Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

Abusing Misconfigured Salesforce Communities for Recon and Data Theft

Data Security, Threat Research

Executive Summary

A misconfigured Salesforce Community may lead to sensitive Salesforce data being exposed to anyone on the internet. Anonymous users can query objects that contain sensitive information such as customer lists, support cases, and employee email addresses.

This isn’t the first, nor the last time a SaaS configuration will create a potential security incident, underscoring the need for security teams to continually assess their SaaS exposure.

This guide explains how to check if your site is misconfigured and gives Salesforce admins detailed steps to:

  1. Ensure your guest profile permissions don’t expose things you don’t want to be exposed (account records, employee calendars, etc.)
  2. Disable API access for your guest profile
  3. Set the default owner for records created by guest users
  4. Enable secure guest user access

Impact

At a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign. At worst, they could steal sensitive information about the business, its operations, clients, and partners.

In some cases, a sophisticated attacker may be able to move laterally and retrieve information from other services that are integrated with a Salesforce account.

What are Salesforce Communities?

A Salesforce Community site lets your customers and partners interface with your Salesforce instance from outside your organization —they can open support tickets, ask questions, manage their subscriptions, and much more.

Communities are public-facing and, by default, indexed by Google. While this is useful for customers and partners, it makes it easy for attackers to discover public communities.

As you will see, Salesforce is highly customizable and can be difficult to administer. No two Salesforce instances are the same, with hundreds of third-party apps, custom objects, and configurations.

Technical Background

Salesforce communities run on Salesforce’s Lightning framework. Lightning is a rapid development framework for mobile and desktop sites.

Salesforce Lightning is a component-oriented framework. Those components, called aura components, are self-contained objects that a developer can assemble to create custom web pages.

Aura components can be used to perform actions on Salesforce objects—such as viewing or updating records. Components have controllers that export different methods to perform certain tasks.

Browsing a community site with a proxy service, such as Burp suite, shows us Lightning in action. The front-end web UI of a community uses the HTTP endpoint /s/sfsites/aura.

The browser uses the aura endpoint to retrieve information about the site and perform server-side actions as the user interacts with the community site. Naturally, the user’s permissions apply to these actions.

Browsing Salesforce with Burp Suite

Calling the aura endpoint is simply an HTTP request, either GET or POST, which consists of the following parameters:

  • pageURI – the path to the site, without the host. For example: “/s/”.
  • token – the current user’s token. The value of “undefined” indicates a guest user.
  • context – the current session’s context, provided by the site.
  • message – describes the desired action. It is possible to execute numerous methods in the same aura call. This structure contains a list of actions, which contain the method’s descriptor (a unique identifier of the method) and the call parameters.

The message structure is a URL-encoded JSON. Here is an example:

{
  "actions": [
    {
      "id": "222;a",
      "descriptor": "serviceComponent://ui.force.components.controllers.hostConfig.HostConfigController/ACTION$getConfigData ",
      "callingDescriptor": "UNKNOWN",
      "params": {}
    }
  ]
}
  • id – a random string that can be used when sending more than one action in a single request. That way the browser can match actions and responses.
  • descriptor – the specific method to call.
  • callingDescriptor – Usually “UNKNOWN,” as this parameter is often ignored
  • params – Used to provide parameters to the method

There are many different methods an unauthenticated user can execute to perform actions, such as:

  • Get information about the site
  • Get information about the Salesforce subscription
  • View default and custom objects and their fields
  • Retrieve data and records

Some of the objects you can query are Account, User, Case, Employee, Attachment, Contact, and Lead if access has been granted to the guest user.

How to check if your community is misconfigured

Below are steps you can use to validate whether your Salesforce data is unintentionally exposed to the guest users. In our research, we found a variety of exposed info about organizations, like users, objects, and fields that expose names and email addresses.

First, check if your community is discoverable in Google. In most cases, this is desired behavior–you want customers and partners to easily find your community. But, be aware, it also means attackers can discover your site.

