An Aura based Experience Cloud, if misconfigured, can be used to mass download all data that the Public Guest Site User can access. If you know how to ask, the Experience Site will also tell you which Apex methods are available and what their properties are – even if the Apex method is not actually used on the site. You can execute the Apex method, too, and get all its response data. Put on your black hat for this session and learn how a few lines of code are enough to scan any Aura Experiences Site for weaknesses, extract all the data, and call Apex.

1. Black Hat Session
Exploring and Exploiting Aura based Experiences

2. OUR SPONSORS

3. Thank you
for being awesome
and responsible

4. #CD2023 @CzechDreamin
Principal Technical Evangelist Salesforce
DIA die.interaktiven GmbH & Co KG
- Munich Salesforce Developer Group Co/Leader
- Community Events & Dreamforce Speaker
- Avid Release Notes & Framework Reader
- Follow me on Twitter: @ch_sz_knapp
Christian Szandor Knapp

5. #CD2023 @CzechDreamin
Agenda

6. #CD2023 @CzechDreamin
- News but no news
Despite Salesforce restricting things
- Demo
The experience
The exploit(s)
- How does it work?
- Q&A
Agenda

7. #CD2023 @CzechDreamin
Krebs On Security
“Until being contacted by this reporter on Monday, the state of
Vermont had at least five separate Salesforce Community sites that
allowed guest access to sensitive data, including a Pandemic
Unemployment Assistance program that exposed the applicant’s full
name, Social Security number, address, phone number, email, and
bank account number.”
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-
are-leaking-private-data/
https://arstechnica.com/information-technology/2023/04/misconfigured-
servers-running-salesforce-software-are-leaking-sensitive-data/

8. #CD2023 @CzechDreamin
https://www.enumerate
d.de/index/salesforce
(404)
https://www.enumerated.de/index/salesforce (404)

9. #CD2023 @CzechDreamin
- Introduced External Sharing Model
Since Summer ‘20 nerfing Guest User Profile
- reduced CRUD to READ, CREATE
- Guest User cannot own records anymore
- Secure Guest Site User Record Access Option [cannot be turned off]
- Private Sharing Model for Guest Site Users
- No Manual Sharing
- No Public Group Membership
- No Queue Membership
- No View All / Modify All for Guest Users
- Summer 23: Restrict sending of Emails without Org Wide Email
- All Guest User details: https://help.salesforce.com/s/articleView?id=sf.networks_guest_policies_timelines.htm&type=5
Working on it
- Removing /s/ from experience urls
What’s Salesforce doing about it?

10. #CD2023 @CzechDreamin
Demo

11. #CD2023 @CzechDreamin
Demo

12. #CD2023 @CzechDreamin
How does it work?

13. #CD2023 @CzechDreamin
Web Request and Redirects
fetch and bootstrap.js with session/experience specific details
bootstrap.js will boot and load the aura framework
aura framework will fetch more details on what to
display
For a public community, this must work unauthenticated
How does Aura know what to display?

14. #CD2023 @CzechDreamin
Burp Suite Community Edition

15. #CD2023 @CzechDreamin
Web Request and Redirects
fetch and bootstrap.js with session/experience specific details
call aura endpoint with “object list” payload
How does fetching all available sObjects work?

16. #CD2023 @CzechDreamin
Web Request and Redirects
fetch and bootstrap.js with session/experience specific details
extract “route” and “view” details
call aura endpoint with “component details” payload
return results
How does fetching Components work?

17. #CD2023 @CzechDreamin
Web Request and Redirects
fetch and bootstrap.js with session/experience specific details
extract “route” and “view” details
call aura endpoint with “component details” payload
call aura endpoint with “component definition”
payload
extract Apex Details for Aura and LWC
How does fetching Apex Methods work?

18. #CD2023 @CzechDreamin
Web Request and Redirects
fetch and bootstrap.js with session/experience specific details
call aura endpoint with “aura action” payload
How does calling Apex work?

19. #CD2023 @CzechDreamin
Can I use this at home?

20. #CD2023 @CzechDreamin
Q&A

21. #CD2023 @CzechDreamin
Repositories
https://github.com/forcedotcom/aura
https://github.com/Szandor72/czd23-aura-experience-to-exploit
https://github.com/Szandor72/poc_salesforce_lightning
Guest Site User Best Practices
https://help.salesforce.com/s/articleView?id=sf.networks_guest_profile_best_practices.htm&type=5
More details and many additional endpoints
https://www.varonis.com/blog/abusing-salesforce-communities
Guest User Record Access Report (AppExchange)
https://appexchange.salesforce.com/appxListingDetail?listingId=a0N3A00000FR6GaUAL
Resources

22. Thank you