Hello, everyone. I'm Sanjay Gupta. I welcome you to Sanjay Gupta Tech School. So this is day 12 of the Salesforce Cyber Security Bootcamp. And today, Sumit will be explaining whatever cybersecurity tools he has explained so far. So he will be relating those tools with Salesforce so that you can learn how you can protect the Salesforce platform with the help of security tools. So welcome Sumit on the channel, and please share all the information or knowledge so that folks can learn security around Salesforce. Over to you, Sumit.

Am I audible? Yes, yes. Now you are audible. Welcome again to the cybersecurity bootcamp. Today I'm going to discuss finding bugs in Salesforce CRM. So guys, my name is Sumit Jain and I'm an ethical hacker and cybersecurity expert. I'm working as a CNET red team and pent up a red team member. Apart from that, I'm working as a senior security specialist at GTOR Networks. I have 10 plus years in this cybersecurity domain. Previously, I was working as a guest instructor at Central Detective Training School. Right now I'm helping students, freshers and professionals to build their career in cybersecurity. So guys, you can follow me on my YouTube channel, where I'm regularly creating content related to cybersecurity. And you can follow and share the Sanjay Gupta Tech School YouTube channel as well, where I'm conducting this bootcamp live. Please share a review or feedback about this bootcamp. You can contact me on the platforms below. I'm available only on Twitter. You can join our Telegram group for further discussions. Important links are available in the video description.

So today we are going to talk about how to find bugs in Salesforce CRM. So basically, Salesforce works as software as a product or platform as a service. Salesforce also has a disclosure program on its website. You can find it here: salesforce.com/company/disclosure.
Here is the path where the Salesforce bug bounty or responsible disclosure program is listed. So you can see here, Salesforce has listed its vulnerability disclosure policy and testing for security vulnerabilities. So you can find bugs in the Salesforce website as well as Salesforce CRM and Salesforce products. If you find a potential security vulnerability, you can report it at security@salesforce.com. And you can see Salesforce has mentioned that you should provide full details of the suspected vulnerability, so the Salesforce team can validate and reproduce the issue. Also, Salesforce does not permit the following types of security research: performing actions that may negatively affect Salesforce or Salesforce users; accessing or attempting to access data or information that does not belong to you; destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you; conducting any type of physical or electronic attack on Salesforce personnel, property or data centers; social engineering any Salesforce service desk, employee or contractor. You cannot do security research of any of these types. And also there is the Salesforce security team commitment: if you report a security vulnerability in Salesforce CRM, Salesforce will respond in a timely manner, acknowledging receipt of your vulnerability report, provide an estimated timeframe for addressing the vulnerability report, and notify you when the vulnerability has been fixed. So you can find vulnerabilities in Salesforce CRM, and there is also a dedicated subdomain created for security results. You can find it here, security.salesforce.com, where you can find multiple pieces of information related to how you can test the Salesforce platform or Salesforce products. So you can see the new releases, how Salesforce is integrated with MFA, and you can see here the security partnership. So you can see the Salesforce security guide.
And if you visit the URL, you can see this is the Salesforce security guide. And what it says is Salesforce security basics: authenticate users. When you build a product on Salesforce CRM, how do you authenticate users? There are multiple methods. Using these, you can authenticate your users. So authentication means preventing unauthorized access to your organization or its data by making sure each logged-in user is who they say they are. So this is something like: an unauthenticated user will not use your CRM or your product. So you have to read this security guide and you have to create your product according to this security guide. But right now we are here to find some security vulnerabilities in Salesforce products. So let's do this.

