Salesforce Testing

Testing Write-ups

• Pen-Testing Salesforce Apps: Part 1 (Concepts) | by Praveen Kanniah | InfoSec Write-ups (infosecwriteups.com)
• Pen-Testing Salesforce Apps: Part 2 (Fuzz & Exploit) | by Praveen Kanniah | InfoSec Write-ups (infosecwriteups.com)
• Hacking Salesforce-backed WebApps - Hypn.za.net
• Abusing Privilege Escalation in Salesforce Using APEX (cloudsecurityalliance.org)
• Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community - Enumerated - gigminds

Code analysis Checklist

• Search for SOQL Injection using the following regex

  \[.*SELECT.**[+] .*
  

• Search for unsanitized rendered output, look for

  escape="false"
  

  Reference: apex:outputText escape="false“ keyword by passing Security ? - Salesforce Developer Community

• Check if developer console is accessible

  https://<domain>.my.salesforce.com/_ui/common/apex/debug/ApexCSIPage
  

• Abuse search in files functionality to leak source code, passwords, tokens, etc.

  • SOQL Queries to leak data that might not be accessible and protected by Apex classes sharing permissions.

Tools

• Ophion-Security/sret: Salesforce Recon and Exploitation Toolkit (github.com)
• moniik/poc_salesforce_lightning: Academic purposes only. Attack against Salesforce lightning with guest privilege. (github.com)

VSCode

• Salesforce Extension Pack (Expanded) - Visual Studio Marketplace
• Set Up Visual Studio Code Unit | Salesforce Trailhead

Learning Resources

• Access Modifiers | Apex Developer Guide | Salesforce Developers
• Using the with sharing, without sharing, and inherited sharing Keywords | Apex Developer Guide | Salesforce Developers
• Understanding With Sharing and Without Sharing In Salesforce - Brian Cline (brcline.com)
• Salesforce DX - App Cloud for Developers - Salesforce India

Interesting reads

VF Remoting Exploit - Salesforce Developer Community

Burp Extensions

• GitHub - akenofu/lightning-burp

Tips and tricks

• Look at the security settings page