Mandiant plugs Salesforce leaks with open source tool
"Launched on Monday, AuraInspector targets access control issues in Salesforce Aura, the UI framework for Experience Cloud sites. While Aura components aren't inherently insecure, their complexity often leads to dangerous misconfigurations. An example? If unauthenticated users gain access to all records in a Salesforce Account object, attackers can exploit the getItems method to steal data. "This is a common misconfiguration encountered during real-world engagements," Mandiant said in its announcement."
"Though typically limited to 2,000 records per request, attackers can bypass this by changing sort orders. It's an inconsistent method, and one that may yield duplicate records for attackers. Another way to bypass this limit is to abuse the functionality of the GraphQL API, which is made available by default to all guest accounts. Salesforce maintains the API isn't a vulnerability if object access is properly configured, but misconfigurations can expose broad swaths of sensitive information."
AuraInspector is an open-source tool from Mandiant that detects access control misconfigurations in the Salesforce Aura framework used by Experience Cloud sites. It automates the abuse techniques an attacker would try and recommends remediation steps, while performing only read-only operations that do not modify the Salesforce instance. The misconfigurations it looks for include unauthenticated access to Account records (exploitable through the getItems method) and bypasses of the 2,000-record request limit, either through sort-order manipulation or through the GraphQL API that is enabled for guest accounts by default. The complexity of Aura components and the continued use of legacy Aura code both increase the risk of such exposure. AuraInspector also checks for exposure via Home URLs and supports other defensive use cases.
Read the full article at The Register.