Salesforce is integrated as a CRM on some websites. So here is a list of some of the websites using Salesforce; you can find it on builtwith.com. You can search for what is built on Salesforce. So you can see there are multiple websites that are built on Salesforce. Let's see. There are multiple websites in this. Let's copy one of the websites and open it in a new tab and see if we can find something here. So I'm copying support.fanduel.com. So the first thing we do, if you have a target, is collecting information. You can use the Firefox add-on Wappalyzer to see if this is built on Salesforce or not. So you can clearly see this website uses Salesforce Service Cloud for live chat. This website uses the CRM Salesforce and Salesforce Service Cloud. So this is built on Salesforce. Now we have to analyze whether we can find something related to Salesforce security. Also, we can find some vulnerabilities in Salesforce itself. So how can you find some vulnerabilities?
So the first thing is collecting the information, and in our previous videos I already told you how to collect subdomains and how to collect links related to your target. So let's switch to our Kali Linux machine and find out if we can gather some information about the subdomains or links related to Salesforce, and then we can collect information about fanduel.com, which is using Salesforce CRM. This is my Kali Linux machine. First we have to collect some subdomains related to Salesforce. For collecting subdomains I am using assetfinder; you type -subs-only and then give your domain name. In my case my domain name is salesforce.com. Let's save all the results in a new file called salesforce.txt and run our tool. The tool is running in the background and you can see it is finding some of the subdomains Salesforce is using. So we have multiple subdomains related to Salesforce. So this is a subdomain, bhtp.mysalesforce.com, click.mail.salesforce.com. The tool is running continuously, giving results and saving them in salesforce.txt. Stop the tool here and see if we have some domains in our file salesforce.txt or not, and you see we have some domains to test on. We can try our methods for finding security vulnerabilities on all these domains we have collected so far. So you can see there are multiple domains. Let's filter whether all these domains are live or not; you can use a tool called httpx and then use the flag element. So this will tell you if our domain is live or not, and also store all these results in a new file, salesforce-live.txt. Let's run our httpx tool on all this collected information. So you can see httpx is filtering some of the domains and only displaying the live domains. All these domains are live and currently working. So you have salesforce.com, test.salesforce.com, mc500.salesforce.com, image.mail.salesforce.com.
So we have multiple subdomains that are live. Now we have to find some URLs or paths related to Salesforce. To do that we are using a tool called gau. So we echo our domain, which is salesforce.com, pipe it to gau, and store all the results in a new file. Give the file name salesforceurls.txt. All the results that gau discovers will be stored in salesforceurls.txt. You can see we have multiple paths, multiple links related to Salesforce. All these links belong to Salesforce. So we have some targets, some paths or some domains to analyze further.

Now, as we have collected some subdomains and paths related to Salesforce, the first thing we have to do is run an automated vulnerability scanner called nuclei. You have to install this automated vulnerability scanner; it will scan your target for potential vulnerabilities, and then you can analyze manually whether it is vulnerable or not. So for that we have a tool called nuclei. Let me tell you how to install it. The tool name is nuclei. You have to type it in your Linux terminal and hit enter. Nuclei will install, and then how to run this tool is: nuclei -u and give your domain name. In that case, we have salesforce.com; hit enter. So what will nuclei do? Nuclei will analyze salesforce.com and run its templates. We have around 6000 templates. This is running on our domain and it will display all the results, all the potential security vulnerabilities that we have in our salesforce.com domain. So you can see the issues are coming. Let's let this complete and then we will analyze whether it is vulnerable or not. So read one by one. We have technology detect: Akamai. So salesforce.com is using Akamai CDN technology. Also salesforce.com port number 443 is using some SSL DNS names. So this is the SSL. All these are SSL-related DNS names that are given in salesforce.com. SSL issuer: what is the SSL issuer?
The one Salesforce is using is DigiCert Inc. So the SSL certificate installed on Salesforce is delivered by DigiCert. This is a DNS record that Salesforce is using: the name server fingerprint. Salesforce is using udns3salesforce.com. The TXT fingerprint, the TXT record of DNS, is this docker verification. And you can see some tokens and verification links as well. And the tool is running. We have no more results related to Salesforce. This will take time to analyze the target you are giving, because it will run around 6000 templates on your target. So if you have a single target, it will run 6000 templates on that target; if you have multiple targets, all targets will be scanned. So using nuclei, we can find multiple vulnerabilities related to your domain. We have to categorize them as informational vulnerabilities, low-category vulnerabilities, medium-category vulnerabilities, high category or critical category. We can filter them out: these informational vulnerabilities are of no use and are not considered security vulnerabilities. So we have to filter out this informational output. To do this, you can use nuclei, give your target like salesforce.com, and then use a filter called -es. -es will exclude the severity you are giving. Right now I'm giving info. So it will not display the informational outputs in your result. Hit enter and you will see no informational output is displayed. Using nuclei, you can automate your security testing on your target. And if you are testing a product that is using Salesforce CRM, you can give the website name here and run nuclei. Nuclei is the automated security scanner that will analyze your target. It will take time to analyze, and you can see right now we have 3172 templates, because all informational templates are not running on this domain, as we have filtered them with the -es flag.
And you can see our gau is still running and collecting all the links related to Salesforce. These are all the Salesforce links that are running behind and using any of the subdomains. You can see the link content/dam, where, global, icons, product, industries. So we can find some sensitive information on these links. We will check after this is finished. If you have a target related to your Salesforce CRM, you can collect subdomains first, then find all possible links that your website is using, and then run all these links through nuclei and find some potential security vulnerabilities. The tools are running. So let's switch to our main website and see if we can find something manually or not.

