Unauthorized Outbound Access via Remote Site Settings Misconfiguration

This lab explains how overly flexible endpoint selection combined with broad Remote Site Settings can allow unintended outbound callouts, data exfiltration, and SSRF-like abuse patterns in Salesforce integrations.

Executive Summary

Remote Site Settings are required for Apex callouts, but risk grows when package code lets users influence target hosts, paths, or protocols dynamically. If the allowlist is broad and endpoint assembly is weak, outbound channels become attacker-steerable.

In managed packages, this can expose customer data to unauthorized external systems and create high-severity review findings around trust-boundary enforcement.

Salesforce Attack Surface

  • Dynamic endpoint construction: host/path derived from user input, custom settings, or metadata
  • Over-broad Remote Site allowlists: wildcard-like endpoint governance by policy/process gaps
  • Integration proxy controllers: generic HTTP wrappers exposing method, URL, or header control
  • Credentialed callouts: sensitive headers/tokens sent to attacker-controlled domains
  • Diagnostic utilities: test-callout features accidentally exposed in production contexts

Business Impact

  • Data exfiltration: outbound requests send records or tokens to unauthorized endpoints
  • Backend abuse: package functionality used as an outbound relay/proxy
  • Credential exposure: API keys and auth headers leak via malicious endpoint selection
  • Compliance and trust risk: uncontrolled integrations violate customer boundary expectations
  • Security review failures: endpoint validation gaps are common AppExchange blockers

PoC Use Cases

@AuraEnabled
public static String sendRequest(String host, String route, String payload) {
    HttpRequest req = new HttpRequest();
    req.setEndpoint('https://' + host + '/' + route); // User-influenced host
    req.setMethod('POST');
    req.setHeader('Authorization', 'Bearer ' + getApiToken());
    req.setBody(payload);
    return new Http().send(req).getBody();
}
  • Attacker supplies controlled host that matches overly permissive configuration assumptions.
  • Application sends sensitive headers/body to attacker endpoint.
  • Outbound channel is abused for data theft or unauthorized request relaying.

Testing Methodology

  • Callout inventory: locate all Apex callouts and endpoint composition logic
  • Input influence tracing: identify every parameter that can modify destination URL
  • Allowlist validation: test strict host pinning and rejection of unapproved endpoints
  • Leakage testing: verify whether auth headers/payloads reach attacker-controlled hosts
  • Evidence generation: collect request traces proving unauthorized outbound behavior

Secure Engineering Patterns

  • Hard endpoint allowlists: map business actions to fixed approved endpoint keys
  • No user-controlled hosts: accept route identifiers, not full or partial destination URLs
  • Named Credentials first: centralize auth and endpoint governance in platform controls
  • Header/payload minimization: send least sensitive data required per integration action
  • Outbound monitoring: alert on anomalous host usage and unexpected callout destinations
private static final Map<String, String> ENDPOINTS = new Map<String, String>{
    'syncCustomer' => 'callout:Customer_API/sync',
    'createOrder'  => 'callout:Order_API/create'
};

@AuraEnabled
public static String sendRequest(String actionKey, String payload) {
    if (!ENDPOINTS.containsKey(actionKey)) {
        throw new SecurityException('Action not allowed');
    }
    HttpRequest req = new HttpRequest();
    req.setEndpoint(ENDPOINTS.get(actionKey));
    req.setMethod('POST');
    req.setBody(payload);
    return new Http().send(req).getBody();
}

Verification Checklist

  • No callout path accepts user-supplied hosts or full destination URLs
  • Remote endpoint usage is tied to strict action-to-endpoint mappings
  • Named Credentials enforce controlled authentication and endpoint governance
  • Sensitive headers/tokens are never sent to dynamic or untrusted destinations
  • Regression tests cover endpoint tampering and outbound data leakage scenarios

Lab Exercises

  • Exercise 1: Enumerate all callout endpoints and destination construction paths
  • Exercise 2: Reproduce endpoint tampering in a dynamic-callout controller
  • Exercise 3: Demonstrate sensitive header/body leakage to unauthorized host
  • Exercise 4: Implement strict endpoint key allowlisting and Named Credential usage
  • Exercise 5: Re-test and produce AppExchange security review evidence
Start Lab Back to Labs