Salesforce Recon and Exploitation Toolkit (SRET)
Background
Over the last two months, I spent some time and effort learning about Salesforce vulnerabilities, specifically misconfigurations and code issues that can drastically affect companies. There are already a couple of blog posts on the different things you can test on a Salesforce instance; however, I wanted to go further down the rabbit hole, cover more test cases, and automate finding these issues. As a result, I am now publishing a security script that makes testing for, identifying, and exploiting security issues in Salesforce easier.
The script is available at https://github.com/reconstation/sret
About
SRET is a simple Python script designed to run a series of tests that identify misconfigurations in a given Salesforce instance. It covers a variety of edge cases and unusual misconfigurations that could lead to sensitive data exposure.
Coverage
After researching the exploitation techniques described in various blogs and resources (see References), I did additional digging into the general Aura and service calls. Combining the already known issues with the new findings, the tool now covers additional edge cases.
Previous blogs, articles, and disclosed vulnerabilities covered the following cases:
Getting all available objects
Getting the items of every object (getItems)
Downloading documents of a specific type
Some CRUD operations
Search functionality
The tool now covers (in addition to what is already known):
For certain feeds, such as CollaborationGroup, it will attempt to access and return all feeds for each individual group identified.
createRecord operation, which:
  identifies all objects that potentially allow the Guest user to create records;
  for custom objects (names ending in __c), uses the disclosed information and attempts to create valid records.
joinGroup
  Similar to accessing records, it will also attempt to join groups such as CollaborationGroup where possible. Doing so can sometimes lead to additional information disclosure.
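From the administrator's side, the settings these record and group probes depend on are the guest profile's object permissions, which can be audited directly. The following Python is an added example and not part of SRET or this post: it classifies the records an admin-authenticated ObjectPermissions query returns; the SOQL shown in the docstring is my assumption of a suitable query, and the sample response is constructed.

```python
"""Added audit helper (not part of SRET): label guest-user object permissions.

Input is the JSON an admin gets back from a query such as (assumed query):
  SELECT SObjectType, PermissionsRead, PermissionsCreate
  FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
Labels follow the post's cases: guest read (bulk record and feed exposure),
guest create, custom objects (__c) and the Chatter group objects.
"""
from typing import Dict, List

# Objects involved in reading and joining Chatter groups.
GROUP_OBJECTS = {"CollaborationGroup", "CollaborationGroupMember", "CollaborationGroupFeed"}

# Constructed sample in the shape of a Salesforce REST query response.
SAMPLE_RESPONSE = {
    "totalSize": 4, "done": True,
    "records": [
        {"SObjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False},
        {"SObjectType": "Survey_Response__c", "PermissionsRead": False, "PermissionsCreate": True},
        {"SObjectType": "CollaborationGroupMember", "PermissionsRead": True, "PermissionsCreate": True},
        {"SObjectType": "Case", "PermissionsRead": False, "PermissionsCreate": True},
    ],
}


def classify(rec: Dict) -> List[str]:
    """Return finding labels for one ObjectPermissions record (empty if neither read nor create)."""
    obj = rec["SObjectType"]
    labels = []
    if rec.get("PermissionsRead"):
        labels.append("guest-read")        # root cause of the bulk PII and feed reads
    if rec.get("PermissionsCreate"):
        labels.append("guest-create")      # what the createRecord probe relies on
    if labels and obj.endswith("__c"):
        labels.append("custom-object")     # custom objects are probed with valid records
    if labels and obj in GROUP_OBJECTS:
        labels.append("group-object")      # create on GroupMember lets a guest join
    return labels


def audit(response: Dict) -> Dict[str, List[str]]:
    """Map every object with at least one finding to its labels."""
    return {r["SObjectType"]: classify(r)
            for r in response.get("records", []) if classify(r)}

if __name__ == "__main__":
    for obj, labels in sorted(audit(SAMPLE_RESPONSE).items()):
        print(f"{obj}: {', '.join(labels)}")
```

Objects that come back with no labels are ones the guest profile can neither read nor create, so they need no further review.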
What’s next
In the future, the script will support the custom controllers and Apex functions that companies write for their own use cases. These have a higher chance of introducing vulnerabilities than the default Aura functions.
Usage
The script takes one command-line argument: the URL. For example, python3 main.py https://google.com is a valid command line. The result is returned as a Python dictionary, which can be further leveraged to export vulnerability details into your bug bounty storage or pipelines.
Statistics
This tool has identified multiple vulnerabilities of Critical and High severity. Most of them exposed sensitive information, ranging from user data to sensitive documents and metrics.
Report summaries
Access to more than 100,000 records of companies' user PII in total. The exposed information included PII such as addresses, email addresses, and phone numbers.
For one specific company, it was possible to read all email correspondence, which included the password reset URLs sent by the portal.
References
Aaron Costello (@ConspiracyProof) - https://github.com/projectdiscovery/nuclei-templates/blob/master/misconfiguration/salesforce-aura.yaml
Want more?
Be on the lookout for upcoming blog posts and features from Recon Station. In the coming months we will gradually release APIs that can be used to get all recon information for multiple programs on HackerOne :)