A Not So Comprehensive Guide to Securing Your Salesforce Organization

This article highlights the critical security oversights in Salesforce, particularly focusing on the vulnerabilities associated with unsecured SOQL queries in Apex code and the dangers of storing sensitive credentials in cleartext. It sets the stage for further exploration of exploitation scenarios in the next installment. Affected: Salesforce Organizations, Apex Developers

Key points:

  • Salesforce security is often neglected by organization owners and security professionals.
  • Improperly secured SOQL queries in Apex code can lead to data exposure.
  • The use of ‘with sharing’ in Apex does not fully enforce object- and field-level security.
  • SOQL queries issued in Apex can bypass the sharing model, leading to unauthorized data access.
  • Storing sensitive information in cleartext in Custom Metadata Types, Custom Settings, and Custom Objects poses serious security risks.
  • Using cleartext credentials in Apex code comments can expose sensitive data.
  • Developers should never store credentials in cleartext and should use secure alternatives instead.
  • Managed packages utilize namespaces and OAuth for secure application distribution and data access.
  • The Salesforce REST API allows for interaction with Salesforce data, and the ‘API Enabled’ permission is crucial for security.
  • Apex Actions allow exposing Apex logic securely via the REST API while requiring caution in data handling.
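The second, third and fourth points above (insecure SOQL, a sharing keyword that does not cover object- or field-level security, and queries running in system mode) as an added example written for this summary, not code from the NetSPI post; the class, object and field names (LeakyRetriever, SafeRetriever, SSN__c) are assumed, and the two classes would live in two separate Apex files.

```apex
// Added illustrative example; class, object and field names are assumed.
// 'without sharing' runs in system mode: record sharing is ignored, and no
// object- or field-level security (FLS) check happens before data is returned.
public without sharing class LeakyRetriever {
    public static List<Contact> find(String nameFragment) {
        // Concatenating user input into the query text also lets that input
        // change the query itself (SOQL injection).
        return Database.query(
            'SELECT Id, Name, SSN__c FROM Contact WHERE Name LIKE \'%' + nameFragment + '%\'');
    }
}

// Hardened version: 'with sharing' applies record-level sharing rules, and
// WITH USER_MODE additionally enforces object- and field-level security, so a
// user lacking read access to SSN__c gets a QueryException instead of the data.
public with sharing class SafeRetriever {
    public static List<Contact> find(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        // A bind variable keeps the input out of the query text entirely.
        return [SELECT Id, Name, SSN__c FROM Contact
                WHERE Name LIKE :pattern
                WITH USER_MODE];
    }

    // Alternative when the query must run in system mode for a business reason:
    // strip every field the current user cannot read before records leave the class.
    public static List<Contact> findStripped(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        List<Contact> rows = [SELECT Id, Name, SSN__c FROM Contact WHERE Name LIKE :pattern];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }
}
```

A quick review check for an org: grep Apex classes for `without sharing` and for `Database.query(` calls that build their string by concatenation, then confirm each is either justified or rewritten with bind variables and WITH USER_MODE.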

MITRE Techniques:

  • T1171 – Application Layer Protocol: Leveraging Apex code to manipulate and access Salesforce data while bypassing security measures.
  • T1070 – Indicator Removal on Host: Storing sensitive credentials in various locations, including Custom Metadata Types and Apex comments, where they can easily be accessed without authorization.
  • T1071 – Application Layer Protocol: Utilizing the Salesforce REST API and Managed Packages to interact with data and credentials without direct access to underlying code.

Indicators of Compromise:

  • [Domain] example.com
  • [Custom Metadata Type] myCompany_Integration_Creds__mdt
  • [Custom Setting] myCompany_CustomSetting__c
  • [Custom Object] myCompany_CustomObject__c
  • [Apex Class] DataRetriever


Full Story: https://www.netspi.com/blog/technical-blog/web-application-pentesting/securing-your-salesforce-organization/