Arp Spoofing on Supabase

Arp Spoofing in Supabase environments typically exploits the platform's reliance on PostgreSQL's row-level security (RLS) and API routing. When Supabase applications improperly configure their auth policies or expose internal API endpoints, attackers can intercept and manipulate requests between clients and the Supabase backend.

The most common Supabase-specific Arp Spoofing scenario occurs when applications use Supabase's supabase-js client library without proper authentication checks. Consider this vulnerable pattern:

// Vulnerable: No auth check before data access
const { data, error } = await supabase
  .from('users')
  .select('*')
  .order('id', { ascending: false });

An attacker positioned between the client and Supabase's edge network can intercept these requests and modify the Authorization header or JWT claims, effectively escalating privileges. This works because Supabase's RLS policies might grant broader access than intended when authentication tokens are manipulated.

Another manifestation involves Supabase's Row Level Security policies that use auth.uid() without proper validation. Attackers can craft requests that exploit policy logic:

-- Vulnerable RLS policy
CREATE POLICY "Users can view own profile" ON profiles
  FOR SELECT USING (auth.uid() = id);

If the application doesn't validate that auth.uid() corresponds to the requested resource ID, an attacker can manipulate the request to access other users' data. Supabase's edge functions can also be targets when they expose internal service endpoints without proper authentication.

Real-world Supabase deployments have shown vulnerabilities where API routes like /rest/v1/ or /realtime/v1/ are accessible without proper rate limiting or authentication, allowing attackers to enumerate database schemas and user data.

Detecting Arp Spoofing in Supabase environments requires examining both the client-side code and the server-side RLS policies. middleBrick's API security scanner can identify these vulnerabilities by testing authentication bypasses and policy misconfigurations.

Key detection patterns for Supabase include:

• Unauthenticated API endpoint exposure: middleBrick tests /rest/v1/*, /realtime/v1/*, and /rpc/v1/* endpoints without credentials
• RLS policy analysis: The scanner examines SQL policies for privilege escalation patterns
• Client library usage patterns: middleBrick flags direct database access without proper auth checks
• Edge function exposure: Testing for unauthenticated access to serverless functions

Here's how middleBrick detects a common Supabase vulnerability:

# Scan a Supabase project for Arp Spoofing vulnerabilities
middlebrick scan https://your-project.supabase.co

The scanner tests for BOLA (Broken Object Level Authorization) by manipulating request parameters and headers to access resources outside the authenticated user's scope. For Supabase specifically, it checks:

{
  "checks": [
    "Authentication bypass on /rest/v1/ endpoints",
    "RLS policy privilege escalation",
    "Client library auth bypass",
    "Edge function exposure",
    "Rate limiting bypass"
  ]
}

middleBrick's LLM security module also detects if your Supabase project uses AI features that might expose system prompts or allow prompt injection attacks through database functions or edge functions.

Remediating Arp Spoofing vulnerabilities in Supabase requires a defense-in-depth approach using the platform's built-in security features. Start with proper RLS policy configuration:

-- Secure RLS policy with proper validation
CREATE POLICY "Users can view own profile" ON profiles
  FOR SELECT USING (
    auth.uid() IS NOT NULL AND
    auth.uid() = id AND
    current_setting('request.jwt.claims', true)::json->>'role' = 'authenticated'
  );

-- Add row-level access control for sensitive data
CREATE POLICY "Users can only view own financial data" ON financial_records
  FOR SELECT USING (
    auth.uid() = user_id AND
    EXTRACT(YEAR FROM created_at) = EXTRACT(YEAR FROM CURRENT_DATE)
  );

Implement proper authentication in your Supabase client code:

// Secure pattern: Always check auth state
const { data: authData, error: authError } = await supabase.auth.getUser();

if (authError || !authData.user) {
  console.error('Authentication required');
  return;
}

// Only access data after successful auth
const { data, error } = await supabase
  .from('profiles')
  .select('*')
  .eq('id', authData.user.id)
  .single();

Configure Supabase's API settings to disable unnecessary endpoints:

// Disable unused API endpoints
const { data, error } = await supabase
  .rpc('set_config', {
    key: 'postgrest.openapi_server',
    value: 'false'
  });

Implement rate limiting and request validation at the edge:

// Supabase Edge Function with validation
export async function onRequest({ request, supabase }) {
  const ip = request.headers.get('x-forwarded-for') || 
            request.socket.remoteAddress;
  
  // Rate limiting check
  const rateLimitKey = `rate_limit:${ip}`;
  const currentRequests = await supabase.storage
    .from('cache')
    .getPublicUrl(rateLimitKey);
  
  if (currentRequests && currentRequests.requests > 100) {
    return new Response('Rate limit exceeded', { status: 429 });
  }
  
  // Validate JWT claims
  const authHeader = request.headers.get('Authorization');
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return new Response('Missing auth', { status: 401 });
  }
  
  return await fetch(request);
}

Enable Supabase's audit logging to detect suspicious access patterns:

-- Enable audit logging for security monitoring
ALTER SYSTEM SET log_statement = 'all';
ALTER SYSTEM SET log_min_duration_statement = 0;
SELECT pg_reload_conf();