One more process you can use is called fuzzing. You can do fuzzing on your target as well. What is fuzzing? Fuzzing is something like giving inputs to your target and seeing how your website responds. Like if your target is this. In our case, our target is salesforce.com/. If we can find some sensitive data on this path, we can find it with the help of the fuzzing process. We can fuzz by giving a word list to this domain, run it, and see if some sensitive files, like if this file is hidden, something like this. This file contains some configuration data, but it is hidden and you don't have any idea on which folder or on which path this file is running. So you can use the fuzzing process: you can fuzz your target and try to find some configuration files, some sensitive files, with the help of fuzzing. To do that process we use a tool called ffuf. The tool name is ffuf. This is pre-installed in your Linux distribution. So you use the command ffuf, then give your target name, which is -u and salesforce.com/FUZZ. I want to find the files on this path, so you have to type FUZZ in capitals and give a word list.
So for the word list we use the flag -w and the word list path. We need some word list to do the fuzzing process. For word lists you can use SecLists on GitHub, and you can find word lists related to your target.

Sumit, can you zoom in?

This is the word list I'm going to use to do the process of fuzzing. This folder has multiple files you can use, so you need to clone it. So let's move to our Linux terminal and clone the file. Before this, you can see our nuclei scan is complete and there are no results found; better luck next time. So this domain is not vulnerable to anything according to nuclei, but we can also test all the subdomains. For giving the subdomains you need to give your subdomain file. This is our subdomain file; use a pipe, run nuclei on them and filter with -es. So all the informational vulnerabilities will be filtered out, and all the templates nuclei has will run on all the subdomains we collected. Run this and you can see how many subdomains we have. So we have a total of 415 subdomains, and all subdomains are scanned with these 3000 templates, and we have already filtered out our informational vulnerabilities. So it will only display low, medium or high severity vulnerabilities. Let's see if we can find any vulnerabilities. While this process is running, let's download our word list for the process of fuzzing. So I open a new terminal and with git clone load the file; you need to git clone it, giving the URL github.com/danielmiessler/SecLists.

Sumit, I think that screen is not visible, so it is showing GitHub. Yeah, now it is visible, the command prompt.

Give the file name and it will clone. I already have this file. What we have in this file is SecLists, so you can see all the word lists we have in our SecLists folder; we have to use them with the help of ffuf.
So now this is also still running; I have to stop it. Now we have collected all the URLs, and with the help of nuclei we scanned for potential vulnerabilities. And with the help of ffuf we can scan whether we can find some potential files which contain some sensitive information. So let's run our tool ffuf as well. To do that, go back and clear the terminal, use ffuf, this is our file, use the domain you want to find vulnerabilities in, in our case salesforce.com, and then give the word list. For the word list we have SecLists: /home/kali/SecLists/Discovery/Web-Content. This is our word list file I'm going to run on Salesforce. We have an error; I didn't give the full URL. Now this is running and it will find all the possible directories, all the possible links. You can see all these folders ffuf is finding, and if it finds something the status code will be 200. So it is scanning all four hundred four thousand seven hundred fifteen folders. We have multiple word lists for finding various information, so you need to run various folders from SecLists. So let's check what we have. In the SecLists word list we have Discovery; use Discovery, and in Discovery we have Web-Content. You can go to this folder and we have all these word lists. So we have golang.txt, graphql, jboss, jenkins, weblogic. If you want to run any of these, you need to specify the path and run it on your target. Let's use another file; let's use combined_directories. So go back, give your tool, this is our command, I'm using combined_directories.txt and then run. So it will find all the backup files, all the directories; we have around 13 lakh possible combinations that will run on your target.
And if it can find some matching folders or content, it will result in status code 200, and you can see the sizes are also zero, so these folders or paths are not present on salesforce.com. What we can do: if some website is also using Salesforce CRM, you can first find subdomains, then find links, and search for sensitive data. So let's give this URL to our website; the website name is web.archive.org, where you can find some possible links manually. Let's copy this domain, this website is integrated with Salesforce CRM, and find some of the links. Go to the URLs. And you see we have some links, like this website has a robots.txt file, and this website has this link "anonymous request new"; this has 1498 entries, so you can search for some sensitive content, like config. If we have something related to config, the URL will be displayed. So here is a URL and it is Salesforce Aura; let's open it and see if we can find something sensitive or not. This will redirect to our Salesforce login, so we need to log in to our FanDuel support; we have to log in to Salesforce, then we can access the support. So this link is only accessible if you are an authenticated user, so the security is right. But if this link were open without any security, any protection, any authorization, we could find some configuration data, like you can see post.config, getconfig data. So we have multiple URLs; we have four entries related to config. Let's open them one by one and see whether all of them are asking for login credentials or not. This one also redirects us to log in. Let's use another; all of these redirect to our Salesforce login. Let's find another file like SQL; we don't have any SQL file. Let's find .ini files; we don't have any .ini. Let's find more.
We don't have an admin link. Password: we have some password-related paths, but these are some articles, so that's not suspicious. Database: we have some URLs which have DB in them, so let's open them.

