Unauthorised Use of SessionID

This lab explains how session-token exposure can lead to account compromise in Salesforce ecosystems and how to implement robust session handling patterns across UI and integration layers.

Executive Summary

Session IDs are high-impact authentication artifacts. Exposure through URLs, logs, client-side scripts, or weak handling patterns can enable session hijacking and unauthorized access to business-critical Salesforce data and operations.

Salesforce Attack Surface

  • Session tokens embedded in URLs or front-end markup
  • Debug logs and telemetry leaking session identifiers
  • Client-side storage with weak controls
  • Custom integrations forwarding SessionID beyond trust boundaries
  • Long-lived sessions without rotation or contextual controls

Business Impact

  • Account impersonation: attacker actions under victim identity
  • Unauthorized record access: exposure of sensitive CRM data
  • Privilege abuse: admin-session compromise and environment takeover
  • Incident complexity: forensic and containment challenges

PoC Use Cases

// Vulnerable pattern: token in URL (session ID becomes a query parameter that
// crosses the trust boundary and lands in proxy, server and browser history logs)
String sid = UserInfo.getSessionId();
String callback = 'https://api.example.com/sync?sid=' + sid;

// Vulnerable pattern: token in logs (debug logs are readable by anyone with
// View All Data / log access and are often exported to external tooling)
System.debug('Session ID => ' + UserInfo.getSessionId());

Validate exploitability by demonstrating replay or unauthorized action with captured session artifacts.

Testing Methodology

  • Trace all SessionID handling points across code and network paths
  • Inspect URLs, logs, headers, and browser storage for token leakage
  • Assess token scope, expiry, rotation, and revocation behavior
  • Attempt controlled replay from secondary client context
  • Document exploit path and mitigation effectiveness

Secure Engineering Patterns

  • Never expose SessionID in URLs, markup, or client-side variables
  • Prevent logging of authentication tokens and secrets
  • Use secure session cookie and transport controls
  • Enforce short lifetimes and token rotation at key boundaries
  • Use Named Credentials and server-side trust channels for integrations

// Safer integration approach: the Named Credential stores the endpoint and
// credentials; the platform injects authentication into the callout, so no
// session ID is ever read, concatenated or logged in Apex
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:MyNamedCredential/api/endpoint');
req.setMethod('GET');
HttpResponse res = new Http().send(req);

Verification Checklist

  • No SessionID exposure in URLs, logs, or page source
  • Replay attempts are blocked by session controls
  • Session expiry and rotation function as documented
  • Integration flows avoid direct SessionID propagation
  • Monitoring detects suspicious session anomalies
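
A defensive check for the URL and log inspection step of the testing methodology and the matching verification items, added here as an example and not code from the lab: a small Python scanner that flags Apex lines where UserInfo.getSessionId() (or a variable assigned from it) reaches System.debug() or a URL query parameter, and masks session-ID-shaped tokens in debug log text. The session-ID shape, the sample Apex lines, the log lines and the org ID are constructed assumptions.

```python
import re

# Constructed shape of a Salesforce session ID: 15-char org ID ("00D..."), "!", token.
SESSION_ID_RE = re.compile(r"\b00D[A-Za-z0-9]{12}![A-Za-z0-9._-]+")
# Sinks from this lab's PoC: System.debug(), or concatenation onto a URL query parameter.
URL_CONCAT_RE = re.compile(r"""['"][^'"]*[?&]\w+=['"]\s*\+""")
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*UserInfo\.getSessionId\(\)")

def find_apex_sinks(source):
    """Return (line_no, kind) for each Apex line where a session ID reaches a risky
    sink. Variables assigned from UserInfo.getSessionId() are tainted on later lines."""
    tainted, findings = [], []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m:
            tainted.append(m.group(1))
            continue
        carriers = ["UserInfo.getSessionId()"] + tainted
        carrier_re = r"\b(?:%s)(?!\w)" % "|".join(map(re.escape, carriers))
        if not re.search(carrier_re, line):
            continue
        if "System.debug(" in line:
            findings.append((no, "debug-log"))
        elif URL_CONCAT_RE.search(line):
            findings.append((no, "url-param"))
    return findings

def redact_session_ids(text):
    """Mask session-ID-shaped tokens in log text; returns (redacted_text, count)."""
    return SESSION_ID_RE.subn("[REDACTED-SESSION-ID]", text)

# Constructed sample inputs (not real org IDs, tokens or endpoints).
APEX_SAMPLE = """\
String sid = UserInfo.getSessionId();
String callback = 'https://api.example.com/sync?sid=' + sid;
System.debug('Session ID => ' + UserInfo.getSessionId());
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:MyNamedCredential/api/endpoint');
"""
LOG_SAMPLE = """\
12:00:01|USER_DEBUG|[31]|DEBUG|Session ID => 00D5g0000012345!AQEAQexampletoken.value
12:00:02|CALLOUT_REQUEST|GET https://api.example.com/sync?sid=00D5g0000012345!AQEAQexampletoken.value
12:00:03|USER_DEBUG|[40]|DEBUG|sync complete
"""
if __name__ == "__main__":
    for no, kind in find_apex_sinks(APEX_SAMPLE):
        print(f"line {no}: session ID reaches {kind} sink")
    redacted, n = redact_session_ids(LOG_SAMPLE)
    print(f"{n} session IDs masked\n{redacted}")
```

Run it over exported Apex classes and debug logs during Exercise 1 and again after Exercise 3; an empty findings list and a zero mask count are the expected clean result. The Named Credential callout lines are deliberately included as negative controls.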

Lab Exercises

This lab includes hands-on exercises to practice identifying and remediating SessionID exposure and misuse patterns:

  • Exercise 1: Enumerate all SessionID handling paths
  • Exercise 2: Demonstrate controlled session replay risk
  • Exercise 3: Remove exposure vectors from code and logs
  • Exercise 4: Implement robust session-control settings
  • Exercise 5: Re-test with verification checklist