Some Google magic will do the trick. There are common URL “fingerprints” that will indicate a website is powered by Salesforce Communities:

  • /s/topic
  • /s/article
  • /s/contactsupport

Let me Google that for you

Using operators such as “inurl:” together with the name of the target, for example, one can often find the desired community site:

Google search with inurl parameter

The next step is to retrieve information about the site. You can do that by calling the following method:

serviceComponent://ui.force.components.controllers.hostConfig.HostConfigController/ACTION$getConfigData

This method returns the domain of the organization, some security settings (e.g., allowed content security policy (CSP) domains), and available objects.

You can call different methods to perform different actions such as:

  • Listing Salesforce objects
  • Listing records
  • Searching for records
  • Retrieving an object
  • Fetching information about the salesforce instance

Fetching sensitive data

Next, see which data can be accessed directly and assess whether it should be exposed to guest users or not. Our security team has found a number of exposed sensitive records in our research.

You can query specific objects and examine them by calling the method:

aura://RecordUiController/ACTION$getObjectInfo

Which returns information about an object. This method supports all kinds of objects including custom ones.

The information includes the different fields, how they are configured, and the child relationships of the object.

The next step would be listing the records using the method:

serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems.

Here’s an example of listing Account records using this method:

You can then fetch even more information using methods such as:

serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord

or

aura://RecordUiController/ACTION$getRecordWithFields

To fetch interesting records with more fields and related objects.

Viewing third-party components

An adversary can view which 3rd party components are installed and try to take advantage of any vulnerable plugins.

When browsing the site, we can see that the browser loads several different JavaScript files with weird URLs, which begin with /l/ and then an encoded JSON object.

In these JavaScript files, we can find the definitions for the most accessible endpoints, including custom ones and/or third-party applications. The definitions are encoded in JSON:

{
  "descriptor": "compound://my_app.Component",
  "ac": [
    {
      "n": "doAction",
      "descriptor": "apex://my_app.ComponentController/ACTION$doAction",
      "at": "SERVER",
      "rt": "apex://String",
      "pa": [],
      "st": true
    }
  ],
  "pa": [
    {
      "name": "paramName",
      "type": "apex://String"
    }
  ]
}

By scanning the response for similarly formed JSON strings, one can learn about the custom methods and how to call them.

What can you do about it?

Managing a community site is a tough job. It is important to make sure that anonymous guest users and community users can only access intended and required records. There is info that you may want to share with the world and others that you don’t.

To secure your Salesforce environment, it is very important to adhere to the principle of least privilege and ensure that guest profiles only allow the minimum required permissions.

Step 1 – Audit your guest profile permissions

Navigate to your Site Builder (search for “All Sites” in the setup) and click on Settings or the gear icon on the left.

You will find your guest user profile under General. Click on it to modify the guest user’s permissions.

Here you can control field-level security to control access at a very granular level. This is where you will need to make decisions about access that are specific to your business needs.

Step 2 – Disable API access

It’s important to ensure that API enabled is unchecked. It’s recommended to disable Access Activities as well.

It is important to continuously monitor guest and community user permissions and sharing roles and to keep an eye on the records they own (and their related objects) to ensure sensitive information does not become publicly accessible.

Step 3 – Set a default owner for records created by guest users

Either go directly to your site’s workspaces, or use the site builder to navigate to the Administration workspace:

Under preferences, make sure that you set up a default owner for records created by guest users and, in most cases, you’ll want to turn off Let guest users see members of this site.

Step 4 – Enable secure guest user record access

Verify that the default access setting for guest users is secure: go to setup, and search for Sharing Settings. There look for the option Secure guest user record access and verify that it’s checked.

Salesforce is trying to help you make smart decisions about guest access. As of the Summer ’20 release, Salesforce has made it impossible to disable this setting. They’ve also now prevented you from granting guest users the View All Users permissions and you can’t give them access to view all data.

It’s still of utmost importance, however, to review configuration settings. Salesforce cannot disable them all for you because different users have different requirements.

Wrapping up

As you can see, with SaaS applications as complex and customizable as Salesforce there are countless configuration settings and permissions to worry about.

Most organizations deploy dozens of sanctioned SaaS applications, each with its own objects, permissions models, APIs, and sharing features.

