• Stars
    star
    104
  • Rank 330,604 (Top 7 %)
  • Language
    Python
  • License
    GNU Affero Genera...
  • Created over 3 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Salesforce object access auditor

Raccoon: Salesforce object access auditor

Released as open source by NCC Group Plc - https://www.nccgroup.com/

Developed by Jerome Smith @exploresecurity (with thanks to Viktor Gazdag @wucpi)

https://www.github.com/nccgroup/raccoon

Released under AGPL - refer to LICENSE for more information.

Description

This tool establishes which Profiles and Permissions Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and objects settings. From this output, misconfigurations that potentially allow excessive access to objects that hold sensitive data can be investigated. Refer to the accompanying blog post for background at https://research.nccgroup.com/2021/06/28/are-you-oversharing-in-salesforce.

It is recommended that results are verified manually with direct reference to the Salesforce configuration and/or testing of the affected Profiles and Permission Sets. Should discrepancies be found, please file an issue with as much detail as possible.

Usage

Requirements:

  • Python 3
  • The Python requests module (covered by requirements.txt)
  • An account with the following minimum permissions:
    • 'API Enabled'
    • 'View Setup and Configuration'
    • 'Modify Metadata Through Metadata API Functions' (see note on 'Account permissions')
    • Read permission on all the objects to be audited (or grant 'View All Data')
  • For authentication, supply EITHER username + password + (optional) token OR sessionId (more details in the Authentication section).

Create a JSON config file (or use config.json as a template) and populate as required:

{
	"hostname": "somewhere.my.salesforce.com",
	"username": "",
	"password": "",
	"token": "<optional token>",
	"sessionId": "",
	"objects": ["Account", "Contact"],
	"checkLimits": true,
	"debug": <optional debug level (0, 1 or 2)>
}

objects is a list of Salesforce objects of interest (i.e. the data you care about most). Using the formal API names is the most reliable method but, should a match not be found, Raccoon will try some simple matches based, for example, on the display label. If Raccoon still fails to find a match, the program will carry on but flag this up in the output.

checkLimits allows you to check the allowance of API calls remaining for the instance under investigation within the 24-hour rolling period. Raccoon makes relatively few calls per object (in addition to a fixed number per run) but, as a courtesy, this parameter allows you to check your limits before proceeding. The default value is true. The total number of possible remaining requests at the checkpoint is not certain because the number of calls will depend on how many objects have a 'Controlled by Parent' sharing model. The stated number assumes that they all do and is thus a maximum.

Run:

git clone https://github.com/nccgroup/raccoon
pip3 install -r requirements.txt
python3 raccoon.py <config_file>

Authentication

When a username and password are used, note that a security token may also be required (if coming from an IP address outside any defined Network Access ranges). Refer to this article for more information.

Using the session ID alternative is useful in many cases:

  • Single sign-on i.e. no direct login to Salesforce possible
  • MFA is enforced
  • Trouble getting an API token (when needed)
  • Stops credentials accidentally being left in a file

To get the session ID:

  • Log in to Salesforce and switch to Classic mode if need be
  • Use the browser's Inspect tool to display the cookies
  • Sometimes there are multiple sid cookies: ensure you grab the one whose Domain attribute includes my.salesforce.com or cloudforce.com

Output

Sample (abridged and anonymised) output:

Raccoon - Salesforce object access auditor
- version 1.0
- https://www.github.com/nccgroup/raccoon
* Refer to README for usage notes including important limitations *

Target instance: somewhere.my.salesforce.com
- Login successful

4,969,529 API requests can be sent to this instance from a 24-hour limit of 5,000,000
- Up to 33 further requests are required to complete (3 requests sent so far)
- Do you want to continue? Enter 'y' to proceed: y

Validating objects
- Found object 'Accounts' with API name 'Account'
- Found object 'Contact' with API name 'Contact'
- Found object 'Quotes' with API name 'Quote__c'
- Found object 'Quote Lines' with API name 'QuoteLine__c'

