Mandiant released AuraInspector, an open-source command-line tool to help defenders identify and audit access control misconfigurations in the Salesforce Aura framework and Experience Cloud. The post documents techniques attackers can use—including abusing Aura methods, action-bulking, Record Lists, Home URLs, self-registration discovery, and a GraphQL Aura controller that bypasses the 2,000-record limit—and provides remediation guidance. #AuraInspector #Salesforce
Keypoints
- Mandiant released AuraInspector to automate detection of Aura-framework access control misconfigurations in Salesforce Experience Cloud.
- Common misconfigurations allow guest or low-privilege users to access sensitive object records (e.g., Account) and associated Record Lists or admin pages.
- Aura methods like getItems, getConfigData, getInitialListViews, and getAppBootstrapData can reveal accessible objects, record lists, and home URLs when permissions are overly permissive.
- Action bulking (“boxcar’ing”) lets attackers bundle up to hundreds of Aura actions in a single request to retrieve many object records efficiently; Mandiant recommends limiting to ~100 actions to avoid Content-Length issues.
- A previously undocumented GraphQL Aura controller enables pagination and consistent retrieval beyond the 2,000-record limit for UIAPI-supported objects, allowing attackers to enumerate large datasets when misconfigurations exist.
- Recommended remediation steps include auditing Guest User permissions, securing sharing rules and org-wide defaults, disabling self-registration if unnecessary, and following Salesforce security best practices and Health Check.
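As an added illustration (not code from the Mandiant post or from AuraInspector), a small Python checker that parses captured /aura POST bodies and flags the two patterns above, action bulking and use of the GraphQL controller, so a defender can spot them in proxy or WAF logs. It assumes the usual Aura wire shape of a form-encoded `message` field carrying a JSON `actions` array; the sample bodies and the `entityNameOrId` parameter name are constructed/assumed for the demonstration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Descriptors taken from the post; the ~100-action figure is the bulking ceiling it cites.
GRAPHQL_DESCRIPTOR = "aura://RecordUiController/ACTION$executeGraphQL"
LIST_DESCRIPTOR = ("serviceComponent://ui.force.components.controllers.lists."
                   "selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems")
BULK_THRESHOLD = 100

def _body(actions):
    """Build a constructed form-encoded Aura POST body (assumed wire shape, not real traffic)."""
    return urlencode({"message": json.dumps({"actions": actions}),
                      "aura.context": "{}", "aura.token": "null"})

# Constructed samples: one normal list read, one bulked request, one GraphQL controller call.
SAMPLE_BODIES = [
    _body([{"id": "1;a", "descriptor": LIST_DESCRIPTOR,
            "params": {"entityNameOrId": "Account", "pageSize": 1000}}]),  # param name assumed
    _body([{"id": f"{i};a", "descriptor": LIST_DESCRIPTOR,
            "params": {"entityNameOrId": "Account"}} for i in range(150)]),
    _body([{"id": "1;a", "descriptor": GRAPHQL_DESCRIPTOR, "params": {"query": "..."}}]),
]

def inspect_aura_body(body: str) -> dict:
    """Parse one /aura request body and return the facts a detection rule needs."""
    fields = parse_qs(body, keep_blank_values=True)
    try:
        message = json.loads(fields.get("message", ["{}"])[0])
    except json.JSONDecodeError:
        return {"actions": 0, "descriptors": [], "objects": [], "flags": ["unparseable"]}
    actions = message.get("actions", [])
    descriptors = [a.get("descriptor", "") for a in actions]
    # Objects named in list reads; entityNameOrId is an assumed parameter name.
    objects = sorted({a.get("params", {}).get("entityNameOrId") for a in actions} - {None})
    flags = []
    if len(actions) >= BULK_THRESHOLD:
        flags.append("action_bulking")      # boxcar'ed request, see keypoint above
    if GRAPHQL_DESCRIPTOR in descriptors:
        flags.append("graphql_controller")  # pagination path beyond the 2,000-record limit
    if any(d.endswith("$getItems") for d in descriptors):
        flags.append("record_list_read")
    return {"actions": len(actions), "descriptors": descriptors, "objects": objects, "flags": flags}

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(inspect_aura_body(body)["flags"])
```

Guest-context requests that trip `action_bulking` or `graphql_controller` against objects the guest profile should not see are the ones to cross-check against the permission audit the post recommends.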
MITRE Techniques
- [NotApplicable] No MITRE ATT&CK techniques were explicitly mentioned in the article.
Indicators of Compromise
- [Domain] Experience Cloud / Salesforce domain patterns used to detect hidden Salesforce integrations – *.vf.force.com, *.my.salesforce.com, and *.my.salesforce-sites.com
- [URL path] Endpoints referenced for Aura and GraphQL interactions – /aura, /services/data/v64.0/graphql
- [Aura Controller/Descriptor] Example Aura controller descriptors used in requests – serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems, aura://RecordUiController/ACTION$executeGraphQL
- [Aura Method] Aura methods that expose configuration or registration details – getConfigData, getInitialListViews (and other methods such as getAppBootstrapData, getIsSelfRegistrationEnabled)
- [Record List URL pattern] Direct record list browsing pattern – /s/recordlist/
Read more: https://cloud.google.com/blog/topics/threat-intelligence/auditing-salesforce-aura-data-exposure/