Information Disclosure via Dynamic Object and Field Enumeration
This lab focuses on schema intelligence leaks caused by dynamic metadata and describe-query patterns that reveal object names, sensitive field maps, and internal data model structure to unauthorized users.
Executive Summary
Dynamic object and field discovery is useful for generic frameworks, but dangerous when exposed directly through @AuraEnabled, REST, or Visualforce endpoints without strict authorization and purpose limitation.
Attackers can use leaked schema details to accelerate SOQL injection tuning, privilege escalation, and high-value record targeting in managed package environments.
Salesforce Attack Surface
Dynamic describe endpoints: methods returning object/field dictionaries to client consumers
Generic query builders: APIs accepting object and field names as runtime input
Tooling-style wrappers: helper methods exposing schema metadata beyond user need
Debug-oriented admin utilities: package diagnostics accidentally exposed in production
Cross-feature chaining: metadata leak used to optimize follow-on exploitation attempts
Business Impact
Reconnaissance acceleration: attackers quickly map sensitive business objects and fields
Targeted abuse: leaked field names enable precise injection and enumeration attacks
Data governance risk: hidden/internal schema details exposed to low-privilege users
Security review findings: excessive metadata disclosure often flagged during AppExchange testing
Compounded exploit paths: schema leaks increase success of other vulnerabilities
PoC Use Cases
// Vulnerable pattern: a cacheable, client-callable method that walks the whole
// global describe and hands every object and field name to any caller.
@AuraEnabled(cacheable=true)
public static Map<String, List<String>> getSchemaMap() {
    Map<String, List<String>> result = new Map<String, List<String>>();
    Map<String, Schema.SObjectType> globalDescribe = Schema.getGlobalDescribe();
    for (String objName : globalDescribe.keySet()) {
        // No authorization, allowlist, or FLS check: full field map per object.
        Map<String, Schema.SObjectField> fMap =
            globalDescribe.get(objName).getDescribe().fields.getMap();
        result.put(objName, new List<String>(fMap.keySet()));
    }
    return result;
}
A low-privilege caller retrieves the full object and field inventory of the org.
The attacker identifies sensitive targets such as token, key, or PII fields.
The leaked schema is then used to craft higher-impact payloads against other endpoints.
Testing Methodology
Endpoint inventory: locate all metadata-returning methods and UI handlers
Role-based testing: verify output differences for admin vs constrained users
Data minimization checks: confirm only necessary object/field info is returned
Abuse chaining: test whether leaked schema materially improves exploitability elsewhere
Evidence quality: document unauthorized visibility and practical abuse consequence
Secure Engineering Patterns
Need-to-know schema exposure: return only allowlisted objects/fields required by use case
Authorization gates: enforce feature/permission checks before metadata retrieval
Server-side filtering: apply object and field access checks before response composition
No global describe dumps: avoid exposing full tenant schema maps in package APIs
// Allowlists are static and use-case bound (sample names; the real set comes from the UI contract).
private static final Set<String> ALLOWED_OBJECTS = new Set<String>{ 'Account', 'Contact' };
private static final Map<String, List<String>> ALLOWED_FIELD_MAP =
    new Map<String, List<String>>{
        'Account' => new List<String>{ 'Name', 'Industry' },
        'Contact' => new List<String>{ 'FirstName', 'LastName', 'Email' }
    };

@AuraEnabled(cacheable=true)
public static List<String> getAllowedFields(String objectName) {
    // Reject anything outside the allowlist before any describe call is made.
    if (!ALLOWED_OBJECTS.contains(objectName)) {
        throw new SecurityException('Object not allowed');
    }
    // Return only fields required by UI contract, not full describe output.
    return ALLOWED_FIELD_MAP.get(objectName);
}
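The following is an added example, not code from this lab, that carries the secure engineering patterns above one step further and also covers the role-based testing from the Testing Methodology section. The controller layers four server-side gates (feature permission, object allowlist, object-level CRUD check, field-level FLS filtering) so that the response is composed only from metadata the running user is already entitled to, and the test class exercises it with a constrained user. The class names, the custom permission API name 'Schema_Browser_Access', the permission set name 'Schema_Browser', the profile name and the allowlisted objects/fields are all assumptions of this example.

```apex
// File: SchemaAllowlistController.cls  (class name is an assumption of this example)
public with sharing class SchemaAllowlistController {

    // Custom permission that gates the feature (hypothetical API name).
    private static final String FEATURE_PERMISSION = 'Schema_Browser_Access';

    // Use-case bound allowlist: constructed sample objects/fields for this example.
    // Keys are exact API names; no global describe is ever walked.
    private static final Map<String, Set<String>> ALLOWED_FIELD_MAP =
        new Map<String, Set<String>>{
            'Account' => new Set<String>{ 'Name', 'Industry', 'Phone' },
            'Contact' => new Set<String>{ 'FirstName', 'LastName', 'Email' }
        };

    @AuraEnabled(cacheable=true)
    public static List<String> getAllowedFields(String objectName) {
        // Gate 1: feature authorization before any metadata is touched.
        if (!FeatureManagement.checkPermission(FEATURE_PERMISSION)) {
            throw new AuraHandledException('Not authorized');
        }
        // Gate 2: allowlist; unknown objects never reach a describe call.
        if (objectName == null || !ALLOWED_FIELD_MAP.containsKey(objectName)) {
            throw new AuraHandledException('Object not allowed');
        }
        // Gate 3: object-level (CRUD) read access for the running user.
        Schema.DescribeSObjectResult objDescribe =
            Schema.describeSObjects(new List<String>{ objectName })[0];
        if (!objDescribe.isAccessible()) {
            throw new AuraHandledException('Object not accessible');
        }
        // Gate 4: field-level security filtering of the allowlisted subset only.
        // fields.getMap() keys are lower-case, hence the toLowerCase() lookup.
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        List<String> visible = new List<String>();
        for (String fieldName : ALLOWED_FIELD_MAP.get(objectName)) {
            Schema.SObjectField f = fieldMap.get(fieldName.toLowerCase());
            if (f != null && f.getDescribe().isAccessible()) {
                visible.add(fieldName);
            }
        }
        return visible;
    }
}

// File: SchemaAllowlistControllerTest.cls  (role-based tests; names are assumptions)
@IsTest
private class SchemaAllowlistControllerTest {

    // Builds a constrained user on the Standard User profile and optionally grants
    // the feature through a permission set (hypothetical name 'Schema_Browser').
    private static User makeUser(Boolean withFeature) {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User(
            Alias = 'cons', Email = 'constrained@example.com', LastName = 'Constrained',
            EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            TimeZoneSidKey = 'America/Los_Angeles', ProfileId = p.Id,
            UserName = 'constrained.' + System.currentTimeMillis() + '@example.com'
        );
        insert u;
        if (withFeature) {
            PermissionSet ps = [SELECT Id FROM PermissionSet WHERE Name = 'Schema_Browser' LIMIT 1];
            insert new PermissionSetAssignment(AssigneeId = u.Id, PermissionSetId = ps.Id);
        }
        return u;
    }

    @IsTest
    static void userWithoutFeatureIsRejectedBeforeDescribe() {
        System.runAs(makeUser(false)) {
            try {
                SchemaAllowlistController.getAllowedFields('Account');
                System.assert(false, 'Expected authorization failure');
            } catch (AuraHandledException e) {
                // Expected: the authZ gate fires before any metadata is read.
            }
        }
    }

    @IsTest
    static void authorizedUserNeverSeesFieldsOutsideAllowlist() {
        System.runAs(makeUser(true)) {
            List<String> fields = SchemaAllowlistController.getAllowedFields('Account');
            Set<String> allowed = new Set<String>{ 'Name', 'Industry', 'Phone' };
            for (String f : fields) {
                System.assert(allowed.contains(f), 'Leaked non-allowlisted field: ' + f);
            }
            // Data minimization: an object outside the allowlist is refused even if FLS would permit it.
            try {
                SchemaAllowlistController.getAllowedFields('User');
                System.assert(false, 'Expected rejection of un-allowlisted object');
            } catch (AuraHandledException e) {}
        }
    }
}
```

Two design points worth noting. The allowlist check runs before Schema.describeSObjects, so an un-allowlisted name is rejected without revealing whether the object exists in the tenant; and the FLS loop iterates the allowlist rather than the describe map, so the response can only ever shrink below the UI contract, never grow beyond it. The second test asserts subset membership instead of an exact list because the fields a constrained user can read depend on the org's field-level security, which is precisely the behaviour being verified.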
Verification Checklist
No endpoint returns unrestricted Schema.getGlobalDescribe() output
Object and field metadata responses are allowlisted and use-case bound
Metadata APIs enforce explicit authZ checks and least-privilege output