SOQL Injection

This lab focuses on identifying and remediating SOQL injection vulnerabilities in Apex and Visualforce code by replacing string-concatenated query construction with bind variables and allowlisted query keys.

Executive Summary

SOQL injection occurs when untrusted input is concatenated into a dynamic SOQL string that is then executed with Database.query(). Attackers can alter query logic, bypass the intended filter, and read records the page was never meant to return. SOQL has no data-modifying statements and no statement chaining, so the impact is confined to what the query returns; but in a class declared without sharing, or when field-level security is not enforced, that can be every record and field the org holds. In Salesforce this most often appears in search, filtering, sorting, and report-like custom endpoints.

Salesforce Attack Surface

  • Dynamic Database.query() construction from request parameters
  • Filter and sort builders assembled from UI-controlled input
  • Admin-style endpoints that expose flexible query options
  • Apex REST controllers that translate query-string options to SOQL
  • Visualforce controllers with direct concatenation patterns
// Vulnerable dynamic SOQL pattern: the request parameter becomes query text
String term = ApexPages.currentPage().getParameters().get('q');
// A single quote in 'q' closes the LIKE literal; everything after it is parsed as SOQL
String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + term + '%\'';
List<Account> rows = Database.query(q);

Business Impact

  • Unauthorized record exposure: broadened predicates return unintended datasets
  • Sensitive data leakage: expanded queries expose confidential attributes
  • Workflow abuse: attacker-influenced query results trigger unsafe downstream actions
  • Compliance risk: privacy and sector-control violations from excess data access
  • Operational instability: malformed or expensive payloads raise query cost and push the transaction toward SOQL governor limits (row counts, query time)

PoC Injection Patterns

Assess multiple payload families to validate realistic exploitability:

  • Boolean expansion payloads that neutralize original conditions
  • Quote-breaking payloads that alter clause structure
  • Sort/filter manipulation to retrieve unintended records
  • Error-based probing for query shape and parser behavior
// Example test payload family (for the LIKE '%term%' sink shown above)
// q = test' OR Name != null OR Name LIKE '%
// Resulting query text:
// SELECT Id, Name FROM Account WHERE Name LIKE '%test' OR Name != null OR Name LIKE '%%'
// The injected "OR Name != null" matches every Account; validate whether the
// dataset scope expands beyond the intended filter.

Testing Methodology

  • Inventory every dynamic SOQL sink and its input source
  • Replay with payload sets for quote, boolean, and logic manipulation
  • Compare baseline vs manipulated result cardinality
  • Review exception messages surfaced to the client: a System.QueryException from malformed dynamic SOQL discloses the query shape and confirms the sink is injectable
  • Capture reproducible evidence with request, query behavior, and impact

Secure Engineering Patterns

  • Use bind variables for all user-controlled values: `:var` in inline SOQL, or Database.queryWithBinds() for dynamic SOQL; String.escapeSingleQuotes() is the fallback only where a value must be spliced as text
  • Bind variables cannot supply field names, sort keys, or sort directions, so constrain those through strict allowlists
  • Use typed parameters and canonical validation (length, type, expected charset) before any query text is assembled
  • Apply least privilege in the data layer: run queries with USER_MODE (or WITH SECURITY_ENFORCED) and strip inaccessible fields with Security.stripInaccessible() where needed
  • Eliminate free-form query fragments (WHERE clauses, ORDER BY text) from user-controlled channels
// Safer pattern: the user value travels as a bind variable, never as query text
String term = ApexPages.currentPage().getParameters().get('q');
// Quotes inside term are now data. Note that % and _ inside term still act as
// LIKE wildcards, so strip or escape them if an exact substring match is intended.
String safeTerm = '%' + term + '%';
// WITH USER_MODE enforces object and field-level security for the running user
List<Account> rows = [
    SELECT Id, Name
    FROM Account
    WHERE Name LIKE :safeTerm
    WITH USER_MODE
];
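
The patterns above call for allowlisted sort and filter keys, which the snippet does not show, since a bind variable cannot carry a field name or a sort direction. The following is an added example, not code from the original lab: an Apex REST resource that accepts a search term, a filter field, and a sort key, binds the only user-controlled value, and accepts field identifiers solely from allowlists. The class name, URL mapping, parameter names, field allowlists, and the 80-character term limit are assumed for illustration.

```apex
// Added example (not from the original lab): allowlisted filter/sort keys plus a
// bound search term. AccountSearchRest, the /accounts/search mapping, the parameter
// names and the allowlisted fields are illustrative assumptions.
@RestResource(urlMapping='/accounts/search')
global with sharing class AccountSearchRest {

    // Only these field API names may appear in WHERE / ORDER BY. Field names
    // cannot be bound as variables, so an allowlist is the control here.
    private static final Set<String> FILTER_FIELDS =
        new Set<String>{ 'Name', 'Industry', 'BillingCountry' };
    private static final Set<String> SORT_FIELDS =
        new Set<String>{ 'Name', 'CreatedDate' };

    @HttpGet
    global static List<Account> search() {
        Map<String, String> p = RestContext.request.params;
        String term  = p.get('q');
        String field = p.get('field');
        String sort  = p.get('sort');
        String dir   = p.get('dir');

        // Canonicalize and validate every key before any query text is assembled.
        if (String.isBlank(term) || term.length() > 80) {
            throw new SearchException('q is required and limited to 80 characters');
        }
        if (!FILTER_FIELDS.contains(field)) {
            throw new SearchException('unsupported filter field');
        }
        if (!SORT_FIELDS.contains(sort)) {
            throw new SearchException('unsupported sort key');
        }
        // Anything other than an exact DESC collapses to ASC; no attacker text survives.
        String direction = 'DESC'.equalsIgnoreCase(dir) ? 'DESC' : 'ASC';

        // The assembled query text contains only literals from this class and
        // allowlisted identifiers. The single user-controlled VALUE is a bind.
        String soql = 'SELECT Id, Name FROM Account'
            + ' WHERE ' + field + ' LIKE :term'
            + ' ORDER BY ' + sort + ' ' + direction
            + ' LIMIT 200';
        Map<String, Object> binds = new Map<String, Object>{
            'term' => '%' + term + '%'
        };
        // AccessLevel.USER_MODE enforces object and field-level security for the
        // running user. Database.queryWithBinds requires API version 57.0 or later.
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    public class SearchException extends Exception {}
}
```

Requesting `/services/apexrest/accounts/search?q=Acme&field=Name&sort=CreatedDate&dir=desc` runs a bound LIKE on Name ordered by CreatedDate; any `field` or `sort` value outside the two sets is rejected before a query string exists, so quote-breaking and boolean payloads in those parameters never reach the parser. As with the inline pattern above, `%` and `_` in `q` remain LIKE wildcards, which is a scope concern rather than an injection one.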

Verification Checklist

  • No user input directly concatenated into executable SOQL fragments
  • All dynamic query values bound as parameters
  • Filter/sort controls enforced via allowlisted keys
  • Regression tests confirm payloads no longer broaden result scope
  • Security review evidence includes before/after exploit validation
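
The methodology above asks for a baseline-versus-payload cardinality comparison, and the checklist asks for regression tests proving the payload no longer broadens scope. The following is an added example, not code from the original lab: an Apex test that runs the same payload through the concatenated sink and the bound sink and asserts on result counts. The class and method names, the three constructed Account records, and the search term are assumed for illustration.

```apex
// Added example (not from the original lab): regression test comparing result
// cardinality for the vulnerable and bound patterns under the same payload.
// Class name, method names and the constructed test records are assumptions.
@IsTest
private class SoqlInjectionRegressionTest {

    // Vulnerable sink: the term is concatenated into query text (the "before" code).
    private static List<Account> searchUnsafe(String term) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(q);
    }

    // Hardened sink: the term is bound, so quotes inside it are data, not syntax.
    private static List<Account> searchSafe(String term) {
        String pattern = '%' + term + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    @IsTest
    static void payloadMustNotBroadenScope() {
        // Constructed test data: exactly one record matches 'Acme'; the other two
        // must stay out of scope. Test context sees only records inserted here.
        insert new List<Account>{
            new Account(Name = 'Acme Corp'),
            new Account(Name = 'Globex'),
            new Account(Name = 'Initech')
        };
        String baseline = 'Acme';
        // Quote-breaking + boolean expansion payload from the PoC section.
        String payload  = 'Acme\' OR Name != null OR Name LIKE \'%';

        Test.startTest();
        Integer unsafeBaseline = searchUnsafe(baseline).size();
        Integer unsafePayload  = searchUnsafe(payload).size();
        Integer safeBaseline   = searchSafe(baseline).size();
        Integer safePayload    = searchSafe(payload).size();
        Test.stopTest();

        // Evidence of exploitability: the payload expands the unsafe result set
        // from the one intended match to every Account.
        System.assertEquals(1, unsafeBaseline, 'baseline should match one record');
        System.assertEquals(3, unsafePayload, 'payload broadened the unsafe query');

        // Evidence of remediation: the bound query still returns the baseline match,
        // and the payload is treated as a literal substring that matches nothing.
        System.assertEquals(1, safeBaseline, 'bound baseline should match one record');
        System.assertEquals(0, safePayload, 'payload must not broaden the bound query');
    }
}
```

The unsafe assertions double as the reproducible evidence the methodology asks for: the request parameter, the resulting query behavior, and the impact (three records instead of one). Once the vulnerable sink is refactored, delete searchUnsafe and keep the safe assertions as the permanent regression guard.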

Lab Exercises

This lab includes hands-on exercises to practice identifying and fixing SOQL injection in Salesforce query flows:

  • Exercise 1: Identify injection sinks in dynamic SOQL construction
  • Exercise 2: Execute PoC payload families and assess impact
  • Exercise 3: Refactor vulnerable code with bind variables
  • Exercise 4: Enforce allowlisted filter and sort controls
  • Exercise 5: Validate remediation with regression payload tests