Evaluating 28 Profiles and 104 Permission Sets
- Profiles with active users: 15
- Permission Sets with active users: 67
- Ignoring 50 unused Profiles and Permission Sets

Global Sharing Overrides (ALL records for ALL objects)
------------------------------------------------------

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - System Administrator                              61/91                    [I]

  READ
  Profiles
  - Integration User                         [C]      1/1                      [I]
  - Analytics Cloud Integration User                  1/1                      [I]

Object Sharing (ALL records for EACH object)
--------------------------------------------

Account:
  Organization-wide default sharing
  - Internal: Public Read Only
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Integration User                         [C]      1/1                      [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

  READ
  Profiles
  - Read Only                                [C]      192/199                  [I]
  - Sales User                               [C]      192/248                  [I]
  - Finance User                             [C]      16/20                    [I]
  - Standard User                                     6/3075                   [I]
  Permission Sets (* Groups)
  * Accounts PS Group                        [C]      36/39                    [I]
  - Sales Operations                         [C]      24/26                    [I]
  - SharePoint User                          [C]      3/4                      [I]

  Sharing Rules (manual check required):
  - Criteria-based rules configured
  - Ownership-based rules configured

Contact:
  Organization-wide default sharing
  - Internal: Controlled by Parent
  - External: <Undefined>
  Parent object: 'Account'
  - Internal: Public Read Only
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Integration User                                  1/1                      [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

  READ
  Profiles
  - Read Only                                [C]      192/199                  [I]
  - Sales User                               [C]      192/248                  [I]
  - Finance User                             [C]      16/20                    [I]
  - Standard User                                     6/3075                   [I]
  Permission Sets (* Groups)
  - Sales Operations                         [C]      24/26                    [I]

Quote__c:
  Organization-wide default sharing
  - Internal: Public Read/Write
  - External: <Undefined>

  READ/EDIT                                  [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Sales User                               [C]      192/248                  [I]

  READ
  Profiles
  - Finance User                             [C]      16/20                    [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

QuoteLine__c:
  Organization-wide default sharing
  - Internal: Controlled by Parent
  - External: <Undefined>
  Parent object: 'Quote__c'
  - Internal: Public Read/Write
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Sales User                               [C]      192/248                  [I]

  READ
  Profiles
  - Finance User                             [C]      16/20                    [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

Total API requests sent: 31

Raccoon only examines Profiles and Permission Sets with active users to reduce the verbosity of its output. Information about this is displayed, after which:

  • Global Sharing Overrides are displayed first since Profiles and Permission Sets that are allowed to 'View All Data' and 'Modify All Data' have rights over ALL objects.
  • Each object is then audited in turn with read+edit+delete privileges considered first, then read+edit, and lastly just read. A Profile or Permission Set is only listed once within the output (in the section containing the highest set of effective permissions). This is to avoid repetition - for example, it is implicit that a Profile with 'Modify All Data' has read+edit+delete on all the objects specified; thus, it is only shown under "Global Sharing Overrides", it is not also listed under each object's results. The only exception is when Profiles or Permission Sets with the global 'View All Data' privilege have further edit/delete permissions enabled at the object level.
  • For each object, the existence of Sharing Rules is highlighted but not qualified further.

If assignment of privileges has been granted through a Permission Set Group, as opposed to a single Permission Set, an asterisk appears as an indentation marker to the left of the name instead of the usual hyphen (Accounts PS Group in the above sample output). In addition, whether the Profile or Permission Set is custom is also shown (for Permission Sets custom means "created by an admin" otherwise it "is standard and related to a specific permission set license" [ref]).

For both global and object sharing, Profiles and Permission Sets are ordered to reflect the likely interest. The first level of ordering concerns which type of user is assigned - 'guest' (unauthenticated) first, followed by 'external' (various types of portal user) then 'internal' (anything else). It is important to note that 'external' here is related to the definition used in the context of the 'external sharing model' [ref]. The idea here is to highlight potentially excessive sharing for unauthenticated or portal users. However, it is somewhat experimental because the Salesforce documentation is not comprehensive in its list of valid 'UserType' values for the 'User' object [ref]. As a result, it is possible that misclassification could occur - please file an issue in such a case. The second level of ordering is based on the number of active users - highest first (the total number of assigned users is also displayed for information).