This is why we built DatAdvantage Cloud-to provide a unified way to find exposures, right-size privileges, and perform investigations across all your sanctioned SaaS applications.

Appendix: Aura descriptors and how to use them

serviceComponent://ui.force.components.controllers.hostConfig.HostConfigController/ACTION$getConfigData
  • No parameters

Gets the app data, including a list of objects which often includes custom objects, and the Salesforce login domain.

serviceComponent://ui.global.components.one.one.controller.OneController/ACTION$getCurrentApp
  • No parameters

Gets more information about the app including an extended list of objects

aura://RecordUiController/ACTION$getObjectInfo
  • ObjectApiName (String) – the name of the object

This function returns the definition of the object: its fields, its relationships, and configuration.

serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems
  • entityNameOrId (String) – the name of the object to list. For example: “Account” or “User”
  • pageSize (Int) – Number of records to retrieve. Up to 1000
  • currentPage(int) – If there are more than pageSize records, use this to get the next pages.
  • getCount (Boolean) – whether the total number of records should be retrieved.
  • layoutType (String) – The layout. Provide “FULL” to get more data
  • enableRowActions(Boolean) – true
  • useTimeout (Boolean) – false

Lists records of the specified objects.

serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord
  • recordDescriptor(string) – the record “descriptor” – use the following format:
{id}.undefined.null.null.null.Id.VIEW.false.null.{fields}.null
  • Id – the id of the record to retrieve, fields – a comma-separated of fields to return. Replace all dots “.” with “;2”. For example:
00500000000XxXXWXX.undefined.null.null.null.Id.VIEW.false.null.Name,CreateBy;2Name.null

