{"id":17993626,"url":"https://github.com/cosad3s/salsa","last_synced_at":"2025-07-14T10:34:49.533Z","repository":{"id":250159153,"uuid":"832339431","full_name":"cosad3s/salsa","owner":"cosad3s","description":"SALSA 💃⚡ - SALesforce Scanner for Aura (and beyond). Enumeration of vulnerabilities and misconfigurations against Salesforce endpoint.","archived":false,"fork":false,"pushed_at":"2025-01-26T21:58:37.000Z","size":397,"stargazers_count":21,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-07-08T00:12:05.776Z","etag":null,"topics":["bugbounty","hacking","salesforce","security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cosad3s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-07-22T20:26:02.000Z","updated_at":"2025-03-28T01:01:34.000Z","dependencies_parsed_at":"2024-08-02T21:11:44.396Z","dependency_job_id":"8de91607-710c-43eb-ac09-0b696b523424","html_url":"https://github.com/cosad3s/salsa","commit_stats":null,"previous_names":["cosad3s/salsa"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/cosad3s/salsa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cosad3s%2Fsalsa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cosad3s%2Fsalsa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cosad3s%2Fsalsa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
cosad3s%2Fsalsa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cosad3s","download_url":"https://codeload.github.com/cosad3s/salsa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cosad3s%2Fsalsa/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265281025,"owners_count":23739859,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","hacking","salesforce","security"],"created_at":"2024-10-29T20:12:21.376Z","updated_at":"2025-07-14T10:34:49.478Z","avatar_url":"https://github.com/cosad3s.png","language":"Java","funding_links":["https://www.buymeacoffee.com/cosades"],"categories":[],"sub_categories":[],"readme":"# SALSA - *SALesforce Scanner for Aura (and beyond)*\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"./assets/logo.jpeg\" width=\"150\"\u003e\n\n**SALSA** has been developed over a lot of my personal free time, to help me with pentesting and bug hunting activities against Salesforce Lightning (Aura) and API assets. Please note it is fully experimental.\n\nI decided to share it for free, to help the community.  
\n*If you would ever like to buy me a coffee or a beer* 😇 :\n\n[![\"Buy Me A Coffee\"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/cosades)  \n\n\u003c/p\u003e\n\n## Features\n\n- Enumeration and/or dump of data records (*and sub-records*) from:\n  - Aura controllers\n  - REST services API (direct sObjects `/services/data/v60.0/sobjects` or SOQL `/services/data/v60.0/query/`)\n  - SOAP (`/services/Soap/c/`)\n- Works as an unauthenticated or authenticated user (*username / password, `sid` or `aura.token`*).\n- Enumeration of record entity types (with or without custom entity `*__c` filtering) from:  \n  - Harvesting the target's APIs\n  - And/or reflection over Salesforce packages\n  - And/or entities encountered in the wild\n- Test for a targeted record identifier.\n- Bruteforcing record identifiers.\n- ⚠️ Automated test for arbitrary record creation.\n- ⚠️ Automated test for arbitrary record field edits.\n- *And more: routing through an HTTP proxy for investigation, custom User-Agent, automated discovery of entity fields, FWUID auto-detection, etc.*\n\n⚠️: *dangerous \u0026 experimental*\n\n## Usage\n\n### Help\n\n```bash\nusage: SALSA 💃⚡ - SALesforce Scanner for Aura (and beyond)\n       [-h] -t TARGET [-u USERNAME] [-p PASSWORD] [--sid SID] [--token TOKEN] [--path PATH] [--id ID] [--bruteforce] [--types TYPES] [--update] [--create] [--ua UA] [--proxy PROXY] [--dump]\n       [--output OUTPUT] [--typesintrospection] [--typeswordlist] [--typesapi] [--custom] [--app APP] [--force] [--debug] [--trace]\n\nEnumeration of vulnerabilities and misconfiguration against Salesforce endpoint.\n\nnamed arguments:\n  -h, --help             show this help message and exit\n  -t TARGET, --target TARGET\n                         Target URL\n  -u USERNAME, --username USERNAME\n                         Username (for authenticated mode)\n  -p PASSWORD, --password PASSWORD\n                         Password (for authenticated mode)\n  --sid SID    
          The SID cookie value (for authenticated mode - instead of username/password)\n  --token TOKEN          The aura token (for authenticated mode - instead of username/password)\n  --path PATH            Set specific base path.\n  --id ID                Find a specific record from its id.\n  --bruteforce           Enable bruteforce of Salesforce identifiers from a specific record id (from --recordid). (default: false)\n  --types TYPES          Target record(s) only from following type(s) (should be comma-separated).\n  --update               Test for record fields update permissions (WARNING: will inject data in the app!). (default: false)\n  --create               Test for record creation permissions (WARNING: will inject data in the app!). (default: false)\n  --ua UA                Set specific User-Agent.\n  --proxy PROXY          Use following HTTP proxy (ex: 127.0.0.1:8080).\n  --dump                 Dump records as Json files. (default: false)\n  --output OUTPUT        Output folder for dumping records as Json files.\n  --typesintrospection   Use record types from Salesforce package introspection. (default: false)\n  --typeswordlist        Use record types from internal wordlist. (default: false)\n  --typesapi             Use record types from APIs on the target. (default: false)\n  --custom               Only target custom record types (*__c). (default: false)\n  --app APP              Custom AURA App Name.\n  --force                Continue the scanning actions even if in case of incoherent or incorrect results. (default: false)\n  --debug                Increase the log level to DEBUG mode. (default: false)\n  --trace                Increase the log level to TRACE mode. 
(default: false)\n```\n\n### Examples\n\n\u003cdetails\u003e\n    \u003csummary\u003eSimple scan - Unauthenticated\u003c/summary\u003e\n\n```bash\njava -jar target/salsa-jar-with-dependencies.jar -t https://www.target.com --typesapi\n\n[*] Searching for Salesforce Aura instance on https://www.target.com ...\n[!] Found Salesforce Aura instance on path: /aura\n[!] Scan will continue as unauthenticated (guest) user ...\n[*] Looking for all objects with standard or custom types.\n[*] Will retrieve all sObjects types known by the target from Aura service.\n[*] Found 2111 object types from Salesforce Aura service!\n[*] Will retrieve all sObjects types known by the target from REST sObject API.\n[*] Aura: looking for records for type AINaturalLangProcessRslt\n[*] Aura: looking for records for type AINtrlLangProcChunkRslt\n[*] Aura: looking for records for type AIPredictionScore\n(...)\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n    \u003csummary\u003eSimple scan - Unauthenticated - Custom types only\u003c/summary\u003e\n\n```bash\n❯ java -jar target/salsa-jar-with-dependencies.jar -t https://www.target.com --typesapi --custom\n\n[*] Searching for Salesforce Aura instance on https://www.target.com ...\n[!] Found Salesforce Aura instance on path: /aura\n[!] Scan will continue as unauthenticated (guest) user ...\n[*] Looking for all objects with standard or custom types.\n[*] Will retrieve all sObjects types known by the target from Aura service.\n[*] Found 2111 object types from Salesforce Aura service!\n[*] Will retrieve all sObjects types known by the target from REST sObject API.\n[*] Reducing to 4 custom object types.\n[*] Aura: looking for records for type CountryLanguage__c\n[*] Looking for sObject with recordId 00B0H000007t1qlUAA and type(s) [ListView].\n[!] 
The recordId 00B0H000007t1qlUAA cannot be found through descriptor serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord (error: We couldn't find the record you're trying to access. It may have been deleted by another user, or there may have been a system error. Ask your administrator for help.).\n[!] No records found from recordId 00B0H000007t1qlUAA and descriptor serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord: {objectMetadata={ListView={_nameField=Name, _entityLabel=List View, _keyPrefix=00B}}, quickActionRecordTemplates={}, recordErrors={00B0H000007t1qlUAA={message=We couldn't find the record you're trying to access. It may have been deleted by another user, or there may have been a system error. Ask your administrator for help.}}, records={}, recordTemplates={}, resolvedDraftIds=[], quickActionMetadata={}, refreshErrors=[], requestIds={00B0H000007t1qlUAA=[00B0H000007t1qlUAA.null.null.null.Id.VIEW]}, purgedRecordIds=[], layouts={}}\n[*] Aura: looking for records for type Country__c\n[*] Looking for sObject with recordId 00B0H000007t1qgUAA and type(s) [ListView].\n(...)\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n    \u003csummary\u003eSimple scan - Unauthenticated - Targeted record type and bruteforce\u003c/summary\u003e\n\n```bash\n❯ java -jar target/salsa-jar-with-dependencies.jar -t https://www.target.com --types Store__History --id 0176S0001GvGwvEQQS --bruteforce\nPicked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\n[*] Searching for Salesforce Aura instance on https://www.target.com ...\n[!] Found Salesforce Aura instance on path: /aura\n[!] Scan will continue as unauthenticated (guest) user ...\n[*] Looking for sObject with recordId 0176S0001GvGwvMQQS and type(s) [Store__History].\n[!] Cannot find fields for object type Store__History through descriptor aura://RecordUiController/ACTION$getObjectInfo.\n[!] 
Cannot find record with fields for ID 0176S0001GvGwvMQQS and type Store__History.\n[!] The recordId 0176S0001GvGwvMQQS cannot be found through descriptor serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord (error: You don't have access to this record. Ask your administrator for help or to request access.).\n[!] No records found from recordId 0176S0001GvGwvMQQS and descriptor serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord: {objectMetadata={}, quickActionRecordTemplates={}, recordErrors={0176S0001GvGwvMQQS={message=You don't have access to this record. Ask your administrator for help or to request access., inaccessible=true}}, records={}, recordTemplates={}, resolvedDraftIds=[], quickActionMetadata={}, refreshErrors=[], requestIds={0176S0001GvGwvMQQS=[0176S0001GvGwvMQQS.null.null.null.Id.VIEW]}, purgedRecordIds=[], layouts={}}\n[*] Looking for sObject with recordId 0176S0001GvGwvNQQS and type(s) [Store__History].\n[!] Cannot find record with fields for ID 0176S0001GvGwvNQQS and type Store__History.\n[!] The recordId 0176S0001GvGwvNQQS cannot be found through descriptor serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord (error: You don't have access to this record. Ask your administrator for help or to request access.).\n[!] No records found from recordId 0176S0001GvGwvNQQS and descriptor serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord: {objectMetadata={}, quickActionRecordTemplates={}, recordErrors={0176S0001GvGwvNQQS={message=You don't have access to this record. 
Ask your administrator for help or to request access., inaccessible=true}}, records={}, recordTemplates={}, resolvedDraftIds=[], quickActionMetadata={}, refreshErrors=[], requestIds={0176S0001GvGwvNQQS=[0176S0001GvGwvNQQS.null.null.null.Id.VIEW]}, purgedRecordIds=[], layouts={}}\n[*] Looking for sObject with recordId 0176S0001GvGwvLQQS and type(s) [Store__History].\n[!] Cannot find record with fields for ID 0176S0001GvGwvLQQS and type Store__History.\n[!] The recordId 0176S0001GvGwvLQQS cannot be found through descriptor serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord (error: You don't have access to this record. Ask your administrator for help or to request access.).\n[!] No records found from recordId 0176S0001GvGwvLQQS and descriptor serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord: {objectMetadata={}, quickActionRecordTemplates={}, recordErrors={0176S0001GvGwvLQQS={message=You don't have access to this record. Ask your administrator for help or to request access., inaccessible=true}}, records={}, recordTemplates={}, resolvedDraftIds=[], quickActionMetadata={}, refreshErrors=[], requestIds={0176S0001GvGwvLQQS=[0176S0001GvGwvLQQS.null.null.null.Id.VIEW]}, purgedRecordIds=[], layouts={}}\n[*] Looking for sObject with recordId 0176S0001GvGwvKQQS and type(s) [Store__History].\n(...)\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n    \u003csummary\u003eSimple scan - Authenticated - Targeted record type\u003c/summary\u003e\n\n```bash\n❯ java -jar target/salsa-jar-with-dependencies.jar -t https://www.target.com --types User --sid '00Di000.REDACTED' --token \"eyJ2ZXIiOi.REDACTED\"\nPicked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\n[*] Searching for Salesforce Aura instance on https://www.target.com ...\n[!] Found Salesforce Aura instance on path: /aura\n[!] 
Will try with explicitly provided credentials {username=''}\n[*] Looking for all objects with type(s) [User].\n[*] Aura: looking for records for type User\n[!] Client is out-of-sync. Will retry with new FWUID: WFIwUmVJdm.REDACTED\n[*] Looking for sObject with recordId 005ixxxxx and type(s) [User].\n[*] Found 190 fields for sObject type User from Aura service.\n[*] Found record 005ixxxxxx with descriptor serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord!\n[*] 1 object(s) retrieved with descriptor serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems from object type User!\n[*] End of scanning of https://www.target.com\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n    \u003csummary\u003eSimple scan - Authenticated - Custom record types dump\u003c/summary\u003e\n\n```bash\n❯ java -jar target/salsa-jar-with-dependencies.jar -t https://www.target.com --typesapi --custom --sid '00Di000.REDACTED' --token \"eyJ2ZXIiOi.REDACTED\" --dump --proxy 127.0.0.1:8080\nPicked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\n[*] Searching for Salesforce Aura instance on https://www.target.com ...\n[!] Found Salesforce Aura instance on path: /aura\n[!] Will try with explicitly provided credentials {username=''}\n[*] Looking for all objects with standard or custom types.\n[*] Will retrieve all sObjects types known by the target from Aura service.\n[!] Client is out-of-sync. 
Will retry with new FWUID: WFIwUmVJ...REDACTED\n[*] Found 2111 object types from Salesforce Aura service!\n[*] Will retrieve all sObjects types known by the target from REST sObject API.\n[*] Found 279 object types from Salesforce REST sObject API!\n[*] Reducing to 24 custom object types.\n[*] Aura: looking for records for type MyOtherType__c\n[*] SOAP: looking for records for type MyOtherType__c\n[*] Found 0 entities of types MyOtherType__c through SOAP API!\n[*] Query Data API: looking for records for type MyOtherType__c\n[*] SObject Data API: looking for records for type MyOtherType__c\n[*] Aura: looking for records for type Wonderful__c\n[*] SOAP: looking for records for type Wonderful__c\n[*] Found 0 entities of types Wonderful__c through SOAP API!\n[*] Query Data API: looking for records for type Wonderful__c\n[*] SObject Data API: looking for records for type Wonderful__c\n[*] Aura: looking for records for type MyOtherTypeAgain__c\n[*] SOAP: looking for records for type MyOtherTypeAgain__c\n[*] Found 0 entities of types MyOtherTypeAgain__c through SOAP API!\n[*] Query Data API: looking for records for type MyOtherTypeAgain__c\n[*] SObject Data API: looking for records for type MyOtherTypeAgain__c\n[*] Aura: looking for records for type MyType__c\n[*] SOAP: looking for records for type MyType__c\n[*] Found 10 entities of types MyType__c through SOAP API!\n[*] Looking for sObject with recordId a4AREDACTED and type(s) [MyType__c].\n[!] Cannot find fields for object type MyType__c through descriptor aura://RecordUiController/ACTION$getObjectInfo.\n[*] Found 29 fields for sObject type MyType__c from REST sObject API.\n[!] Cannot find record with fields for ID a4AREDACTED and type MyType__c.\n[!] The recordId a4AREDACTED cannot be found through descriptor serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord (error: You don't have access to this record. Ask your administrator for help or to request access.).\n[!] 
No records found from recordId a4AREDACTED and descriptor serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord: {objectMetadata={}, quickActionRecordTemplates={}, recordErrors={a4AREDACTED={message=You don't have access to this record. Ask your administrator for help or to request access., inaccessible=true}}, records={}, recordTemplates={}, resolvedDraftIds=[], quickActionMetadata={}, refreshErrors=[], requestIds={a4AREDACTED=[a4AREDACTED.null.null.null.Id.VIEW]}, purgedRecordIds=[], layouts={}}\n[*] Found sObject a4AREDACTED of type MyType__c from REST sObject API: [MyType__c]{[[StartDateTime__c=2023-12-05T18:00:00.000+0000], [CreatedDate=2023-11-28T14:07:00.000+0000],....]}\n[*] Looking for sObject with recordId a4A6REDACTED and type(s) [MyType__c].\n[!] Cannot find record with fields for ID a4A6REDACTED and type MyType__c.\n(...)\n[*] Query Data API: looking for records for type TR_MyLV_Diamond__c\n[*] SObject Data API: looking for records for type TR_MyLV_Diamond__c\n[*] Will dump merged object a4AREDACTED to ./output2024.07.22.21.57.00/MyType__c/a4AREDACTED.json\n[*] Will dump merged object a2RREDACTED to ./output2024.07.22.21.57.00/MyOtherType__c/a2RREDACTED.json\n[*] Will dump merged object a0NREDACTED to ./output2024.07.22.21.57.00/MyOtherTypeAgain__c/a0NREDACTED.json\n(...)\n```\n\n**Dumped records are stored in a timestamped output folder**\n\n\u003c/details\u003e\n\n## Current limitations\n\n- SOAP `query` requests are limited to 10 items.\n- Bruteforcing IDs is limited to 10 items.\n\n## TODO\n\n*Release date: maybe one day*\n\n- [ ] Find \u0026 add alternative authentication methods.\n- [ ] Detect arbitrary activation of `debug` mode ([https://www.cosades.com/posts/sf_debug_mode](https://www.cosades.com/posts/sf_debug_mode)).  
\n- [ ] Download the file behind a *Document* type identifier (hit `https://ATTACHMENTS_DOMAIN/sfc/servlet.shepherd/version/download/\u003cid\u003e` - *the URL can also be found in the `Generic_DocumentDownloadPathUrl` attribute returned by descriptor `serviceComponent://ui.comm.runtime.components.aura.components.siteforce.controller.PubliclyCacheableComponentLoaderController/ACTION$getPageComponent`*)  \n- [ ] Data API - Composite: `/services/data/vXX.0/composite/batch` (POST, with example parameters: `{\"batchRequests\": [{\"method\": \"PATCH\", \"url\": \"v38.0/sobjects/OpportunityLineItem/\u003cID\u003e\", \"richInput\": {\"End_Date__c\": \"2017-01-19\"}}]}`)  \n- [ ] Data API - Anonymous Apex execution: `/services/data/vXX.0/tooling/executeAnonymous/?anonymousBody=`\n- [ ] Async API - Job: `/services/async/xx.0/job` (POST with body `\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003cjobInfo xmlns=\"http://www.force.com/2009/06/asyncapi/dataload\"\u003e\u003coperation\u003eupdate\u003c/operation\u003e\u003cobject\u003eOpportunityLineItem\u003c/object\u003e\u003ccontentType\u003eCSV\u003c/contentType\u003e\u003c/jobInfo\u003e` or `\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003cjobInfo xmlns=\"http://www.force.com/2009/06/asyncapi/dataload\"\u003e\u003cstate\u003eClosed\u003c/state\u003e\u003c/jobInfo\u003e`). Other related endpoints: `/services/data/v60.0/jobs/query`, `/services/async/xx.0/job/JOBID`, `/services/async/xx.0/job/JOBID/batch`, `/services/async/xx.0/job/JOBID/batch/BATCHID/result`\n- [ ] Apex REST API: `/services/apexrest/SoapMessage`, `/services/apexrest/Cases`\n- [ ] Find the parameters for other classic Aura controllers 🥹\n\n## Troubleshooting\n\n\u003e **Disclaimer: \"spaghetti code\" here, the result of discovering Salesforce technical contexts piece by piece through official documentation, write-ups, reverse engineering and empirical tests. 
While I can consider small feature proposals or major bug fixes, this tool is now hard to maintain.**\n\n***So, before opening an issue, please consider the following points:***\n\n1. I strongly encourage you to **switch the logging level** to `DEBUG` or `TRACE` (`--debug` / `--trace`).\n2. The tool can send **thousands of requests** and **run for hours**. Two possible consequences:\n\n- **You can be banned** by the target.\n- **The authentication could have a short expiration time on your target**. *I do not know how to detect \u0026 manage that part; there is no homogeneous behaviour for this.* I can only suggest reducing the record types to test.\n\n3. I think the tool is adapted to most Salesforce contexts, **but not all of them**.\n4. Route the tool **through an HTTP proxy** for further investigation (`--proxy 127.0.0.1:8080` for instance).\n\n## Q/A\n\n*Why does username/password authentication not work?*\n\n\u003e Because the target may not be using the Aura controller `apex://LightningLoginFormController/ACTION$login`: prefer using the `sid` (session id) or `token` (Aura token) obtained after a manual authentication.  \n\n*What is the difference between `sid` and `token`?*\n\n\u003e The `token` is used for authenticated Aura controller interactions (it is sent as the `aura.token` request parameter). The `sid` is used to interact with the other APIs, and sometimes Aura controllers too (it is sent as the `sid` cookie). The formats are not the same: the `token` looks like a JWT, while the `sid` is prefixed by the organization identifier.\n\n*Why are there limits on the amount of data dumped, in queries for example?*\n\n\u003e It could be improved with new arguments. The initial reason is that the tool can launch thousands of requests and run for hours (entity count / field count / controller count / service count / etc.). The limits are there to reduce the duration. 
Feel free to change that.\n\n*How do I find targets?*\n\n\u003e It is up to you, but it can be done with nuclei: `nuclei -rl 10 -t \"http/misconfiguration/salesforce-aura.yaml\" -l subdomains.txt`\n\n*Why is the source code so complex? Why Java?*\n\n\u003e In the beginning it was a clean set of small scripts. Discovery after discovery, I added, modified and removed parts, without unit tests. Salesforce contexts are very complex and customisable, target behaviours differ, and the code adapts to them with some inelegant if/then/else. The last reason is that I wanted the most adaptable and automated tool for this kind of assessment. I dug into complex workflows, but abandoned some steps. Why Java? Because Salesforce Apex is very close to Java, and Salesforce ships some Java libraries which can be decompiled and dynamically integrated into the tool. And I like Java (nobody is perfect).\n\n## Credits and resources\n\nThanks to all these resources (tools, write-ups, docs, ...), which helped me a lot:\n\n- https://www.fishofprey.com/\n- https://developer.salesforce.com/\n- https://developer.salesforce.com/blogs/tech-pubs/2017/01/simplify-your-api-code-with-new-composite-resources\n- https://developer.salesforce.com/docs/atlas.en-us.api_tooling.meta/api_tooling/intro_rest_resources.htm\n- https://developer.salesforce.com/docs/atlas.en-us.api_tooling.meta/api_tooling/tooling_api_objects_traceflag.htm\n- https://www.varonis.com/blog/abusing-salesforce-communities\n- https://github.com/tedconn/lwr-mobify\n- https://github.com/Ophion-Security/sret\n- https://github.com/forcedotcom/aura\n- https://github.com/jeffzmartin/SalesforceSQLSchemaGenerator\n- https://github.com/LTiDi2000/SFMisCheck/blob/main/sf.py\n- https://github.com/pingidentity/AuraIntruder/\n- https://www.youtube.com/watch?v=wHqp6laTnio\n- https://web.archive.org/web/20201031233746/https://www.enumerated.de/index/salesforce\n
- https://codefriar.wordpress.com/2014/10/30/eval-in-apex-secure-dynamic-code-evaluation-on-the-salesforce1-platform/\n- https://blog.intigriti.com/hacking-tools/hacking-salesforce-lightning-guide-for-bug-hunters\n\n## Licence\n\nReleased under [GPL-3.0 license](/LICENSE).  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcosad3s%2Fsalsa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcosad3s%2Fsalsa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcosad3s%2Fsalsa/lists"}
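The Aura exchange the README keeps coming back to (the `[!] Client is out-of-sync. Will retry with new FWUID` line in the scan output, `aura.token` versus `sid` in the Q/A, and the `inaccessible=true` flag inside `recordErrors`), shown as an added Python example. This is not SALSA's code and was not taken from the project. It assumes the public Aura wire format (`message`, `aura.context`, `aura.token` and `aura.pageURI` form fields POSTed to `/aura`), that the out-of-sync `exceptionMessage` carries the server's current FWUID after `Expected:`, and that `RecordGvpController/ACTION$getRecord` takes a `recordDescriptor` of the form `<id>.null.null.null.Id.VIEW`, as the `requestIds` echoed in the output above suggest. All record ids, FWUIDs and credentials are constructed placeholders and no network request is made: `demo()` drives the logic through a fake transport.

```python
import json
import re
from typing import Callable, Optional

# Descriptor quoted in the README's scan output (RecordGvpController.getRecord).
GET_RECORD = ("serviceComponent://ui.force.components.controllers."
              "recordGlobalValueProvider.RecordGvpController/ACTION$getRecord")
OUT_OF_SYNC = "markup://aura:clientOutOfSync"
# Assumption: the out-of-sync exceptionMessage reads
# "Framework has been updated. Expected: <server fwuid> Actual: <client fwuid>".
_FWUID_RE = re.compile(r"Expected:\s*(\S+)\s+Actual:\s*(\S+)")


def build_aura_request(descriptor: str, params: dict, fwuid: str,
                       app: str = "siteforce:communityApp",
                       token: Optional[str] = None, sid: Optional[str] = None):
    """Return (form_fields, cookies) for one Aura action POSTed to /aura."""
    message = {"actions": [{"id": "1;a", "descriptor": descriptor,
                            "callingDescriptor": "UNKNOWN", "params": params}]}
    # Minimal aura.context; a real browser client also fills "loaded" with app hashes.
    context = {"mode": "PROD", "fwuid": fwuid, "app": app, "loaded": {},
               "dn": [], "globals": {}, "uad": False}
    # The Aura token travels in the form body; a guest sends the literal "undefined".
    form = {"message": json.dumps(message, separators=(",", ":")),
            "aura.context": json.dumps(context, separators=(",", ":")),
            "aura.pageURI": "/",
            "aura.token": token if token else "undefined"}
    # The sid, by contrast, is a cookie (the value SALSA's --sid takes).
    cookies = {"sid": sid} if sid else {}
    return form, cookies


def parse_aura_response(body: str) -> dict:
    """Classify a raw Aura reply: FWUID mismatch, other exception, or action results."""
    data = json.loads(body)
    if data.get("exceptionEvent"):
        descriptor = data.get("event", {}).get("descriptor", "")
        message = data.get("exceptionMessage", "")
        if descriptor == OUT_OF_SYNC:
            m = _FWUID_RE.search(message)
            return {"kind": "out_of_sync", "new_fwuid": m.group(1) if m else None}
        return {"kind": "exception", "message": message}
    return {"kind": "actions", "actions": data.get("actions", [])}


def triage_get_record(return_value: dict) -> dict:
    """Map each record id to found / inaccessible / not_found."""
    # inaccessible=true in recordErrors means the id exists but the caller cannot
    # read it; without that flag the id did not resolve at all. That difference is
    # the existence oracle an id bruteforce relies on, even when no fields come back.
    verdict = {rid: "found" for rid in return_value.get("records", {})}
    for rid, err in return_value.get("recordErrors", {}).items():
        verdict[rid] = "inaccessible" if err.get("inaccessible") else "not_found"
    return verdict


def get_record_with_retry(send: Callable[[dict, dict], str], record_id: str,
                          fwuid: str, **auth) -> dict:
    """Call getRecord, re-sending once with the FWUID the server announces."""
    # Assumption: recordDescriptor is "<id>.null.null.null.Id.VIEW", as in the
    # requestIds echoed in the README's output.
    params = {"recordDescriptor": f"{record_id}.null.null.null.Id.VIEW"}
    for _ in range(2):
        form, cookies = build_aura_request(GET_RECORD, params, fwuid, **auth)
        parsed = parse_aura_response(send(form, cookies))
        if parsed["kind"] == "out_of_sync" and parsed["new_fwuid"]:
            fwuid = parsed["new_fwuid"]
            continue
        if parsed["kind"] != "actions":
            raise RuntimeError(parsed["message"])
        action = parsed["actions"][0]
        if action.get("state") != "SUCCESS":
            raise RuntimeError(f"action state {action.get('state')}")
        return {"fwuid": fwuid, "triage": triage_get_record(action["returnValue"])}
    raise RuntimeError("still out of sync after FWUID refresh")


# Constructed sample replies; ids, FWUIDs and credentials are placeholders, not real data.
SAMPLE_OUT_OF_SYNC = json.dumps({
    "exceptionEvent": True,
    "event": {"descriptor": OUT_OF_SYNC, "attributes": {"values": {}}},
    "exceptionMessage": "Framework has been updated. Expected: NEWFWUID123 Actual: OLDFWUID000"})
SAMPLE_GET_RECORD = json.dumps({"actions": [{"id": "1;a", "state": "SUCCESS", "returnValue": {
    "records": {"a4A000000000001AAA": {"apiName": "MyType__c", "fields": {}}},
    "recordErrors": {
        "a4A000000000002AAA": {"message": "You don't have access to this record.", "inaccessible": True},
        "00B000000000003AAA": {"message": "We couldn't find the record you're trying to access."}}}}]})


def demo() -> dict:
    """Fake transport: the first reply is out-of-sync, the second carries the records."""
    replies = [SAMPLE_OUT_OF_SYNC, SAMPLE_GET_RECORD]
    sent = []

    def send(form, cookies):
        sent.append((json.loads(form["aura.context"])["fwuid"], form["aura.token"], cookies))
        return replies.pop(0)

    result = get_record_with_retry(send, "a4A000000000001AAA", "OLDFWUID000",
                                   token="AURA_TOKEN_PLACEHOLDER", sid="00D_SID_PLACEHOLDER")
    result["fwuids_sent"] = [s[0] for s in sent]
    result["token_sent"] = sent[0][1]
    result["cookies_sent"] = sent[0][2]
    return result
```

The practical point is in `triage_get_record`: a guest that gets `inaccessible=true` back has confirmed the id exists, so a `--bruteforce` sweep should count those as hits even though no fields are returned, while a plain "couldn't find the record" error says nothing about neighbouring ids. To send for real, hand `get_record_with_retry` a `send` that POSTs `form` to `<target>/aura` with the returned cookies (and, if you want to watch the traffic as the README suggests, through your HTTP proxy).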