Mandiant has released AuraInspector, an open-source tool for identifying security issues in Salesforce Experience Cloud. The tool helps administrators detect misconfigurations in the Aura framework that lead to unauthorized access to sensitive data.
Mandiant Offensive Security Services regularly identifies serious security issues in Salesforce Experience Cloud implementations. Unauthorized users gain access to credit card numbers, identity documents, and medical data due to incorrect access control settings. These misconfigurations often go unnoticed until it is too late. The new command-line tool, AuraInspector, is designed to help administrators and security teams detect these vulnerabilities early.
GraphQL technique to bypass limits
According to Mandiant, AuraInspector offers more than just detection of standard misconfigurations. The tool includes a previously undocumented technique that uses GraphQL to bypass standard record retrieval limits. This shows how attackers can extract entire databases, even when basic security controls are in place.
The Aura framework serves as the foundation for Salesforce Lightning Experience and Experience Cloud. It uses a single-page application model in which the front end retrieves information from the backend system via an Aura endpoint. That endpoint is central to many attacks on Salesforce environments.
External scanning without logging in
The tool allows administrators to scan their Salesforce environment without special access or login credentials. AuraInspector analyzes the Aura endpoint and calls the getConfigData method, which returns a list of objects in the backend database.
What the scan returns depends on the privileges of the context in which the calls are made. The tool attempts to call various aura-enabled methods via the endpoint's message parameter. In this way, the tool identifies which objects and data are accessible to unauthorized users.
Mandiant publishes AuraInspector as an open-source tool, available to everyone. Security teams and administrators can use the tool immediately to audit their Salesforce Experience Cloud environments. The tool provides actionable insights for remediation, enabling organizations to close vulnerabilities before attackers exploit them.