Other undocumented endpoints

  • aura://ActionsController/ACTION$getActionLayout
    aura://ActionsController/ACTION$getGlobalActions
    aura://ActionsController/ACTION$getListViewActions
    aura://ActionsController/ACTION$getLookupActions
    aura://ActionsController/ACTION$getMRUListActions
    aura://ActionsController/ACTION$getObjectCreateActions
    aura://ActionsController/ACTION$getQuickActionDefaults
    aura://ActionsController/ACTION$getRecordActions
    aura://ActionsController/ACTION$getRecordEditActions
    aura://ActionsController/ACTION$getRelatedListActions
    aura://ActionsController/ACTION$getRelatedListRecordActions
    aura://ActionsController/ACTION$getRelatedListsActions
    aura://ApexActionController/ACTION$execute
    aura://AppsController/ACTION$getNavItems
    aura://CanvasController/ACTION$getCanvasData
    aura://CommerceCatalogController/ACTION$getProduct
    aura://CommerceCatalogController/ACTION$getProductCategoryPath
    aura://CommerceImporterController/ACTION$importProducts
    aura://CommerceSearchController/ACTION$searchProducts
    aura://CommerceStorePricingController/ACTION$getProductPrice
    aura://ComponentController/ACTION$getApplication
    aura://ComponentController/ACTION$getApplicationDef
    aura://ComponentController/ACTION$getComponent
    aura://ComponentController/ACTION$getComponentDef
    aura://ComponentController/ACTION$getComponents
    aura://ComponentController/ACTION$getDefinitions
    aura://ComponentController/ACTION$getEventDef
    aura://ComponentController/ACTION$loadLabels
    aura://ComponentController/ACTION$reportDeprecationUsages
    aura://ComponentController/ACTION$reportFailedAction
    aura://ComponentController/ACTION$reportUsages
    aura://ConversationController/ACTION$getConversationCallStructureAndInsights
    aura://DynamicComponentController/ACTION$getTemplateDescriptorWithExpansionBundle
    aura://HostConfigController/ACTION$getConfigData
    aura://LabelController/ACTION$getLabel
    aura://LightningExperienceAssistantPlatformController/ACTION$getActiveQuestionnaires
    aura://LightningExperienceAssistantPlatformController/ACTION$getActiveScenarios
    aura://LightningExperienceAssistantPlatformController/ACTION$getAssistant
    aura://LightningExperienceAssistantPlatformController/ACTION$getQuestionnaire
    aura://LightningExperienceAssistantPlatformController/ACTION$saveAssistant
    aura://LightningExperienceAssistantPlatformController/ACTION$saveQuestionnaire
    aura://LinkedInSalesNavigatorController/ACTION$getSalesAccessToken
    aura://LinkedInSalesNavigatorController/ACTION$getSignupUrl
    aura://ListUiController/ACTION$getListInfoById
    aura://ListUiController/ACTION$getListInfoByName
    aura://ListUiController/ACTION$getListRecordsById
    aura://ListUiController/ACTION$getListRecordsByName
    aura://ListUiController/ACTION$getListUiById
    aura://ListUiController/ACTION$getListUiByName
    aura://ListUiController/ACTION$getListsByObjectName
    aura://LookupController/ACTION$getLookupRecords
    aura://ManagedContentController/ACTION$getManagedContentByTopicsAndContentKeys
    aura://ManagedContentController/ACTION$getPublishedManagedContentListByContentKey
    aura://MruListUiController/ACTION$getMruListInfo
    aura://MruListUiController/ACTION$getMruListRecords
    aura://MruListUiController/ACTION$getMruListUi
    aura://NavEventManagerController/ACTION$getClassicNonSetupPageReferenceMappings
    aura://NavEventManagerController/ACTION$getClassicSetupPageReferenceMappings
    aura://NavEventManagerController/ACTION$getResolvedIntegrationUrl
    aura://NavigationMenuController/ACTION$getCommunityNavigationMenu
    aura://OrchestrationController/ACTION$getOrchestrationInstance
    aura://OrchestrationController/ACTION$getOrchestrationInstanceCollection
    aura://OrchestrationController/ACTION$publishOrchestrationEvent
    aura://RecordMruController/ACTION$updateMru
    aura://RecordUiController/ACTION$createRecord
    aura://RecordUiController/ACTION$deleteRecord
    aura://RecordUiController/ACTION$executeAggregateUi
    aura://RecordUiController/ACTION$executeGraphQL
    aura://RecordUiController/ACTION$findDuplicates
    aura://RecordUiController/ACTION$getAggregateUi
    aura://RecordUiController/ACTION$getDedupeConfig
    aura://RecordUiController/ACTION$getDuplicateConfig
    aura://RecordUiController/ACTION$getFormByName
    aura://RecordUiController/ACTION$getLayout
    aura://RecordUiController/ACTION$getLayoutUserState
    aura://RecordUiController/ACTION$getObjectInfo
    aura://RecordUiController/ACTION$getObjectInfos
    aura://RecordUiController/ACTION$getPicklistValues
    aura://RecordUiController/ACTION$getPicklistValuesByRecordType
    aura://RecordUiController/ACTION$getRecordAvatars
    aura://RecordUiController/ACTION$getRecordCloneDefaults
    aura://RecordUiController/ACTION$getRecordCreateDefaults
    aura://RecordUiController/ACTION$getRecordDefaultsTemplateClone
    aura://RecordUiController/ACTION$getRecordDefaultsTemplateForCreate
    aura://RecordUiController/ACTION$getRecordUis
    aura://RecordUiController/ACTION$getRecordWithFields
    aura://RecordUiController/ACTION$getRecordWithLayouts
    aura://RecordUiController/ACTION$getRecordsWithFields
