AuraInspector: Open-source tool to audit Salesforce Aura access control misconfigurations

Google and its Mandiant threat intelligence unit have released AuraInspector, an open-source tool aimed at auditing data access paths in Salesforce Experience Cloud applications. The tool focuses on the Aura framework, which underpins many Salesforce user interfaces and plays a central role in how data is retrieved and displayed.


Focus on Aura endpoints in Experience Cloud

AuraInspector is designed to examine how Salesforce Aura endpoints expose data through standard application functions. Experience Cloud sites rely on Aura components to deliver records to users, including unauthenticated or external users in some deployments.

Mandiant said the structure of Salesforce permissions makes these environments difficult to audit at scale.

“To date, a real challenge for Salesforce administrators is that Salesforce objects sharing rules can be configured at multiple levels, complexifying the identification of potential misconfigurations. Consequently, the Aura endpoint is one of the most commonly targeted endpoints in Salesforce Experience Cloud applications,” Mandiant Cyber Security Consultants said.

How the tool evaluates data access

AuraInspector operates as a command-line tool that queries Aura endpoints and analyzes the responses for signs of excessive data exposure. It checks record list components, object permissions, and self-registration configurations that can affect what data is returned to users.

Aura methods are designed to return limited sets of records under defined permission models. Certain query patterns, including sorting and pagination techniques, can retrieve larger datasets when permissions allow it. AuraInspector automates these checks and surfaces the results for review.

AuraInspector is available for free on GitHub.
