Salesforce Testing
Testing Write-ups
- Pen-Testing Salesforce Apps: Part 1 (Concepts) | by Praveen Kanniah | InfoSec Write-ups (infosecwriteups.com)
- Pen-Testing Salesforce Apps: Part 2 (Fuzz & Exploit) | by Praveen Kanniah | InfoSec Write-ups (infosecwriteups.com)
- Hacking Salesforce-backed WebApps - Hypn.za.net
- Abusing Privilege Escalation in Salesforce Using APEX (cloudsecurityalliance.org)
- Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community - Enumerated - gigminds
Code analysis Checklist
- Search for SOQL Injection using the following regex
- Search for unsanitized rendered output; look for the apex:outputText escape="false" keyword. Reference: apex:outputText escape="false" keyword bypassing Security ? - Salesforce Developer Community
- Check if the developer console is accessible
- Abuse the search-in-files functionality to leak source code, passwords, tokens, etc.
- SOQL queries to leak data that might not be accessible and is protected by Apex class sharing permissions.
- Abuse
Tools
- Ophion-Security/sret: Salesforce Recon and Exploitation Toolkit (github.com)
- moniik/poc_salesforce_lightning: Academic purposes only. Attack against Salesforce lightning with guest privilege. (github.com)
VSCode
- Salesforce Extension Pack (Expanded) - Visual Studio Marketplace
- Set Up Visual Studio Code Unit | Salesforce Trailhead
Learning Resources
- Access Modifiers | Apex Developer Guide | Salesforce Developers
- Using the with sharing, without sharing, and inherited sharing Keywords | Apex Developer Guide | Salesforce Developers
- Understanding With Sharing and Without Sharing In Salesforce - Brian Cline (brcline.com)
- Salesforce DX - App Cloud for Developers - Salesforce India