    aura://RecordUiController/ACTION$getRecordsWithLayouts
    aura://RecordUiController/ACTION$getValidationRulesInfo
    aura://RecordUiController/ACTION$postRecordAvatarAssociation
    aura://RecordUiController/ACTION$updateLayoutUserState
    aura://RecordUiController/ACTION$updateRecord
    aura://RelatedListUiController/ACTION$getRelatedListInfo
    aura://RelatedListUiController/ACTION$getRelatedListInfoBatch
    aura://RelatedListUiController/ACTION$getRelatedListInfoByApiName
    aura://RelatedListUiController/ACTION$getRelatedListInfoCollection
    aura://RelatedListUiController/ACTION$getRelatedListRecordCount
    aura://RelatedListUiController/ACTION$getRelatedListRecords
    aura://RelatedListUiController/ACTION$getRelatedListRecordsBatch
    aura://RelatedListUiController/ACTION$getRelatedListsRecordCount
    aura://RelatedListUiController/ACTION$updateRelatedListInfoByApiName
    aura://SearchGridLWCController/ACTION$updateUserColumnWidthPref
    aura://SeoPropertiesController/ACTION$getRecordSeoProperties
    aura://SitesController/ACTION$searchSite
    aura://StyleController/ACTION$applyTokens
    aura://WaveController/ACTION$deleteDataset
    aura://WaveController/ACTION$deleteRecipe
    aura://WaveController/ACTION$executeQueryByInputRep
    aura://WaveController/ACTION$getAnalyticsLimits
    aura://WaveController/ACTION$getDataflowJob
    aura://WaveController/ACTION$getDataflowJobNode
    aura://WaveController/ACTION$getDataflowJobNodes
    aura://WaveController/ACTION$getDataflowJobs
    aura://WaveController/ACTION$getDataflowJobsByDataflowId
    aura://WaveController/ACTION$getDataset
    aura://WaveController/ACTION$getDatasets
    aura://WaveController/ACTION$getRecipe
    aura://WaveController/ACTION$getRecipes
    aura://WaveController/ACTION$getReplicatedDatasets
    aura://WaveController/ACTION$getSchedule
    aura://WaveController/ACTION$getWaveFolders
    aura://WaveController/ACTION$getXmd
    aura://WaveController/ACTION$startDataflow
    aura://WaveController/ACTION$updateDataflowJob
    aura://WaveController/ACTION$updateSchedule
    serviceComponent://ui.chatter.components.aura.components.forceChatter.groups.actions.EditGroupNotificationSettingsController/ACTION$getNotificationSettings
    serviceComponent://ui.chatter.components.aura.components.forceChatter.groups.actions.EditGroupNotificationSettingsController/ACTION$setNotificationSettings
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$addParticipants
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$createMessage
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$getMessagesDetail
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$getMessagesListData
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$getMessagingPermAndPref
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$getMoreReplies
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$getRichTextConfig
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$getUserDetails
    serviceComponent://ui.chatter.components.messages.MessagesController/ACTION$removeParticipants
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.controller.PubliclyCacheableAttributeLoaderController/ACTION$getComponentAttributes
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.controller.PubliclyCacheableComponentLoaderController/ACTION$getAudienceTargetedPageComponent
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.controller.PubliclyCacheableComponentLoaderController/ACTION$getPageComponent
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.network.tracking.NetworkTrackingController/ACTION$createLogRecord
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.qb.QuarterbackController/ACTION$getBootstrapCacheExpiration
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.qb.QuarterbackController/ACTION$getTopicDescription
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.qb.QuarterbackController/ACTION$isValidSObjectId
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.qb.QuarterbackController/ACTION$setCurrentApp
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.qb.QuarterbackController/ACTION$validateRoute
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getActionOverrides
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getArticleUrlNameAndVersionId
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getArticleVersionId
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getCMSContentTypeAndURLName
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getCMSContentTypeUrlnameAndId
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getCategoryPath
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getNameFieldValue
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$getPersonAccountIdFromContactId
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.recordservicecomponent.RecordServiceComponentController/ACTION$isAllowViewEditConvertedLeadsOn
    serviceComponent://ui.comm.runtime.components.aura.components.siteforce.service.ServiceBodyController/ACTION$getTopicImageUrlFromContextId
    serviceComponent://ui.communities.components.aura.components.forceCommunity.baseSearch.BaseSearchController/ACTION$getCrossObjectDeflection
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.DeflectionDataProviderController/ACTION$getArticleDeflection
