Open-Source Tool for Salesforce Aura Framework Misconfiguration Analysis
Mandiant has released AuraInspector, an open-source command-line tool that helps security defenders identify and audit access-control misconfigurations in the Salesforce Aura framework.

The tool addresses a critical security gap in Salesforce Experience Cloud deployments, where misconfigurations frequently expose sensitive data, including credit card numbers, identity documents, and health information.

The Aura endpoint, a core component of Salesforce’s Lightning interface that serves the framework’s server-side actions, is one of the most commonly targeted attack surfaces in Experience Cloud applications.

Salesforce’s object sharing rules span multiple configuration levels (organization-wide defaults, profiles, permission sets, sharing rules, and guest user settings), making it difficult for administrators to tell from an external perspective which records are actually reachable.

AuraInspector automates the detection of these exposures and provides actionable remediation insights.

The tool leverages several attack techniques previously documented by Mandiant’s Offensive Security Services team.


AuraInspector features, as listed by Mandiant:

Automatic Aura Detection: finds the Aura endpoint automatically.
Object Access Scan: checks which objects and records are accessible.
Record List Discovery: finds exposed record lists and their URLs.
Self-Registration Check: checks whether self-signup is enabled and retrieves the signup links.
URL Discovery: finds home and admin URLs automatically.
GraphQL Bypass: uses a GraphQL method to fetch more than 2,000 records.
Action Bulking: sends multiple actions in one request.
Read-Only Mode: only reads data and makes no changes.
Command-Line Tool: simple CLI for scanning and reporting.
Open Source: available on GitHub.

It identifies accessible objects via Aura controller actions such as getItems and getConfigData, which return records and object metadata to any caller (including the unauthenticated guest user) when sharing settings or object permissions are too permissive.
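To make the "Object Access Scan", "Action Bulking" and "Read-Only Mode" features from the list above concrete, here is an added example (not AuraInspector's own code, and not from Mandiant) showing what a bulked Aura request looks like and how its response is read. It assumes the publicly documented Aura wire format (form fields message, aura.context and aura.token, with aura.token set to the string "undefined" for the guest user), the getItems descriptor string that public Aura research uses, and a getItems return shape of returnValue.result[].record plus returnValue.totalCount; all three should be confirmed against a live request to the target before relying on them. The fwuid value and the response below are constructed for the example. The script never sends anything: it builds the POST body and parses a constructed reply.

```python
"""Build one bulked Aura 'message' carrying a read-only getItems action per
object, refuse anything that is not read-only, and summarise the reply."""
import json
import uuid

# Assumption: descriptor of the record-list data provider used in public Aura
# research to enumerate records. Verify it against the target's own bundled JS.
GET_ITEMS = ("serviceComponent://ui.force.components.controllers.lists."
             "selectableListDataProvider.SelectableListDataProviderController"
             "/ACTION$getItems")

# The only descriptors this script will ever send. Refusing everything else
# is how a client-side "read-only mode" is enforced.
READ_ONLY_DESCRIPTORS = frozenset({GET_ITEMS})


def get_items_action(object_name, page_size=100, current_page=0):
    """One getItems action asking for a page of records of object_name."""
    return {
        "id": f"{uuid.uuid4().hex[:6]};a",  # unique per action; echoed back by the server
        "descriptor": GET_ITEMS,
        "callingDescriptor": "UNKNOWN",
        "params": {
            "entityNameOrId": object_name,
            "layoutType": "FULL",
            "pageSize": page_size,
            "currentPage": current_page,
            "useTimeout": False,
            "getCount": True,
            "enableRowActions": False,
            "enableRowSelect": False,
            "filterName": "",
            "sortBy": "",
            "sortDirection": "",
            "search": "",
        },
    }


def build_bulk_message(object_names, page_size=100):
    """Action bulking: one Aura message with one getItems action per object."""
    return {"actions": [get_items_action(name, page_size) for name in object_names]}


def assert_read_only(message):
    """Raise ValueError if any action is not on the read-only allowlist."""
    for action in message["actions"]:
        if action["descriptor"] not in READ_ONLY_DESCRIPTORS:
            raise ValueError(f"non-read-only action refused: {action['descriptor']}")
    return True


def build_form_body(message, fwuid, app="siteforce:communityApp"):
    """Form fields of the POST to the Aura endpoint (for example /s/sfsites/aura).

    fwuid is the framework UID the site serves in its own pages. The guest user
    sends aura.token as the literal string 'undefined'. Field names follow the
    public Aura wire format (assumption: compare with a captured request)."""
    assert_read_only(message)
    context = {"mode": "PROD", "fwuid": fwuid, "app": app,
               "loaded": {}, "dn": [], "globals": {}, "uad": False}
    return {"message": json.dumps(message),
            "aura.context": json.dumps(context),
            "aura.token": "undefined"}


def parse_bulk_response(message, response_json):
    """Map each returned action back to the object it was sent for.

    Returns {object_name: {"state": str, "total": int|None, "ids": [...]}}.
    Assumption: SUCCESS replies carry returnValue.totalCount and
    returnValue.result[].record.Id, as seen in public getItems write-ups."""
    by_id = {a["id"]: a["params"]["entityNameOrId"] for a in message["actions"]}
    summary = {}
    for ret in response_json.get("actions", []):
        obj = by_id.get(ret.get("id"))
        if obj is None:
            continue  # not one of ours
        entry = {"state": ret.get("state"), "total": None, "ids": []}
        if ret.get("state") == "SUCCESS":
            rv = ret.get("returnValue") or {}
            entry["total"] = rv.get("totalCount")
            entry["ids"] = [r["record"]["Id"] for r in rv.get("result", []) if "record" in r]
        summary[obj] = entry
    return summary


if __name__ == "__main__":
    msg = build_bulk_message(["Contact", "Account"], page_size=50)
    body = build_form_body(msg, fwuid="EXAMPLE-FWUID")  # constructed value
    ids = [a["id"] for a in msg["actions"]]
    # Constructed reply: Contact is exposed (2,413 records), Account is not.
    reply = {"actions": [
        {"id": ids[0], "state": "SUCCESS", "returnValue": {"totalCount": 2413,
            "result": [{"record": {"Id": "003000000000001AAA"}}]}},
        {"id": ids[1], "state": "ERROR", "error": [{"message": "no access"}]},
    ]}
    for obj, info in parse_bulk_response(msg, reply).items():
        print(f"{obj:8} {info['state']:8} total={info['total']} sample={info['ids']}")
```

A SUCCESS state with a non-zero totalCount for an object the guest user should not see is the finding; an ERROR state is the expected outcome on a correctly configured site. Because every action goes through assert_read_only, a typo that substitutes a write descriptor is refused before any request is built.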

AuraInspector also checks for exposed Record Lists, Salesforce list components that give direct access to an object’s records when the underlying permissions are misconfigured.

A significant feature is the tool’s ability to detect enabled self-registration endpoints.

Mandiant observed instances in which the self-registration link had been removed from the login page, yet the functionality itself remained enabled, still allowing unauthorized account creation.

Breakthrough: GraphQL Integration

AuraInspector introduces a technique, which Mandiant describes as previously undocumented, that uses Salesforce’s GraphQL Aura controller to bypass the 2,000-record retrieval limit of the standard list actions.

Figure caption (truncated in the source): using the GraphQL Aura Controller

This allows a comprehensive assessment of a misconfiguration’s impact without the manual sort-and-filter workarounds otherwise needed to page past the limit.

The tool automates the construction of GraphQL queries to retrieve complete datasets when access controls fail.

The tool automatically discovers critical contextual information, including Aura endpoints, home and record list URLs, self-registration status, and accessible administration panels.

It performs strictly read-only operations, so tested instances remain unmodified. Mandiant recommends that administrators audit guest user permissions against the principle of least privilege.

Figure: help message of the AuraInspector tool

Administrators should also review sharing rules and organization-wide defaults, turn off self-registration where it is not needed, and apply Salesforce’s published security best practices.

The Security Health Check tool and the comprehensive Salesforce Security Guide provide additional guidance for hardening.

AuraInspector is available now on GitHub, enabling security teams to proactively identify and remediate Aura-related exposures before adversaries exploit them.