Salesforce Experience Cloud
Security Audit
Experience Cloud portals are often the most exposed surface in a Salesforce org—internet-facing, publicly accessible, and frequently misconfigured. Our assessment identifies guest user over-exposure, broken access control on Apex and LWC endpoints, IDOR vectors, and data leakage paths that standard internal reviews miss.

Did your team cover these critical blind spots?
The most commonly overlooked attack vectors in Salesforce environments—validated through hundreds of enterprise engagements.
Guest User Over-Exposure
Are your community guest users truly limited to public content—or do they have implicit access to internal records, Apex methods, and file downloads through misconfigured profiles and sharing rules?
Aura / LWC Endpoint Abuse
Has every @AuraEnabled Apex method and Lightning Web Component endpoint been reviewed for broken object-level authorization? Unauthenticated or under-scoped API paths are a recurring finding in Experience Cloud environments.
IDOR Across Record Boundaries
Can an authenticated community user manipulate record IDs in community pages or API calls to access records belonging to other accounts or contacts—bypassing Salesforce sharing model enforcement?
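The two questions above (unreviewed @AuraEnabled methods and record-ID manipulation) usually come down to the same controller defect. The following Apex is an added, constructed illustration, not code from this page or its authors; the class names, the Case object and the field list are assumptions, and the two classes are shown together for contrast but would live in separate files in a real org.

```apex
// Constructed example, not code from the original page.
// VULNERABLE PATTERN: "without sharing" disables record-level visibility
// checks, and the query does no CRUD/FLS check, so any community user who
// can reach this @AuraEnabled method can fetch any Case by swapping the ID.
public without sharing class CaseViewerControllerVulnerable {
    @AuraEnabled(cacheable=true)
    public static Case getCase(Id caseId) {
        // Returns whatever record matches, regardless of who is asking.
        return [SELECT Id, Subject, Description FROM Case WHERE Id = :caseId];
    }
}

// HARDENED PATTERN: "with sharing" applies the org's sharing model to the
// running user, and WITH USER_MODE enforces object and field permissions
// (CRUD/FLS) in the query itself. A record the caller may not see is simply
// not returned, and the error does not confirm whether the ID exists.
public with sharing class CaseViewerController {
    @AuraEnabled(cacheable=true)
    public static Case getCase(Id caseId) {
        // Reject IDs of the wrong object type before touching the database.
        if (caseId == null || caseId.getSObjectType() != Case.SObjectType) {
            throw new AuraHandledException('Invalid record.');
        }
        List<Case> rows = [
            SELECT Id, Subject, Description
            FROM Case
            WHERE Id = :caseId
            WITH USER_MODE
        ];
        // Same generic message for "does not exist" and "not visible to you",
        // so the endpoint cannot be used to enumerate valid record IDs.
        if (rows.isEmpty()) {
            throw new AuraHandledException('Record not found.');
        }
        return rows[0];
    }
}
```

When reviewing a portal, diffing each @AuraEnabled class against the hardened shape (sharing keyword, USER_MODE or explicit CRUD/FLS checks, generic error on miss) is a quick way to triage which endpoints need IDOR testing first.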
What We Test
Security Checklist
33 automated + manual checks organized across 6 security domains. Every item is evaluated and reported with evidence.
Guest User Exposure
- Enumerate all public-facing community pages and accessible APIs
- Audit Guest User profile permissions (Object, FLS, Apex class access)
- Test unauthenticated REST endpoint discovery via WSDL/metadata
- Review Lightning App Builder components exposed to guest context
- Validate Site.com guest access restrictions and page visibility
- Enumerate public groups and queues accessible by guest users
Access Control & Authorization
- Test IDOR vulnerabilities on Record IDs across community pages
- Enumerate @AuraEnabled Apex methods accessible without full auth
- Audit Apex REST class endpoint authorization enforcement
- Review sharing rules and OWD for community-accessible objects
- Test public sharing link generation scope and expiration
- Validate LWC wire adapter data access against user context
Authentication & Session Security
- Review SSO configuration and AuthProvider setup
- Audit session timeout and concurrent session policies
- Test CAPTCHA enforcement on registration and login flows
- Review brute force protection (login attempt limits)
- Review SAML assertion validation and audience restriction
- Test login page enumeration and account discovery vectors
Data Exposure & Leakage
- Enumerate accessible objects via community search and list views
- Test file/document download permissions for guest vs. authenticated users
- Review Knowledge Article visibility and category access controls
- Audit Chatter post visibility across community membership tiers
- Test community API endpoints for PII leakage in responses
Network & Infrastructure
- Review Content Security Policy headers on community pages
- Audit CORS configuration for community API endpoints
- Test clickjacking protection (X-Frame-Options / frame-ancestors)
- Review SSL/TLS certificate chain and cipher suite configuration
- Validate custom domain DNS configuration and certificate management
Compliance Mapping
- Map findings to CIS Controls v8 (Controls 4, 6, 12)
- Align to SOC2 CC6 (Logical and Physical Access) criteria
- Review Shield Event Monitoring for community access events
- Generate MITRE ATT&CK mapping (T1190, T1078.004, T1530)
- Produce access control evidence for compliance attestation
Main Assessment Coverage
- Guest User Profile & Exposure Review
- Apex REST & LWC Endpoint Enumeration
- Broken Object-Level Authorization (IDOR) Testing
- Sharing Model & Record Visibility Audit
- Authentication & Session Security Review
- Compliance Posture Mapping (CIS, SOC2)
Flexible Network Execution
Community assessments execute from internet-accessible paths to simulate real-world attacker positioning. Customer IP sourcing available for admin-path testing.
Route assessment engines through your designated corporate IPs to simplify allowlisting, avoid WAF alarms, and maintain a clean audit trail satisfying internal security policies.
Transparent Licensing
One-time execution license. No subscriptions. No hidden fees.
Complete Assessment
/ one-time license
- Full Automated + Manual Assessment Engine
- Executive PDF Report with Risk Scoring
- IDOR & Attack Path Visualization
- Customer IP Sourcing Available
- 30-Day Platform Access
- Compliance Matrix (CIS, SOC2)
- Prioritized Remediation Roadmap