Hacking Apps on Salesforce

Presented at DEF CON 32 (2024), Aug. 10, 2024, 9 a.m. (240 minutes).

This training will cover how to discover vulnerabilities in custom Salesforce applications hosted on the Salesforce PaaS platform. This is not hacking Salesforce itself, but instead custom applications deployed by customers of Salesforce. You should already know OWASP Top 10 fundamentals such as how XSS or injection attacks work. You will learn how to find vulnerabilities specific to Salesforce apps such as SOQL injection, SOSL, cross-site scripting filter bypasses, and bypassing access controls of hidden functions to exfiltrate data. A new open-source tool “PaaS Cloud Goat” will be used to provide a simulated vulnerable Salesforce application for testing. Students will be expected to use a MitM proxy tool (Burp Suite) to craft malicious attacks to exploit the application. This training will provide a lab manual and a live walk-through of the attack process and methods. We will also cover source code review and practice how to find vulnerabilities in code and translate them into working exploits of the simulator app.

Takeaways:

  • Hands-on learning opportunity of pen testing custom Salesforce applications
  • Detailed training documentation material about the underlying flaws
  • Consolidated list of common Salesforce application vulnerabilities

Presenters:

  • Rodney David Beede - Principal Consultant
    Rodney is a principal consultant and has specialized in web and cloud security for over 10 years. He has spoken at multiple conferences on topics ranging from cloud security engineering to IoT device hacking. He has multiple CVEs for discovered web application security vulnerabilities. He started his career in enterprise web application software development but shifted to the security industry with his master's thesis research project "A Framework for Benevolent Computer Worms" (2012).