Notes

Raccoon's primary objective is to highlight instances of widespread access to all records, and it covers:

  • Master-Detail relationships where sharing is 'Controlled by Parent' (but only if there is a single Master-Detail relationship and the parent is directly above the child i.e. the parent's sharing model cannot also be 'Controlled by Parent').
  • Special 'Controlled by Parent' relationships between Contact/Order/Asset and the parent Account (which work slightly differently to the normal Master-Detail relationship).
  • To reiterate, only Profiles and Permission Sets with active users are considered.

The following factors, which affect only a subset of records, are not evaluated:

  • Sharing Rules (although their existence for an object is flagged)
  • Sharing Sets
  • Share Groups
  • Sharing based on Role hierarchy
  • Manual sharing configured by users on individual records
  • 'Implicit' (or 'built-in') sharing for certain children of Account when its sharing model is Private
  • The 'private' field for an Opportunity record (and consequent effect on related Quotes)

Certain objects, such as 'User' and 'File', do not fit the standard sharing model and/or other system permissions come into play. Known instances are flagged in the output if they are specified in the objects list.

Instances with over 2,000 combined Profiles and Permission Sets are not supported due to platform limitations on the use of 'GROUP BY' in SOQL statements. This is a generous allowance and should only be a blocker in the most extreme cases.

Account permissions

This tool only performs read operations. It might therefore be surprising to see 'Modify Metadata Through Metadata API Functions' as a requirement for the account used to run the tool. However, at the time of writing, it does not appear possible to configure an account with read-only permissions to the Metadata API. From the documentation:

Identify a user that has the API Enabled permission and the Modify Metadata Through Metadata API Functions permission or Modify All Data permission. These permissions are required to access Metadata API calls. If a user requires access to metadata but not to data, enable the Modify Metadata Through Metadata API Functions permission. Otherwise, enable the Modify All Data permission.

It is therefore suggested that 'Modify Metadata Through Metadata API Functions' is used over 'Modify All Data'.

Reporting bugs

If the problem is with login then please first double-check the hostname, username, password and security token (if required). Also consider if the password needs resetting (try the usual Salesforce web login) because this condition returns an error that is indistinguishable from an invalid login. If using a session ID, ensure it is valid for the correct domain.

Run the tool with debug set to 2, as the verbose output may help to identify the cause. This level also outputs a stack trace to a file named in the output. If reporting an issue, please include both the console output and stack trace (anonymise as needed).

Why 'Raccoon'?

Known for rummaging around objects.

More Repositories

1

ScoutSuite

Multi-Cloud Security Auditing Tool
Python
6,664
star
2

Scout2

Security auditing tool for AWS environments
Python
1,728
star
3

sobelow

Security-focused static analysis for the Phoenix Framework
Elixir
1,671
star
4

Winpayloads

Undetectable Windows Payload Generation
Python
1,519
star
5

demiguise

HTA encryption tool for RedTeams
Python
1,326
star
6

house

A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.
JavaScript
1,321
star
7

PMapper

A tool for quickly evaluating IAM permissions in AWS.
Python
1,279
star
8

redsnarf

RedSnarf is a pen-testing / red-teaming tool for Windows environments
PowerShell
1,182
star
9

featherduster

An automated, modular cryptanalysis tool; i.e., a Weapon of Math Destruction
Python
1,087
star
10

SocksOverRDP

Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop
C++
1,067
star
11

singularity

A DNS rebinding attack framework.
JavaScript
1,018
star
12

exploit_mitigations

Knowledge base of exploit mitigations available across numerous operating systems, architectures and applications and versions.
865
star
13

