Math.max(0, MIN_RESPONSE_TIME - elapsed)
));
return new Response(JSON.stringify(result));
} catch (error) {
// Same timing for errors
const elapsed = Date.now() - start;
await new Promise(r => setTimeout(r,
Math.max(0, MIN_RESPONSE_TIME - elapsed)
));
// Generic error message
return new Response(JSON.stringify({
message: "Check your email if you have an account"
}));
}
});
// Don't reveal user existence
async function requestPasswordReset(email: string) {
// Always return success message
const response = {
message: "If an account with that email exists, " +
"you will receive a password reset link."
};
// Perform actual reset in background (don't await)
supabase.auth.resetPasswordForEmail(email).catch(() => {});
return response;
}
ā ļø This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
DO NOT batch all writes at the end. Instead:
.sb-pentest-audit.log.sb-pentest-context.jsonThis ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Update .sb-pentest-context.json with results:
{
"user_enumeration": {
"timestamp": "...",
"endpoints_tested": 4,
"vulnerabilities": [ ... ]
}
}
Log to .sb-pentest-audit.log:
[TIMESTAMP] [supabase-audit-auth-users] [START] Testing user enumeration
[TIMESTAMP] [supabase-audit-auth-users] [FINDING] P1: OTP endpoint enumerable
[TIMESTAMP] [supabase-audit-auth-users] [CONTEXT_UPDATED] .sb-pentest-context.json updated
If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
š Evidence Directory: .sb-pentest-evidence/05-auth-audit/enumeration-tests/
| File | Content |
|---|---|
enumeration-tests/login-timing.json | Login endpoint timing analysis |
enumeration-tests/recovery-timing.json | Recovery endpoint timing |
enumeration-tests/otp-enumeration.json | OTP endpoint message analysis |
{
"evidence_id": "AUTH-ENUM-001",
"timestamp": "2025-01-31T11:00:00Z",
"category": "auth-audit",
"type": "user_enumeration",
"tests": [
{
"endpoint": "/auth/v1/token",
"test_type": "timing_attack",
"severity": "P2",
"existing_user_test": {
"email": "[KNOWN_EXISTING]@example.com",
"response_time_ms": 245,
"response": {"error": "Invalid login credentials"}
},
"nonexisting_user_test": {
"email": "definitely-not-exists@example.com",
"response_time_ms": 52,
"response": {"error": "Invalid login credentials"}
},
"timing_difference_ms": 193,
"result": "ENUMERABLE",
"impact": "Can determine if email has account via timing"
},
{
"endpoint": "/auth/v1/otp",
"test_type": "explicit_message",
"severity": "P1",
"existing_user_response": {"message": "OTP sent"},
"nonexisting_user_response": {"error": "User not found"},
"result": "ENUMERABLE",
"impact": "Error message explicitly reveals user existence"
}
],
"curl_commands": [
"# Timing test - existing user\ntime curl -X POST '$URL/auth/v1/token?grant_type=password' -H 'apikey: $ANON_KEY' -d '{\"email\": \"existing@example.com\", \"password\": \"wrong\"}'",
"# Timing test - non-existing user\ntime curl -X POST '$URL/auth/v1/token?grant_type=password' -H 'apikey: $ANON_KEY' -d '{\"email\": \"nonexistent@example.com\", \"password\": \"wrong\"}'"
]
}
supabase-audit-auth-config ā Full auth configurationsupabase-audit-auth-signup ā Signup flow testingsupabase-report ā Include in final report