InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Salesforce bug hunting to Critical bug

Or how I learned that some bugs are truly rare

Vuk Ivanovic
Published in InfoSec Write-ups · 3 min read · Aug 15, 2022


Ah, yes, third-party services are out of scope 9 times out of 10. But sometimes they're not. Sometimes they're very much in scope. Unlike Zendesk, Salesforce can be misconfigured by its clients or left in a default state that allows access to interesting data that was never meant to be publicly accessible.

The Bug

It's really simple (for a more complicated and in-depth analysis, check this article).

Low vs Critical

First you have to find a subdomain that runs on Salesforce/aura. This is usually help.target.com, support.target.com or community.target.com, but it can also be something random like state.target.com. For a wide-scope program it's best to use nuclei with its Salesforce aura template to automate the process, but sometimes a manual approach is necessary.

Second, after finding a Salesforce/aura site, use Burp or even the Firefox/Chrome network inspector to find any POST request to the aura endpoint. You'll know you've found the right one when there's a message parameter in the body:

Final step, and this is where you learn whether the target is vulnerable or not: edit the message parameter by replacing its value with this (you don't even have to encode it):

If the result shows Success and an email address such as john@target.com or john@gmail.com, congrats, you have very likely found a Low bug/P4.

But if it shows an email address like something@salesforce.com, or null, or "Guest user isn't authorized", then they have properly configured that subdomain and you should move on.
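The three outcomes above boil down to one decision rule over the response body. The helper below is an added example, not code from the post, written for a site owner who wants to verify their own community's guest-user configuration from a captured response rather than by eyeballing it. The request body the post refers to is not reproduced on the page and is not supplied here; the sample responses are constructed, and the `actions`/`state`/`returnValue` layout is an assumption about the response shape.

```python
import json
from typing import Any, Iterator, Tuple

# Constructed sample responses (not captured from any real site), one per outcome
# the post describes. The JSON layout is an assumption, not a documented format.
SAMPLE_EXPOSED = json.dumps({
    "actions": [{"state": "SUCCESS",
                 "returnValue": {"Name": "John Doe", "Email": "john@target.com"}}]
})
SAMPLE_DEFAULT = json.dumps({
    "actions": [{"state": "SUCCESS",
                 "returnValue": {"Name": "Guest", "Email": "guest@salesforce.com"}}]
})
SAMPLE_NULL = json.dumps({
    "actions": [{"state": "SUCCESS",
                 "returnValue": {"Name": "Guest", "Email": None}}]
})
SAMPLE_DENIED = "Guest user isn't authorized"


def _walk(node: Any) -> Iterator[Tuple[str, Any]]:
    """Yield every (key, value) pair from arbitrarily nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def classify(body: str) -> str:
    """Apply the post's rule to a response body.

    Returns "exposed" when the call succeeded and a non-Salesforce email came
    back (the Low/P4 case), otherwise "ok" (denied, null, or a default
    @salesforce.com placeholder account).
    """
    if "Guest user isn't authorized" in body:
        return "ok"  # guest access denied: properly configured
    try:
        data = json.loads(body)
    except ValueError:
        return "ok"  # not JSON at all: nothing useful was returned
    succeeded = any(key.lower() == "state" and str(value).upper() == "SUCCESS"
                    for key, value in _walk(data))
    emails = [value for key, value in _walk(data) if key.lower() == "email"]
    if not succeeded or not emails:
        return "ok"
    for email in emails:
        if not isinstance(email, str):
            continue  # null email: default state, nothing leaked
        if email.lower().endswith("@salesforce.com"):
            continue  # Salesforce's own placeholder, not a customer user
        if "@" in email:
            return "exposed"
    return "ok"


def audit(samples: dict) -> dict:
    """Classify a batch of captured responses keyed by site name."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    results = audit({
        "help.example.com": SAMPLE_EXPOSED,
        "support.example.com": SAMPLE_DEFAULT,
        "community.example.com": SAMPLE_NULL,
        "state.example.com": SAMPLE_DENIED,
    })
    for site, verdict in results.items():
        print(f"{site}: {verdict}")
```

Only the "exposed" verdict maps to the Low/P4 finding in the post; every other branch means the guest profile is returning nothing a guest shouldn't see, which is the state a site owner wants to confirm after tightening the community's guest user profile.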

The Low vs The Critical

There are plenty of Salesforce websites with this Low/P4 type of bug. It is quick and easy to test, but getting any bounty for it can be a process (so far, in my experience, the bounty for this one has been between $50 and $150).

But then there's the Medium, the High and the Critical, of which the Critical is the rarest breed.

The Big Stuff

The small stuff is simply getting the User/UserProfile call to return a non-default, non-null value; the medium and the big stuff are where it gets truly interesting.


Written by Vuk Ivanovic

IT Security and bug bounty hunting, knowledge collector especially anything with word quantum, and sometimes writer of fiction.