AutoRepeater

Automated HTTP Request Repeating With Burp Suite
Java
742
star
14

fuzzowski

the Network Protocol Fuzzer that we will want to use.
Python
719
star
15

aws-inventory

Discover resources created in an AWS account.
Python
703
star
16

BurpSuiteHTTPSmuggler

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
Java
654
star
17

Sniffle

A sniffer for Bluetooth 5 and 4.x LE
C
648
star
18

sadcloud

A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
HCL
636
star
19

TriforceAFL

AFL/QEMU fuzzing with full-system emulation.
C
624
star
20

nmap-nse-vulnerability-scripts

NMAP Vulnerability Scanning Scripts
Lua
618
star
21

LoggerPlusPlus

Advanced Burp Suite Logging Extension
Java
608
star
22

nccfsas

Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team.
C
598
star
23

freddy

Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans
Java
572
star
24

phantap

Phantom Tap (PhanTap) - an β€˜invisible’ network tap aimed at red teams
C
560
star
25

azucar

Security auditing tool for Azure environments
PowerShell
559
star
26

tracy

A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
JavaScript
553
star
27

VCG

VisualCodeGrepper - Code security scanning tool.
Visual Basic .NET
523
star
28

Cyber-Defence

Information released publicly by NCC Group's Cyber Incident Response Team
Python
474
star
29

scrying

A tool for collecting RDP, web and VNC screenshots all in one place
Rust
450
star
30

autochrome

This tool downloads, installs, and configures a shiny new copy of Chromium.
HTML
431
star
31

wssip

Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
JavaScript
425
star
32

blackboxprotobuf

Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
Python
380
star
33

idahunt

idahunt is a framework to analyze binaries with IDA Pro and hunt for things in IDA Pro
Python
376
star
34

autopwn

Specify targets and run sets of tools against them
Python
376
star
35

CrossSiteContentHijacking

Content hijacking proof-of-concept using Flash, PDF and Silverlight
HTML
372
star
36

Solitude

Solitude is a privacy analysis tool that enables anyone to conduct their own privacy investigations. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating user privacy within an app accessible for everyone.
CSS
370
star
37

vlan-hopping---frogger

Easy 802.1Q VLAN Hopping
Shell
346
star
38

shocker

A tool to find and exploit servers vulnerable to Shellshock
Python
333
star
39

DriverBuddy

DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers.
Python
331
star
40

WMIcmd

A command shell wrapper using only WMI for Microsoft Windows
C#
319
star
41

acCOMplice

Tools for discovery and abuse of COM hijacks
PowerShell
272
star
42

SusanRTTI

Another RTTI Parsing IDA plugin
Python
269
star
43

umap

The USB host security assessment tool
Python
265
star
44

metasploitavevasion

Metasploit AV Evasion Tool
Shell
257
star
45

keimpx

Check for valid credentials across a network over SMB
Python
256
star
46

umap2

Umap2 is the second revision of NCC Group's python based USB host security assessment tool.
Python
250
star
47

depthcharge

A U-Boot hacking toolkit for security researchers and tinkerers
Python
245
star
48

UPnP-Pentest-Toolkit

UPnP Pentest Toolkit for Windows
C#
244
star
49

GTFOBLookup

Offline command line lookup utility for GTFOBins (https://github.com/GTFOBins/GTFOBins.github.io), LOLBAS (https://github.com/LOLBAS-Project/LOLBAS), WADComs (https://wadcoms.github.io), and HijackLibs (https://hijacklibs.net/).
Python
238
star
50

G-Scout

Google Cloud Platform Security Tool
Python
232
star
51

asatools

Main repository to pull all NCC Group Cisco ASA-related tool projects.
Shell
224
star
52

cisco-SNMP-enumeration

Automated Cisco SNMP Enumeration, Brute Force, Configuration Download and Password Cracking
Shell
216
star
53

thetick

A simple embedded Linux backdoor.
Python
195
star
54

AWS-recipes

A number of Recipes for AWS
Python
195
star
55

kube-auto-analyzer

Kubernetes Auto Analyzer
HTML
192
star
56

TPMGenie

TPM Genie is an I2C bus interposer for discrete Trusted Platform Modules
C++
189
star
57

