Insecure Loading of Static Resources

This lab covers supply-chain and script-loading risks in Salesforce front ends and teaches how to enforce trusted sourcing, integrity controls, and platform-safe resource delivery.

Executive Summary

Insecure static resource loading happens when scripts or styles are pulled from untrusted or weakly controlled sources. In Salesforce applications, this can lead to browser-side compromise, data theft, and persistent trust breakdown in authenticated sessions.

Salesforce Attack Surface

  • External third-party scripts without integrity verification
  • User-influenced resource URLs in Visualforce or component templates
  • Mixed-content loading over insecure transport
  • Weak Content Security Policy (CSP) configurations allowing broad script origins
  • Outdated or unvetted front-end dependencies

Business Impact

  • Supply-chain compromise: trusted UI executes attacker-controlled code
  • Data exfiltration: browser-accessible data leaked to external endpoints
  • Session abuse: token and context theft from active users
  • Integrity loss: unauthorized UI and workflow manipulation

PoC Use Cases

<!-- Vulnerable external script loading -->
<script src="https://untrusted-cdn.example/library.js"></script>

<!-- Vulnerable user-controlled source -->
<script src="{!$CurrentPage.parameters.scriptUrl}"></script>

Exploitability is demonstrated when modified upstream code executes in the application's trusted context.

Testing Methodology

  • Inventory all script/style/resource include points
  • Validate source trust model and change-control ownership
  • Check CSP strictness and bypass opportunities
  • Verify integrity and transport protections for external assets
  • Reproduce impact with controlled malicious-resource substitution

Secure Engineering Patterns

  • Prefer Salesforce Static Resources for critical client code
  • Use strict allowlists for external domains when required
  • Apply Subresource Integrity for approved external scripts
  • Enforce HTTPS-only loading and strong CSP directives
  • Continuously monitor dependency freshness and provenance

<!-- Safer local resource include -->
<apex:includeScript value="{!$Resource.MyJavaScriptLibrary}"/>

Verification Checklist

  • No user-controlled resource URLs in executable include points
  • External resource usage is minimal, justified, and integrity-protected
  • CSP blocks unauthorized script origins and inline execution vectors
  • All resources load over secure transport only
  • Dependency review process is documented and enforced

Lab Exercises

This lab includes hands-on exercises to practice identifying and fixing insecure static-resource loading in Salesforce UIs:

  • Exercise 1: Enumerate all resource include paths
  • Exercise 2: Demonstrate impact of untrusted external script loading
  • Exercise 3: Migrate critical assets to trusted delivery paths
  • Exercise 4: Harden CSP and integrity controls
  • Exercise 5: Validate remediation with replay testing