Salesforce Testing

Testing Write-ups

Code analysis Checklist

  • Search for SOQL Injection (dynamic SOQL strings built by concatenation rather than bind variables) using the following regex
    \[.*SELECT.*\+.*
  • Search for unsanitized rendered output, look for apex:outputText with escape="false"
    Reference: apex:outputText escape="false" keyword by passing Security? - Salesforce Developer Community
  • Check if developer console is accessible
  • Abuse search in files functionality to leak source code, passwords, tokens, etc.
  • SOQL queries to leak data that might not be accessible and protected by Apex classes sharing permissions.

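As an added example (not code from the original page), a small Python scan that applies the two code-review checks above to constructed Apex and Visualforce snippets: dynamic SOQL built by string concatenation versus a bind variable, and apex:outputText rendered with escape="false". The file names and snippets are constructed for the demonstration.

```python
import re

# Constructed sample sources (not taken from any real org or from the original page).
SAMPLES = {
    "AccountSearch.cls": (
        "public with sharing class AccountSearch {\n"
        "  public List<Account> find(String name) {\n"
        "    String q = 'SELECT Id FROM Account WHERE Name = \\'' + name + '\\'';\n"
        "    return Database.query(q);\n"
        "  }\n"
        "}\n"
    ),
    "SafeSearch.cls": (
        "public with sharing class SafeSearch {\n"
        "  public List<Account> find(String name) {\n"
        "    return [SELECT Id FROM Account WHERE Name = :name];\n"  # bind variable: safe
        "  }\n"
        "}\n"
    ),
    "Profile.page": (
        "<apex:page controller=\"ProfileCtl\">\n"
        "  <apex:outputText value=\"{!bio}\" escape=\"false\"/>\n"
        "  <apex:outputText value=\"{!name}\"/>\n"
        "</apex:page>\n"
    ),
}

# Rule 1: a SELECT string literal whose closing quote is followed by '+' (dynamic SOQL
# assembled by concatenation). Single-line heuristic; multi-line builders need a parser.
DYNAMIC_SOQL = re.compile(r"SELECT\b.*['\"]\s*\+", re.IGNORECASE)
# Rule 2: Visualforce output rendered without HTML escaping.
UNESCAPED_OUTPUT = re.compile(r"<apex:outputText\b[^>]*\bescape\s*=\s*\"false\"", re.IGNORECASE)


def scan(files):
    """Return (filename, line_no, rule, line) for every hit across the given sources."""
    hits = []
    for fname, src in files.items():
        for no, line in enumerate(src.splitlines(), start=1):
            if fname.endswith(".cls") and DYNAMIC_SOQL.search(line):
                hits.append((fname, no, "dynamic-soql-concat", line.strip()))
            if fname.endswith(".page") and UNESCAPED_OUTPUT.search(line):
                hits.append((fname, no, "outputtext-escape-false", line.strip()))
    return hits


if __name__ == "__main__":
    for fname, no, rule, line in scan(SAMPLES):
        print(f"{fname}:{no}: [{rule}] {line}")
```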
Learning Resources

Interesting reads

VF Remoting Exploit - Salesforce Developer Community

Burp Extensions

Tips and tricks

  • Look at the security settings page