Salesforce Snafus: Unveiling and Exploiting Security Misconfigurations Using Commonly Used Widgets
Jessa Riley Gegax
NorthSec 2025 · Day 1 · Ville-Marie
Jessa Riley Gegax, a penetration tester at a large US healthcare company, walks through a practical attack surface map of Salesforce's declarative development features — Flow Builder, page layouts, Chatter widgets, and Digital Experience sites — showing how individually minor misconfigurations chain together to produce broken access control and IDOR vulnerabilities that expose sensitive customer data to unauthenticated internet users. The talk is oriented toward practitioners encountering Salesforce for the first time in a pentest engagement and covers both attack paths and remediation.
AI review
Jessa Riley Gegax (Surescripts) maps the Salesforce attack surface for penetration testers: Flow Builder privilege misuse, Classic/Lightning configuration split (URL parameter switch to Classic rendering), Chatter widget BOLA via guest user profile misconfiguration, and IDOR through enumerable Salesforce object IDs against Digital Experience sites. Includes remediation per feature and notes absence of platform rate limiting.
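The review above calls Salesforce object IDs "enumerable" and notes the lack of platform rate limiting. The following is an added example, not code from the talk or from Salesforce, showing why those two points combine into a practical IDOR test: a 15-character record ID is a 3-character key prefix (object type), a 2-character pod identifier, one reserved character and a 9-character base-62 record counter, and the 18-character form appends a three-character checksum so the ID survives case-insensitive handling. The layout and checksum rule follow Salesforce's documented ID format; the field names, the small key-prefix table and the sample ID `0015g00000Xk7Zx` are this example's own constructions.

```python
import string

# Salesforce's base-62 alphabet order: digits, then upper case, then lower case.
BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
# 32-symbol alphabet used for the three checksum characters of an 18-char ID.
SUFFIX_ALPHABET = string.ascii_uppercase + "012345"
# Small sample of well-known key prefixes; the object type lives in the first 3 chars.
# (Constructed lookup table for illustration, not an exhaustive list.)
KEY_PREFIXES = {"001": "Account", "003": "Contact", "005": "User",
                "006": "Opportunity", "00Q": "Lead", "500": "Case"}


def checksum_suffix(id15: str) -> str:
    """Compute the 3-char suffix that makes a 15-char ID case-insensitive.

    Each 5-char chunk yields one symbol: bit i of the index is set when
    chunk[i] is an upper-case letter.
    """
    if len(id15) != 15:
        raise ValueError("expected a 15-character Salesforce ID")
    suffix = []
    for start in (0, 5, 10):
        bits = 0
        for i, ch in enumerate(id15[start:start + 5]):
            if ch.isupper():
                bits |= 1 << i
        suffix.append(SUFFIX_ALPHABET[bits])
    return "".join(suffix)


def to_18(id15: str) -> str:
    """Return the case-insensitive 18-char form of a 15-char ID."""
    return id15 + checksum_suffix(id15)


def is_valid_id(sfid: str) -> bool:
    """True for a well-formed 15-char ID, or an 18-char ID whose suffix checks out."""
    if len(sfid) == 15:
        return all(c in BASE62 for c in sfid)
    if len(sfid) == 18:
        return (all(c in BASE62 for c in sfid[:15])
                and sfid[15:] == checksum_suffix(sfid[:15]))
    return False


def decode(sfid: str) -> dict:
    """Split an ID into key prefix, pod, reserved char and integer record counter."""
    if not is_valid_id(sfid):
        raise ValueError(f"not a well-formed Salesforce ID: {sfid!r}")
    id15 = sfid[:15]
    seq = 0
    for ch in id15[6:]:          # last 9 chars: base-62 record counter
        seq = seq * 62 + BASE62.index(ch)
    return {"prefix": id15[:3],
            "object": KEY_PREFIXES.get(id15[:3], "unknown"),
            "pod": id15[3:5],
            "reserved": id15[5],
            "seq": seq}


def encode_sequence(n: int) -> str:
    """Encode a record counter as the 9-char base-62 field, zero-padded."""
    if not 0 <= n < 62 ** 9:
        raise ValueError("sequence out of range for a 9-char base-62 field")
    digits = []
    for _ in range(9):
        n, r = divmod(n, 62)
        digits.append(BASE62[r])
    return "".join(reversed(digits))


def neighbours(sfid: str, radius: int = 1) -> list:
    """18-char IDs whose record counter lies within `radius` of sfid's, excluding sfid itself.

    These are the candidates an IDOR test would submit to an exposed endpoint;
    without rate limiting nothing throttles how many can be tried.
    """
    parts = decode(sfid)
    head = sfid[:6]              # prefix + pod + reserved stay fixed
    out = []
    for delta in range(-radius, radius + 1):
        n = parts["seq"] + delta
        if delta == 0 or n < 0 or n >= 62 ** 9:
            continue
        out.append(to_18(head + encode_sequence(n)))
    return out


if __name__ == "__main__":
    sample = "0015g00000Xk7Zx"    # constructed Account ID, not a real record
    print(decode(sample))
    print(to_18(sample))
    print(neighbours(sample, radius=2))
```

The `decode` call tells a tester what object type a leaked ID refers to (an `001` prefix is an Account, `003` a Contact) and how far into the tenant's record counter it sits; `neighbours` produces the adjacent IDs that would be fed to the guest-accessible Chatter or Digital Experience endpoint, comparing status codes and response sizes to confirm a BOLA. Submitting the 18-character form avoids false negatives from endpoints that lower-case their input. On the defensive side, `is_valid_id` is the shape check a developer should apply before using a caller-supplied ID, but it is not an authorization check: the fix the talk calls for is correcting the guest user profile and sharing settings so that a valid ID for someone else's record is still refused.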