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.DeflectionDataProviderController/ACTION$getCombinedDeflection
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.DeflectionDataProviderController/ACTION$getCrossObjectDeflection
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.DeflectionDataProviderController/ACTION$getQuestionDeflection
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.LWCRecordDetailController/ACTION$getInitData
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.OmniBoxController/ACTION$getTopic
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.OmniBoxController/ACTION$getTopicFromEntityId
    serviceComponent://ui.communities.components.aura.components.forceCommunity.controller.OmniBoxController/ACTION$getTopicFromUrl
    serviceComponent://ui.communities.components.aura.components.forceCommunity.navigationMenu.NavigationMenuDataProviderController/ACTION$getNavigationMenu
    serviceComponent://ui.communities.components.aura.components.forceCommunity.signalCollector.SignalCollectorController/ACTION$sendSignals
    serviceComponent://ui.force.components.controllers.action.ActionController/ACTION$getServerSideComponent
    serviceComponent://ui.force.components.controllers.dedupe.DedupeManagerController/ACTION$findMatches
    serviceComponent://ui.force.components.controllers.dedupe.DedupeManagerController/ACTION$getConfig
    serviceComponent://ui.force.components.controllers.dedupe.DedupeManagerController/ACTION$loadObjectApiInfo
    serviceComponent://ui.force.components.controllers.dedupe.DedupeManagerController/ACTION$loadRecords
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$cloneRecordWithRelatedEntities
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getDetailComponent
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getEntityConfig
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getNextRecordLayout
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getPostSaveNavigationEvent
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord
    serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$saveSectionState
    serviceComponent://ui.force.components.controllers.dynamicLabel.UiDynamicLabelProviderController/ACTION$getLabel
    serviceComponent://ui.force.components.controllers.hostConfig.HostConfigController/ACTION$getConfigData
    serviceComponent://ui.force.components.controllers.inlineEdit.InlineEditController/ACTION$getNameField
    serviceComponent://ui.force.components.controllers.inlineEdit.InlineEditController/ACTION$getPostSaveNavigationEvent
    serviceComponent://ui.force.components.controllers.logoutHandler.LogoutHandlerController/ACTION$getLogoutURL
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$createQuickActionRecords
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$createRecord
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$deleteRecord
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$getRecord
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$saveQuickActionRecords
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$saveRecord
    serviceComponent://ui.force.components.controllers.recordGlobalValueProvider.RecordGvpController/ACTION$saveRecords
    serviceComponent://ui.force.components.controllers.recordLayoutBroker.RecordLayoutBrokerController/ACTION$getLayout
    serviceComponent://ui.force.components.controllers.recordLayoutBroker.RecordLayoutBrokerController/ACTION$getRecordAndLayout
    serviceComponent://ui.force.impl.aura.components.force.recordEditActions.RecordEditActionsController/ACTION$getEditActions
    serviceComponent://ui.global.components.one.actionsManager.ActionsManagerController/ACTION$handleAction
    serviceComponent://ui.identity.components.sessiontimeoutwarn.SessionTimeoutWarnController/ACTION$getSessionRefreshAction
    serviceComponent://ui.identity.components.sessiontimeoutwarn.SessionTimeoutWarnController/ACTION$getSessionTimeoutConfig
    serviceComponent://ui.instrumentation.components.beacon.InstrumentationBeaconController/ACTION$getLocators
    serviceComponent://ui.instrumentation.components.beacon.InstrumentationBeaconController/ACTION$sendData
    serviceComponent://ui.search.components.forcesearch.sgdp.MRUCacheController/ACTION$getGlobalMrus
    serviceComponent://ui.search.components.forcesearch.sgdp.PermsAndPrefsCacheController/ACTION$getPermsAndPrefs
    serviceComponent://ui.search.components.forcesearch.sgdp.ResultsFiltersCacheController/ACTION$getResultsFilterMetadata
    serviceComponent://ui.search.components.forcesearch.sgdp.ScopesCacheController/ACTION$getEntityLabels
    serviceComponent://ui.search.components.forcesearch.sgdp.ScopesCacheController/ACTION$getEntityNames
    serviceComponent://ui.search.components.forcesearch.sgdp.ScopesCacheController/ACTION$getScopeMaps
    serviceComponent://ui.self.service.components.profileMenu.ProfileMenuController/ACTION$getContextUserPhotoUrlAndUpdatedName
    serviceComponent://ui.self.service.components.profileMenu.ProfileMenuController/ACTION$getProfileMenuResponse
    serviceComponent://ui.sfa.components.nativeimport.ImportButtonController/ACTION$getConfig

     

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.