Module 10: API Surface Risk Map (v7.2.0)

Client: DemoCompany | Date: March 24, 2026

Executive Summary

This report identifies risks at the API Gateway and Edge Function layers of the architecture. While Row-Level Security (RLS) provides the final line of defense, vulnerabilities at the API surface can lead to BOLA/IDOR attacks, JWT tampering, and unauthorized access to Edge Functions.

Mapped API Surface (Supabase REST)

Method  Endpoint                       Status
GET     /rest/v1/profiles              Verified (RLS Active)
PATCH   /rest/v1/orders?id=eq.123      BOLA Vulnerability
POST    /functions/v1/auth-webhook     Service Role Exposure
GET     /rest/v1/internal_analytics    JWT Bypass Possible

[CRITICAL] Broken Object Level Authorization (BOLA)
Endpoint: /orders

The PATCH /orders endpoint accepts a UUID via query parameter. Our engine successfully modified an order belonging to tenant_b using a tenant_a JWT token.

Strategic Impact: Unauthorized modification of orders across tenant boundaries. Potential for financial fraud and data corruption.
-- REMEDIATION: Wrap the update in a secure function, or use RLS with subqueries.
-- (ALTER POLICY cannot change a policy's command type; define the UPDATE policy with CREATE POLICY.)
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can update their own orders" ON orders FOR UPDATE USING (auth.uid() = user_id);
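A fuller version of the RLS remediation, written as an added example rather than taken from the report or from DemoCompany's schema. It assumes a Supabase Postgres database where auth.uid() returns the JWT subject and an orders table with a user_id column as the remediation implies; the remaining columns and the UUIDs in the smoke test are constructed for illustration.

```sql
-- Added example, not the report's own remediation. Assumes Supabase's auth.uid()
-- and an orders table whose user_id column names the owning user; the other
-- columns and the UUIDs in the smoke test are constructed for illustration.
create table if not exists orders (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null,
  status  text not null default 'pending',
  total   numeric(12, 2) not null
);

-- With RLS disabled, PostgREST applies no per-row filter, so any authenticated
-- JWT can PATCH /rest/v1/orders?id=eq.<uuid> on a row it does not own.
alter table orders enable row level security;

-- Reads: a caller sees only its own rows.
create policy "Users can read their own orders"
  on orders for select to authenticated
  using (auth.uid() = user_id);

-- Updates: USING picks which rows may be targeted; WITH CHECK constrains the
-- row after the change (Postgres reuses USING when WITH CHECK is omitted, but
-- stating it makes the intent visible in review).
create policy "Users can update their own orders"
  on orders for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Limit the grant layer as well: anonymous callers get no access at all.
revoke all on orders from anon;
grant select, update on orders to authenticated;

-- Smoke test (run in psql as a privileged role, then roll back): seed an order
-- owned by tenant_b's user, impersonate tenant_a's user and try to cancel it.
-- auth.uid() reads request.jwt.claims, so the update should touch 0 rows.
begin;
insert into orders (user_id, total)
  values ('22222222-2222-2222-2222-222222222222', 42.00);
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
update orders
   set status = 'cancelled'
 where user_id = '22222222-2222-2222-2222-222222222222';  -- expect UPDATE 0
rollback;
```

Because the service_role key carries BYPASSRLS, this policy protects only callers holding user JWTs; the Edge Function finding below must be fixed separately.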

[CRITICAL] Edge Function Service-Role Exposure
Function: process-payment

Edge function process-payment logs include unmasked service_role keys. Our engine intercepted these keys during simulation, allowing full database bypass.

Strategic Impact: Complete database takeover. An attacker with this key can bypass all RLS policies.
// REMEDIATION: Mask sensitive keys in logs; read the key from the environment and never write it to console or request logs.
import { createClient } from 'npm:@supabase/supabase-js@2'

const supabase = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')! // DO NOT LOG THIS
)

[WARNING] JWT Claim Tampering (alg: none)
Scope: Infrastructure

The application accepts JWTs with "alg": "none" in certain staging configurations. This allows an attacker to forge identity claims.

Strategic Impact: Identity spoofing. Attackers can masquerade as any user by removing the signature.
-- REMEDIATION: Ensure GoTrue/Auth is configured to reject the 'none' algorithm.
-- Verify JWT secret rotation and strength.

[INFO] Verbose API Error Responses
Endpoint: /rest/v1/*

The API returns detailed PostgREST error messages, including table column names and hints. This facilitates schema mapping for attackers.

Strategic Impact: Low-risk information disclosure that aids in more targeted attacks.
-- REMEDIATION: Use a custom middleware or proxy to sanitize API error responses.

Proprietary assessment generated by Otobrix Security Engine v7.2.0 — Confidential