Salesforce Aura Security Scanner — Automated Analysis
| Target URL | {{ scan.target_url }} |
| Scan Type | {% if scan.scan_type == 'auth' %}Authenticated (Cookie Session){% else %}Guest (Unauthenticated){% endif %} |
| Scan ID | #{{ scan.id }} |
| Scanners | {{ scanner_names | join(', ') }} |
| Started | {{ scan.created_at.strftime('%Y-%m-%d %H:%M UTC') }} |
| Completed | {{ scan.completed_at.strftime('%Y-%m-%d %H:%M UTC') }} |
| Analyst | {{ user.username }} |
| Total Findings | {{ findings | length }} |
{{ scan.ai_analysis.risk_summary }}
{% if scan.ai_analysis.critical_patterns %}Key Risk Patterns Identified
Automated security scan of {{ scan.target_url }} completed on {{ generated_at }}. {% if counts.critical > 0 or counts.high > 0 %} The scan identified {{ counts.critical + counts.high }} high-severity finding(s) requiring immediate remediation — {{ counts.critical }} Critical and {{ counts.high }} High. Unauthenticated access to sensitive Salesforce objects or API endpoints may expose consumer data and violate GDPR / CCPA / PDPA obligations. {% elif counts.medium > 0 %} The scan identified {{ counts.medium }} medium-severity finding(s) requiring timely remediation. {% else %} No high or medium-severity findings were detected. Review low/info findings for defence-in-depth improvements. {% endif %}
{% endif %}Permission removal alone is insufficient. Salesforce Aura exposes objects through multiple channels. Guest access remediation requires hardening across all five layers:
For Guest Access: All 5 layers must be hardened. Permission removal alone is incomplete.
{{ findings | length }} total finding(s) across {{ scanner_names | length }} scanner module(s). Computed risk score: {{ risk_score }}/100 ({{ risk_label }}). {% if scan.ai_analysis and scan.ai_analysis.risk_score %}AI-assessed: {{ scan.ai_analysis.risk_score }}/100.{% endif %}
Salesforce sObjects referenced in findings, sorted by maximum severity. Objects exposed to guest users without appropriate sharing rules may allow bulk data extraction.
| Salesforce Object | Max Severity | Associated Finding(s) |
|---|---|---|
{{ obj.name }} |
{{ obj.severity }} | {{ obj.finding_titles | join('; ') }} |
{{ finding.description }}
{% if finding.affected_objects %}Affected Objects
Technical Evidence
{{ finding.evidence }}
{% endif %}
{% if finding.remediation %}
Remediation Note
{{ finding.remediation }}
{% endif %} {% if rem %}Salesforce Setup Steps
Additional Hardening for Guest Access
Apex Code Fix
{{ rem.apex_example }}
{% endif %}
Post-Fix Verification (SOQL / Command)
{% set owasp_key = (rem.owasp or '').split(':')[0] %}
{% if owasp_key == 'API1' %}
Run in Developer Console:
SELECT SObjectType, PermissionsRead, PermissionsCreate FROM ObjectPermissions WHERE Parent.Name='[Guest Profile Name]' AND PermissionsRead=true
→ must return 0 rows for sensitive objects.
{% elif owasp_key == 'API3' %}
Run in Developer Console:
SELECT Field, PermissionsRead FROM FieldPermissions WHERE Parent.Name='[Guest Profile Name]' AND PermissionsRead=true AND SObjectType='[SObject API Name]'
→ sensitive fields must return 0 rows.
{% elif owasp_key == 'API5' %}
Test the Aura endpoint unauthenticated:
curl -X POST "{{ scan.target_url }}/s/sfsites/aura" -d 'message=...'
→ privileged controllers must return 403 or AuraHandledException.
{% elif owasp_key == 'API8' %}
Verify HTTPS enforcement:
curl -I http://{{ scan.target_url | replace('https://','') | replace('http://','') }}
→ must return HTTP 301 redirect to HTTPS.
{% else %}
Re-run this scan after applying the fix. The finding must no longer appear in results.
{% endif %}
No findings recorded for this scan.
{% endfor %}| Impact Area | Description | Risk Level |
|---|---|---|
| Data Exposure | {{ counts.critical }} critical finding(s) indicate unauthenticated read access to Salesforce objects via Aura/LWC endpoints. Consumer PII or sensitive business records may be accessible without login and extractable via the Salesforce REST/SOAP/GraphQL API. | CRITICAL |
| Regulatory Exposure | Unauthenticated PII access may constitute a personal data breach under GDPR Art. 33/34 (72-hour DPA notification), CCPA, PDPA (Thailand), LGPD (Brazil), or other applicable regulations. DPO assessment is mandatory. | CRITICAL |
| Access Control | {{ counts.high }} high-severity finding(s) indicate broken object-level or function-level authorization. Attackers may enumerate, read, or manipulate records beyond their intended scope, including via automated bulk API extraction. | HIGH |
| API Surface Exposure | {{ counts.medium }} medium-severity finding(s) relating to excessive data returned by Aura controllers, missing authentication guards on Apex endpoints, or exposed org metadata that aids reconnaissance. | MEDIUM |
| Security Posture | {{ counts.low + counts.info }} low/info finding(s) including missing HTTP security headers (HSTS, CSP, X-Frame-Options), insecure session cookie flags, or open redirect vectors that weaken defence-in-depth. | LOW |
Apply fixes in priority order (Critical → High → Medium → Low). Tick each item only after the post-fix verification query confirms the issue is resolved. All Apex / metadata changes should follow the standard DevSecOps pipeline: feature branch → SIT → UAT → Production.
| # | OWASP Category | Salesforce Setup Steps | Priority | ✅ |
|---|---|---|---|---|
| ST-{{ loop.index }} | {{ section.title }} {{ section.owasp }} |
► View Apex Fix{{ section.apex_example }}
Verify:
{% if owasp_key == 'API1' %}
SELECT SObjectType, PermissionsRead FROM ObjectPermissions WHERE Parent.Name='[Guest Profile]' AND PermissionsRead=true → 0 rows
{% elif owasp_key == 'API3' %}
SELECT Field, PermissionsRead FROM FieldPermissions WHERE Parent.Name='[Guest Profile]' AND PermissionsRead=true AND SObjectType='[Object]' → 0 rows
{% elif owasp_key == 'API5' %}
Unauthenticated call to privileged Apex controller must return AuraHandledException or HTTP 403.
{% elif owasp_key == 'API8' %}
curl -I http://[site-domain] → HTTP 301 redirect to HTTPS; security headers present.
{% else %}
Re-run scan — this finding must not reappear after fix is deployed.
{% endif %}
|
{% if owasp_key in ('API1', 'API2') %} P1 Immediate {% elif owasp_key in ('API3', 'API5') %} P2 0–7 days {% elif owasp_key in ('API4', 'API6') %} P3 7–14 days {% else %} P4 14–30 days {% endif %} | |
| No remediation items available. | ||||
| # | Action | Urgency | Type |
|---|---|---|---|
| {{ loop.index }} | {{ action.action }} | {{ action.urgency | upper }} | {{ action.type | title }} |
After applying all remediation steps above, follow this validation plan to confirm fixes are effective:
-d) to trace which Aura actions return sensitive objects. After fixes, those objects should not appear in the logs.