Salesforce Testing

Testing Write-ups

Code analysis Checklist

  • Search for SOQL Injection using the following regex, which matches an inline SOQL literal ([SELECT ...]) whose text is assembled with + string concatenation:
    \[.*SELECT.*[+] .*

  • Search for unsanitized rendered output, look for
    escape="false"

    Reference: apex:outputText escape="false" keyword bypassing Security ? - Salesforce Developer Community
  • Check if the developer console is accessible

    https://<domain>.my.salesforce.com/_ui/common/apex/debug/ApexCSIPage

  • Abuse the search-in-files functionality to leak source code, passwords, tokens, etc.

  • Use SOQL queries to reach data that should not be accessible but is protected only by the sharing settings of the Apex classes that normally expose it.
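The first two checklist items turned into a small source scanner, as an added example that is not part of the original page: it runs the SOQL-concatenation regex above (case-insensitively, since SOQL keywords are case-insensitive) and the escape="false" check over constructed Apex and Visualforce samples, and shows that a query using a bind variable is not flagged.

```python
import re

# Heuristics from the checklist above. SOQL_CONCAT is the page's regex:
# an inline SOQL literal ([SELECT ...]) whose text is built with '+'.
SOQL_CONCAT = re.compile(r"\[.*SELECT.*[+] .*", re.IGNORECASE)
# Visualforce output rendered without HTML escaping.
UNESCAPED_OUTPUT = re.compile(r'escape\s*=\s*"false"', re.IGNORECASE)

# Constructed sample sources (not taken from any real org or project).
SAMPLES = {
    "AccountSearch.cls": """\
public with sharing class AccountSearch {
    public List<Account> find(String name) {
        // flagged: user input concatenated into the query text
        return [SELECT Id FROM Account WHERE Name LIKE '%' + name + '%'];
    }
    public List<Account> findSafe(String name) {
        // not flagged: bind variable, the SOQL parser never sees 'name' as query text
        String pattern = '%' + name + '%';
        return [SELECT Id FROM Account WHERE Name LIKE :pattern];
    }
}
""",
    "Greeting.page": """\
<apex:page controller="GreetingController">
  <apex:outputText value="{!displayName}" escape="false"/>
  <apex:outputText value="{!displayName}"/>
</apex:page>
""",
}


def scan(sources):
    """Return (file, line number, rule, line text) for every hit."""
    hits = []
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if SOQL_CONCAT.search(line):
                hits.append((fname, lineno, "soql-concat", line.strip()))
            if UNESCAPED_OUTPUT.search(line):
                hits.append((fname, lineno, "escape-false", line.strip()))
    return hits


if __name__ == "__main__":
    for fname, lineno, rule, line in scan(SAMPLES):
        print(f"{fname}:{lineno}: [{rule}] {line}")
```

Every hit still needs a manual look: the regex only sees one line, so a query built across several statements or passed to Database.query() is not caught, and an escape="false" on a constant is harmless.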

Tools

VSCode

Learning Resources

Interesting reads

VF Remoting Exploit - Salesforce Developer Community

Burp Extensions

Tips and tricks

  • Look at the security settings page