BinProxy

BinProxy is a proxy for arbitrary TCP connections. You can define custom message formats using the BinData gem.
Ruby
172
star
58

TriforceLinuxSyscallFuzzer

A linux system call fuzzer using TriforceAFL
C
170
star
59

DetectWindowsCopyOnWriteForAPI

Enumerate various traits from Windows processes as an aid to threat hunting
C++
168
star
60

pybeacon

A collection of scripts for dealing with Cobalt Strike beacons in Python
Python
167
star
61

BKScan

BlueKeep scanner supporting NLA
Shell
167
star
62

typofinder

A finder of domain typos showing country of IP address
Python
166
star
63

BLESuite

BLESuite is a Python package that provides an easier way to test Bluetooth Low Energy (BLE) device
Python
165
star
64

SteppingStones

A Red Team Activity Hub
Python
162
star
65

libslub

Python
161
star
66

tcpprox

A small command-line TCP proxy utility written in Python
Python
156
star
67

requests-racer

Small Python library that makes it easy to exploit race conditions in web apps with Requests.
Python
152
star
68

LazyDroid

bash script to facilitate some aspects of an Android application assessment
Shell
151
star
69

chuckle

An automated SMB relay exploitation script.
Shell
151
star
70

whalescan

Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container
Python
143
star
71

gitpwnd

GitPwnd is a network penetration tool that lets you use a git repo for command and control of compromised machines
Python
139
star
72

Carnivore

Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
C#
139
star
73

CollaboratorPlusPlus

Java
139
star
74

Change-Lockscreen

Offensive tool to trigger network authentications as SYSTEM
C#
138
star
75

Decoder-Improved

Improved decoder for Burp Suite
Java
134
star
76

OutlookLeakTest

The Outlook HTML Leak Test Project
C#
131
star
77

Wubes

Qubes containerization on Windows
Python
130
star
78

port-scan-automation

Automate NMAP Scans and Generate Custom Nessus Policies Automatically
Shell
128
star
79

Hodor

Hodor! Fuzzer..
Python
126
star
80

Zulu

The Zulu fuzzer
Python
125
star
81

WinShareEnum

Windows Share Enumerator
C#
121
star
82

memscan

Searches for strings, regex, credit card numbers of magnetic stripe card tracks in a Windows process's memory space
C#
120
star
83

ebpf

eBPF - extended Berkeley Packet Filter tooling
Python
120
star
84

argumentinjectionhammer

A Burp Extension designed to identify argument injection vulnerabilities.
Python
118
star
85

cq

Python
115
star
86

DroppedConnection

Python
113
star
87

SCOMDecrypt

SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers
C#
112
star
88

GOATCasino

This is an intentionally vulnerable smart contract truffle deployment aimed at allowing those interested in smart contract security to exploit a wide variety of issues in a safe environment.
JavaScript
112
star
89

OneLogicalMyth_Shell

A HTA shell to assist with breakout assessments.
HTML
112
star
90

BLE-Replay

BLE-Replay is a Bluetooth Low Energy (BLE) peripheral assessment tool
Python
110
star
91

cloud_ip_ranges

Identify IP addresses owned by public cloud providers
Python
109
star
92

web3-decoder

Python
108
star
93

ccs

Python
107
star
94

WindowsDACLEnumProject

A collection of tools to enumerate and analyse Windows DACLs
C++
105
star
95

DIBF

Windows NT ioctl bruteforcer and modular fuzzer
C++
103
star
96

go-pillage-registries

Pentester-focused Docker registry tool to enumerate and pull images
Go
103
star
97

DatajackProxy

Datajack Proxy allows you to intercept TLS traffic in native x86 applications across platforms
JavaScript
100
star
98

pcap-burp

Pcap importer for Burp
Java
100
star
99

jwt-reauth

Java
100
star
100

Berserko

Burp Suite extension to perform Kerberos authentication
Java
99
star