Mandiant has released an open source tool to help Salesforce admins detect misconfigurations that could expose sensitive data.
Launched on Monday, AuraInspector targets access control issues in Salesforce Aura, the UI framework for Experience Cloud sites. While Aura components aren't inherently insecure, their complexity often leads to dangerous misconfigurations.
An example? If unauthenticated users gain access to all records in a Salesforce Account object, attackers can exploit the getItems method to steal data.
"This is a common misconfiguration encountered during real-world engagements," Mandiant said in its announcement.
Though responses are typically limited to 2,000 records per request, attackers can bypass this cap by changing sort orders between requests. The method is inconsistent and may return duplicate records to the attacker.
Another way to bypass this limit is to abuse the functionality of the GraphQL API, which is made available by default to all guest accounts.
Salesforce maintains the API isn't a vulnerability if object access is properly configured, but misconfigurations can expose broad swaths of sensitive information.
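The access pattern described above (an unauthenticated guest repeatedly calling an Aura list method with different sort orders to walk past the per-request cap, plus guest traffic to the GraphQL endpoint) is something a defender can look for in web-access logs. The following detector is an added example and is not part of AuraInspector or of Mandiant's announcement; the log format, the endpoint paths (`/s/sfsites/aura`, `/services/data/v60.0/graphql`), the `guest` principal label and the `action=`/`sort=`/`records=` fields are all constructed for this example, so adapt the parser to your own log source.

```python
import re
from collections import defaultdict

# Constructed sample log lines. The layout (timestamp, client IP, principal,
# method, path, then key=value fields) and the endpoint paths are assumptions
# made for this example, not a format defined by Salesforce or AuraInspector.
SAMPLE_LOG = """\
2025-11-10T10:00:01Z 203.0.113.5 guest POST /s/sfsites/aura action=getItems sort=Name records=2000
2025-11-10T10:00:03Z 203.0.113.5 guest POST /s/sfsites/aura action=getItems sort=Name_DESC records=2000
2025-11-10T10:00:05Z 203.0.113.5 guest POST /s/sfsites/aura action=getItems sort=CreatedDate records=2000
2025-11-10T10:00:07Z 203.0.113.5 guest POST /s/sfsites/aura action=getItems sort=Id records=1450
2025-11-10T10:01:00Z 198.51.100.7 alice@example.com POST /s/sfsites/aura action=getItems sort=Name records=25
2025-11-10T10:02:00Z 192.0.2.9 guest POST /s/sfsites/aura action=getItems sort=Name records=10
2025-11-10T10:03:00Z 192.0.2.9 guest POST /services/data/v60.0/graphql action=query records=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Trailing key=value pairs (action, sort, records) become ordinary fields.
    kv = dict(pair.split("=", 1) for pair in rec.pop("kv").split())
    rec.update(kv)
    rec["records"] = int(rec.get("records", 0))
    return rec


def analyze(log_text, per_request_cap=2000, min_sort_variants=3):
    """Return findings for guest clients whose Aura/GraphQL usage looks like bulk export.

    A guest IP is flagged as 'aura_sort_walk' when it has used at least
    min_sort_variants distinct sort orders on getItems AND the records it
    received across those calls exceed what a single capped request can return.
    Any guest call to the GraphQL endpoint is reported separately so that the
    admin can confirm guest access to it is intended.
    """
    per_ip = defaultdict(lambda: {"sorts": set(), "records": 0, "graphql": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] != "guest":
            continue  # authenticated users and unparsable lines are out of scope
        bucket = per_ip[rec["ip"]]
        if rec["path"].endswith("/aura") and rec.get("action") == "getItems":
            bucket["sorts"].add(rec.get("sort", ""))
            bucket["records"] += rec["records"]
        elif rec["path"].endswith("/graphql"):
            bucket["graphql"] += 1

    findings = []
    for ip, b in sorted(per_ip.items()):
        if len(b["sorts"]) >= min_sort_variants and b["records"] > per_request_cap:
            findings.append({
                "ip": ip,
                "kind": "aura_sort_walk",
                "sort_variants": len(b["sorts"]),
                "records": b["records"],
            })
        if b["graphql"]:
            findings.append({"ip": ip, "kind": "guest_graphql", "requests": b["graphql"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample input, the first guest IP is reported because four sort orders returned 7,450 records in total, far more than one 2,000-record response, while the second guest IP is reported only for touching the GraphQL endpoint. Either finding is a prompt to review the guest profile's object and field permissions, which is the fix the article points to, rather than a confirmed breach on its own.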
Mandiant said AuraInspector can also help prevent attackers from gaining access to Record Lists and admin panels via Home URLs, while also supporting other use cases.
The tool, available now for free, automates checks for these abuse techniques and pairs each finding with recommended remediation steps, helping defenders identify damaging misconfigurations.
Mandiant says all of AuraInspector's operations are read-only and the tool will not make any modifications to Salesforce instances on its own.
Despite many customers switching to Lightning Web Components for new sites, Aura is still widely used for legacy functionality, and security companies continue to issue alerts about the dangers of Aura misconfigurations.
Varonis, for example, warned in July it is trivial to locate Salesforce Experience Cloud sites, and its own researchers were able to retrieve "troves of exposed sensitive records" by abusing Aura methods.
Infosec blogger Brian Krebs also drew attention to widespread issues with Salesforce Community sites in 2023 after discovering that banks and healthcare providers were leaking sensitive data through similar means.
Source: The Register