JS in Salesforce DOM

This lab focuses on client-side security failures in Salesforce UI implementations, especially DOM-based injection patterns and unsafe JavaScript rendering practices in custom components.

Executive Summary

DOM-layer vulnerabilities occur when untrusted input reaches executable browser contexts through unsafe JavaScript APIs. In Salesforce front ends, the most common issues include unsafe HTML insertion, URL-based sink abuse, and dynamic script execution.

Salesforce Attack Surface

  • Custom LWC/Aura rendering with unsafe HTML sinks
  • Visualforce JavaScript reading uncontrolled query/hash parameters
  • Legacy scripts using innerHTML, document.write, or eval()
  • Client-side template interpolation without sanitization
  • Third-party UI libraries handling untrusted rich content

Business Impact

  • Client-side code execution: malicious script in trusted session context
  • Session and data exposure: sensitive data theft via browser context
  • UI trust compromise: phishing and action spoofing in authenticated views
  • Cross-feature propagation: vulnerable widgets affecting broader pages

PoC Use Cases

// Vulnerable sink: unsanitized DOM write
const value = new URLSearchParams(location.search).get('q');
document.getElementById('output').innerHTML = value;

// Vulnerable sink: runtime code execution
const payload = location.hash.slice(1);
eval(payload);

Prove exploitability by showing controlled execution in a realistic user navigation flow.

Testing Methodology

  • Map untrusted sources (URL, storage, postMessage, API responses)
  • Map client-side sinks and classify by execution context risk
  • Replay payloads specific to HTML, attribute, and script contexts
  • Confirm execution with browser tooling and reproducible evidence
  • Retest fixes against original exploit chains

Secure Engineering Patterns

  • Prefer safe text rendering APIs over HTML sinks
  • Sanitize rich HTML with vetted libraries when unavoidable
  • Eliminate eval()-style dynamic execution patterns
  • Apply strict URL and message validation before DOM writes
  • Use platform security controls and CSP defense-in-depth

// Safer rendering pattern
const value = new URLSearchParams(location.search).get('q') || '';
document.getElementById('output').textContent = value;
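The snippet above covers the text sink only. The block below is an added example for this lab, not code from the original page or from Salesforce: it extends the same idea to the other sources the lab lists (URL parameters for href/src sinks, the hash used as a view selector instead of an eval() payload, and postMessage data), keeping every guard a pure function so it can be unit-tested outside the browser. The function names and the origin/view allowlists are assumptions constructed for the example.

```javascript
// Added example for this lab, not code from the original page: pure helpers
// that validate the untrusted sources the lab names (query/hash parameters,
// postMessage) so only vetted values reach DOM sinks. Names and allowlists
// below are assumptions constructed for the example.
const ALLOWED_ORIGINS = new Set(['https://acme.my.site.com']); // constructed
const KNOWN_VIEWS = new Set(['home', 'orders', 'profile']);    // constructed

// Return a normalised http(s) URL or null. The URL parser trims and lowercases
// the scheme, so "  JaVaScRiPt:..." and "data:..." never reach an href/src sink.
function safeHttpUrl(raw, base, allowedHosts) {
  if (typeof raw !== 'string') return null;
  let url;
  try { url = new URL(raw, base); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (allowedHosts && !allowedHosts.has(url.hostname)) return null; // blocks //evil.example
  return url.href;
}

// Replacement for eval(location.hash): the hash may only select a known view
// id and is never interpreted as code or markup.
function safeViewId(hash, fallback) {
  const id = String(hash || '').replace(/^#/, '');
  return /^[a-z0-9_-]{1,32}$/i.test(id) && KNOWN_VIEWS.has(id) ? id : fallback;
}

// postMessage guard: check origin and data shape; return a bounded plain
// string or null, never an object a template could interpolate as markup.
function acceptMessage(event) {
  if (!event || !ALLOWED_ORIGINS.has(event.origin)) return null;
  const d = event.data;
  if (!d || typeof d !== 'object' || typeof d.text !== 'string') return null;
  return d.text.length <= 500 ? d.text : null;
}

// Safe text sink: textContent never parses markup, so a string such as
// "<img src=x onerror=...>" is displayed literally rather than executed.
function renderText(el, value) {
  el.textContent = value == null ? '' : String(value);
  return el.textContent;
}

// Browser wiring (skipped under Node): route the real sources through the guards.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const params = new URLSearchParams(location.search);
  const out = document.getElementById('output');
  if (out) renderText(out, params.get('q'));
  const href = safeHttpUrl(params.get('next'), location.origin, new Set([location.hostname]));
  const link = document.getElementById('next');
  if (link && href) link.href = href;
}
```

The regression checks for Exercise 5 can be expressed as assertions against these helpers, so a reintroduced unsafe sink fails in CI rather than only in manual browser testing.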

Verification Checklist

  • No untrusted data reaches executable DOM sinks unsanitized
  • Unsafe APIs (eval, document.write) removed from sensitive flows
  • URL-driven rendering paths validated and encoded
  • Regression payloads fail across target browsers and devices
  • Evidence package includes exploit and remediation confirmation

Lab Exercises

This lab includes hands-on exercises to practice identifying and fixing DOM-layer vulnerabilities in Salesforce front-end implementations:

  • Exercise 1: Identify unsafe source-to-sink data flows
  • Exercise 2: Exploit and document DOM injection behavior
  • Exercise 3: Replace vulnerable sinks with safe rendering APIs
  • Exercise 4: Add sanitization and validation controls
  • Exercise 5: Re-run regression payload suite to confirm closure