// docs / baas security / umbrella scanner
BaaS misconfiguration scanner: find public data paths before attackers do
Backend-as-a-Service providers (Supabase, Firebase, Clerk, Auth0, Appwrite, Convex) all fail security in the same pattern: the platform ships a permissive default configuration, the developer (or an AI coding tool) takes the shortcut, and a public path opens between an unauthenticated attacker and customer data. The BaaS misconfiguration scanner is the only tool that probes that path from the outside, the way an attacker would. This article maps the five recurring misconfiguration classes, explains how the FixVibe BaaS umbrella scan works, compares what it finds on the four major providers, and compares a BaaS-aware scanner with generic DAST tooling.
Why BaaS misconfigurations share a recurring pattern
Every BaaS platform follows the same architecture: a managed backend plus a thin client SDK that talks to it from the browser. The browser-facing client needs some credential (an anon key, a publishable key, a Firebase project ID) to identify itself to the backend. That credential is intended to be public; the security of the architecture rests entirely on the platform-level access controls (RLS, rules, allowlists) doing their job.
AI coding tools build on this architecture without understanding the platform-control layer. They wire up the client SDK correctly, accept the platform's permissive defaults (which exist for tutorial friendliness), and ship. The recurring pattern is: public credential + permissive default rule + missing override = data exposure. The five misconfiguration classes below are all variants of this pattern.
The five recurring misconfiguration classes
These appear on every BaaS provider. A full scan covers all five on each provider it detects:
Class 1: Wrong key in the browser bundle
The browser ships a secret/admin key (Supabase service_role, a Firebase Admin SDK private key, Clerk sk_*, the Auth0 client secret) instead of the public/anon equivalent. The browser becomes an unrestricted admin client. Covered by FixVibe's bundle-secrets check.
Class 2: Access-control layer disabled or permissive
RLS is disabled, Firebase rules are if true, the Auth0 callback list contains a wildcard. The credential in the browser is the correct one, but the platform-level boundary that was meant to constrain it is not doing its job.
Class 3: Anonymous reads of sensitive resources
Firestore collections readable by anon, Supabase storage buckets listable by anon, the Auth0 management API reachable by anon. The check asks: "without credentials, what can I read?"
Class 4: Test-mode residue in production
Test keys (pk_test_*, sb_test_*) in a production deployment; dev-environment Firebase apps reachable from the live origin; Auth0 test-tenant apps with weaker settings than production. The check compares the keys found at runtime against the prefix expected in production.
Class 5: Missing webhook signature verification
Clerk, Stripe and Supabase webhooks all sign their payloads. A handler that does not verify the signature is a data-write executor for any attacker who guesses the URL. Detected by response pattern: an unsigned request that receives 200 means verification is being skipped.
How the FixVibe BaaS umbrella scan works
FixVibe's BaaS stage runs in three phases, each producing its own findings:
- Stage 1: provider fingerprinting. The scanner crawls the deployed app, parses every JavaScript chunk, and identifies which BaaS providers the app uses. Each provider has a distinctive runtime signature: Supabase uses *.supabase.co; Firebase uses firebase.initializeApp({ projectId: ... }); Clerk uses pk_* keys with a known prefix; Auth0 uses clientId and domain. The scanner records which providers are present and extracts the project identifiers.
- Stage 2: provider-specific checks. For each provider detected, the scanner runs that provider's checks: baas.supabase-rls probes PostgREST; baas.firebase-rules probes Firestore, RTDB and Storage; baas.clerk-auth0 verifies the prefixes of the embedded keys; the bundle-secrets check verifies that no service-level credentials have leaked. Each check runs independently; a Supabase finding does not block the Firebase checks.
- Stage 3: cross-provider correlation. The scanner cross-references findings. A leaked Supabase service_role key together with missing RLS is worse than either alone, and the report says so. Multiple identity providers (Clerk + Auth0 + custom auth) in the same app is an architectural finding flagged for review.
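Stage 1 fingerprinting and the bundle-secrets / test-key checks over a single JavaScript chunk, as an added example that is not FixVibe's code. The chunk is constructed inline; the regexes cover only the signatures the article names and are illustrative, not the scanner's own; the finding IDs "bundle-secrets" and "baas.clerk-auth0" are taken from the article and "test-mode-key" is an assumed ID for the Class 4 finding.

```javascript
// Added example: fingerprint BaaS providers in a JS chunk and flag secrets
// that should never be in a browser bundle. Node >= 16 (base64url support).

// Builds a JWT-shaped token with an arbitrary payload for the sample chunk
// (unsigned; "c2ln" is a placeholder signature segment).
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}.c2ln`;
}

// Constructed chunk: every identifier here is made up for the example.
const CONSTRUCTED_CHUNK = [
  `const sb = createClient("https://abcdefghijklmnopqrst.supabase.co", "${fakeJwt({ role: "service_role", iss: "supabase" })}");`,
  `firebase.initializeApp({ projectId: "demo-app-1234", apiKey: "AIza-redacted" });`,
  `const clerk = new Clerk("pk_test_Y2xlcmsuZXhhbXBsZS5jb20k");`,
  `const auth0 = new Auth0Client({ domain: "tenant.us.auth0.com", clientId: "abc123" });`,
].join("\n");

function decodeJwtPayload(token) {
  try { return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString()); }
  catch { return null; }
}

// Stage 1: which providers are present, and their project identifiers.
function fingerprint(chunk) {
  const providers = {};
  const sb = chunk.match(/https:\/\/([a-z0-9]+)\.supabase\.co/);
  if (sb) providers.supabase = { projectRef: sb[1] };
  const fb = chunk.match(/initializeApp\(\s*\{[^}]*projectId:\s*["']([^"']+)["']/);
  if (fb) providers.firebase = { projectId: fb[1] };
  const ck = chunk.match(/\bpk_(test|live)_[A-Za-z0-9]+/);
  if (ck) providers.clerk = { publishableKey: ck[0] };
  const a0 = chunk.match(/domain:\s*["']([a-z0-9.-]+\.auth0\.com)["']/);
  if (a0) providers.auth0 = { domain: a0[1] };
  return providers;
}

// bundle-secrets (Class 1) and test-mode residue (Class 4). A Supabase JWT is
// only a finding when its decoded role claim is service_role; anon is expected.
function bundleSecrets(chunk, expectProduction = true) {
  const findings = [];
  for (const tok of chunk.match(/eyJ[\w-]+\.[\w-]+\.[\w-]+/g) || []) {
    const payload = decodeJwtPayload(tok);
    if (payload && payload.role === "service_role")
      findings.push({ id: "bundle-secrets", provider: "supabase", detail: "service_role JWT in bundle" });
  }
  for (const k of chunk.match(/\bsk_(test|live)_[A-Za-z0-9]+/g) || [])
    findings.push({ id: "bundle-secrets", provider: "clerk", detail: `secret key ${k.slice(0, 8)}... in bundle` });
  if (/\bsb_secret_[A-Za-z0-9_]+/.test(chunk))
    findings.push({ id: "bundle-secrets", provider: "supabase", detail: "sb_secret_* key in bundle" });
  const testKey = chunk.match(/\b(pk|sb)_test_[A-Za-z0-9]+/);
  if (expectProduction && testKey)
    findings.push({ id: "test-mode-key", provider: testKey[1] === "pk" ? "clerk" : "supabase",
      detail: "test-mode key in production bundle" });
  return findings;
}

module.exports = { fakeJwt, CONSTRUCTED_CHUNK, fingerprint, bundleSecrets };
```

Decoding the JWT rather than grepping for a prefix is what separates the service_role case from the legitimate anon key: both are JWTs with the same header, and only the role claim tells them apart.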
Every check is read-only: at most one anonymous read per resource, with the response pattern recorded but row contents neither logged nor stored. Write and mutation checks are gated behind domain-ownership verification; they never run against an unverified target.
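The Stage 2 anonymous-read probe and Stage 3 correlation, as an added example that is not FixVibe's code. It covers the Supabase (PostgREST) and Firestore checks listed under "What the scanner finds per provider" in one runner. Endpoint shapes follow the public PostgREST and Firestore REST APIs; the project references, table and collection names, and the fake backend responses are constructed so the example runs offline, and fetchImpl is injected so a real fetch can be substituted.

```javascript
// Added example: one read-only GET per resource, classify the response
// pattern, keep evidence but never row contents, then correlate with a
// Stage 1 bundle-secrets finding. All identifiers below are assumptions.

function supabaseTargets(projectRef, anonKey, tables) {
  return tables.map((t) => ({
    provider: "supabase", check: "baas.supabase-rls", resource: t,
    url: `https://${projectRef}.supabase.co/rest/v1/${t}?select=*&limit=1`,
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  }));
}

function firestoreTargets(projectId, collections) {
  return collections.map((c) => ({
    provider: "firebase", check: "baas.firebase-rules", resource: c,
    url: `https://firestore.googleapis.com/v1/projects/${projectId}/databases/(default)/documents/${c}?pageSize=1`,
    headers: {},
  }));
}

// Classify one response. Rows are counted, never retained.
function classifyResponse(status, body) {
  if (status === 401 || status === 403) return "protected";
  if (status === 404) return "not-found";
  if (status !== 200) return "unexpected";
  let rows = 0;
  try {
    const j = JSON.parse(body);
    rows = Array.isArray(j) ? j.length : (j.documents || []).length;
  } catch { return "unexpected"; }
  return rows > 0 ? "anon-readable" : "anon-readable-empty";
}

// Exactly one GET per target; only anon-readable resources become findings.
async function probe(targets, fetchImpl) {
  const findings = [];
  for (const t of targets) {
    const res = await fetchImpl(t.url, { method: "GET", headers: t.headers });
    const verdict = classifyResponse(res.status, await res.text());
    if (verdict.startsWith("anon-readable")) {
      findings.push({ id: t.check, provider: t.provider, resource: t.resource,
        severity: verdict === "anon-readable" ? "high" : "medium",
        evidence: `GET ${t.url} -> ${res.status}` });
    }
  }
  return findings;
}

// Stage 3: service_role key in the bundle + a table without RLS is worse than either alone.
function correlate(findings) {
  const leaked = findings.some((f) => f.id === "bundle-secrets" && f.provider === "supabase");
  return findings.map((f) => (leaked && f.id === "baas.supabase-rls")
    ? { ...f, severity: "critical", note: "service_role key in bundle + RLS missing" }
    : f);
}

// Constructed fake backend standing in for the network.
const FAKE_RESPONSES = {
  "https://abcdefghijklmnopqrst.supabase.co/rest/v1/profiles?select=*&limit=1":
    { status: 200, body: '[{"id":1,"email":"x@example.com"}]' },           // RLS off
  "https://abcdefghijklmnopqrst.supabase.co/rest/v1/orders?select=*&limit=1":
    { status: 401, body: '{"message":"permission denied"}' },              // RLS on
  "https://firestore.googleapis.com/v1/projects/demo-app/databases/(default)/documents/users?pageSize=1":
    { status: 200, body: '{"documents":[{"name":"projects/demo-app/databases/(default)/documents/users/u1"}]}' },
  "https://firestore.googleapis.com/v1/projects/demo-app/databases/(default)/documents/audit?pageSize=1":
    { status: 403, body: '{"error":{"status":"PERMISSION_DENIED"}}' },
};

async function fakeFetch(url) {
  const r = FAKE_RESPONSES[url] || { status: 404, body: "" };
  return { status: r.status, text: async () => r.body };
}

async function runExample() {
  const targets = [
    ...supabaseTargets("abcdefghijklmnopqrst", "anon-key-placeholder", ["profiles", "orders"]),
    ...firestoreTargets("demo-app", ["users", "audit"]),
  ];
  const findings = await probe(targets, fakeFetch);
  // Assumed Stage 1 result, fed in for correlation.
  findings.push({ id: "bundle-secrets", provider: "supabase", resource: "bundle", severity: "high" });
  return correlate(findings);
}

module.exports = { classifyResponse, probe, correlate, runExample, fakeFetch };
```

Against a live target, replace fakeFetch with the global fetch and supply the table and collection names from Stage 1 (the anonymous OpenAPI listing on PostgREST, when exposed, enumerates the tables). The 401/403 outcomes are the healthy state and are recorded but not reported.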
What the scanner finds per provider
Each BaaS provider has a different surface and a different probe strategy. Here is what is covered:
- Supabase: missing RLS on tables, storage buckets listable by anon, a leaked service_role JWT or sb_secret_* key in the bundle, schema exposed through the anonymous OpenAPI listing. See the Supabase RLS scanner and the Storage checklist.
- Firebase: if true rules on Firestore, Realtime Database and Cloud Storage; Storage buckets listable by anon; missing App Check enforcement. See the Firebase rules scanner and the If-true rule explainer.
- Clerk: embedded sk_* secret keys, pk_test_* in production, missing webhook signature verification, wildcard allowed origins. See the Clerk checklist.
- Auth0: embedded client secret, Implicit grant enabled, wildcard callback / logout URLs, missing PKCE on SPAs. See the Auth0 checklist.
How a BaaS scanner compares with generic DAST and SAST tools
A BaaS-aware scanner does a specific job that the other tools do not. Comparison:
| Area | FixVibe (BaaS-aware DAST) | Generic DAST (Burp / ZAP) | SAST / SCA (Snyk / Semgrep) |
|---|---|---|---|
| BaaS coverage | Native checks for Supabase, Firebase, Clerk, Auth0, Appwrite | Generic web crawl; no provider-specific checks | Static analysis of the repository only; no production verification |
| Setup time | URL, run, results in 60 seconds | Hours: configure spider, auth, scope | Days: integrate into the repository's CI |
| What it verifies | Production runtime exposure with HTTP-level evidence | Web-app vulnerabilities (XSS, SQLi); BaaS only via manual configuration | Code patterns that may or may not ship |
| JavaScript bundle analysis | Decodes JWTs, matches secret prefixes, walks chunks | Limited: string-based grep only | Yes, but repository-side only, not what is deployed |
| Continuous scanning | Monthly / on-deploy via API + MCP | Manual; schedule it yourself | Every commit (good for code, blind to runtime) |
| Price for solo / small team | Free tier; paid from $19/month | Burp Pro $499/year; ZAP free but high false-positive rate | Snyk free / Semgrep free; paid tiers from $25/dev |
Honest limits: what this scanner will not replace
A BaaS-aware DAST scanner is a focused tool, not a complete security program. It does not:
- Replace SAST or SCA. Static analysis finds dependency CVEs (Snyk, Semgrep) and code-level vulnerabilities (SonarQube) that a DAST scanner cannot. Run both.
- Replace manual penetration testing. A human tester finds business-logic flaws, authorization edge cases and chained vulnerabilities that no scanner can. Hire a tester before a major launch or a compliance audit.
- Scan your code or repository for secrets in git history. The bundle-secrets check covers what is currently deployed, not what was committed in the past. Use git-secrets or gitleaks for repository hygiene.
- Cover non-BaaS backend services. If your app uses a custom backend (Express, Rails, Django, FastAPI), FixVibe scans its HTTP surface but does not probe the database or infrastructure behind it. That is generic DAST + SAST territory.
Frequently asked questions
Does the umbrella scan work if my app uses two BaaS providers (e.g., Supabase + Clerk)?
Yes. Provider fingerprinting and the per-provider checks are independent. The scanner detects both, runs both check sets, and reports cross-provider correlation (e.g., a Clerk-issued JWT used as the Supabase claim flagged as an alert together with missing RLS).
How is this different from running Burp Suite Pro against my app?
Burp is a generic DAST workbench. Out of the box, Burp does not know what PostgREST, Firestore or an Auth0 callback path is; you have to configure scope by hand, write extensions, and interpret the responses yourself. FixVibe ships with built-in BaaS checks and BaaS-shaped evidence. Burp wins on generic web-app coverage (XSS, SQLi, business logic); FixVibe wins on BaaS-specific findings.
What about App Check (Firebase) or attestation (Apple / Google)?
With App Check enforced, an external probe gets 403 on every check, which is the correct outcome for a malicious bot. FixVibe probes from an unattested client and gets the same answer. If you have App Check enabled and FixVibe still reports a finding, enforcement is not active for that resource (App Check enforcement is opt-in per product) and your rules are open to anyone, attested or not; that is the real risk, because App Check is not an authorization control. App Check + correct rules is the defense-in-depth pattern.
Can the scanner verify my fix?
Yes: rerun it after applying the fix. Check IDs (e.g., baas.supabase-rls) are stable across runs, so you can diff findings: a finding that is open in run 1 and absent in run 2 is evidence the fix landed.
Next steps
Run a free FixVibe scan against your production URL; the BaaS stage ships on every plan, including the free tier. For provider-specific depth, the other articles in this section cover each provider in detail: Supabase RLS, Supabase service-key exposure, Supabase Storage, Firebase rules, Firebase if-true, Clerk, and Auth0.