Sumit, someone is asking: is Kali Linux a must for cyber security?

Yes, Kali Linux is a must for cyber security. You can use other Linux distributions as well that are based on pen testing, because these distributions have pre-installed tools that will be helpful if you are doing a pen test or if you are finding vulnerabilities on your target. So these distributions will surely help you; you can use the Parrot distribution as well. This is also based on Linux. So Kali Linux is a must, because every security tool is already installed, or it is completely based on security-related tools, so Kali Linux is a must.

So this website, this URL, is not running. Let me see if we can find some link; open this. So we don't have any URL that has some sensitive information. Let's find some token; if we can find some token. We don't have any token. Let's find API key; not API. We have some JS files. So let's find some JS. We have some API-related JS. Let's open this JS file. This is the JS file that is displayed here, and you can find some token, some password in this JS file. So you need to analyze and search for password in this JS; password is not present. You can search for some keys; keys are also not present, some tokens not present, some API. So we have API but not any key. So you need to analyze every JS file for sensitive information, and you can use the fuzzing process as well for quickly analyzing. Like we have a domain name displayed here, so you can use this if we have some information. This also redirects us to login.salesforce.com. So all these URLs are protected with the authentication process. You need to analyze or open every JS file you can find on your target.
Some of the JS files surely have some data, like this production JS; let's open this. This is not opening. This is also not visible. Nothing is opened. Everything is secured. Let's search for our main target salesforce.com, and also we have to check the result of our fuzzing process, which is completed. And let's see if we can find some 200 status. Nothing is displayed. Nothing is available. So we don't have any file from the fuzzing process. Let's find some JS files here. We have some JS files on Salesforce, like we have some smart player API. Let's open it. "The page you are trying to view isn't here." So this is protected. Let's open this. So this has a URL default JPG image. Let's open this. So the Salesforce JPG image. But if we have a CRM children list.js file. So you need to check every file, every possible file that has some content. We have a total of 212 entries related to our JS files. So you need to open each and every file, like this staging file. This is not visible.

So what is the process of testing? The first process is to collect all the domains or subdomains related to your target, using our subdomain collecting script. The second step is to collect all the URLs using a URL grabbing script. I already talked about how to collect subdomains and collect URLs in our previous videos, so you need to check that out. And then run nuclei templates on your domain and check if we can find some sensitive or some severity bugs like medium severity or high severity bugs. You can use fuzzing with a word list to find some sensitive data. So we have four processes to test our Salesforce CRM. We have more: we can find SQL, we can find some XSS vulnerabilities. I will talk about how to find SQL in tomorrow's session. So you need to practice using all these methods. You need to run nuclei templates on your domain; to do that, this is our command: nuclei -u and your target name.
And then filter out with -es, and filter with -es info. And if you are giving all the subdomains, then open your subdomain file, like I'm giving target.txt, then use a pipe and run nuclei -es info. And if you are fuzzing your target, use ffuf -u, give your target name, then FUZZ in capitals, and then give your word list, the word list path you want to use. The word list we are using is SecLists. You can easily Google it and clone it; for cloning the command is git clone and the path where SecLists is located. So you need to download the SecLists word list first, then give it with the help of ffuf, and it can fuzz all the possible combinations, the possible sensitive files or directories, some possible paths. You can use nuclei on your target to find potential vulnerabilities. Nuclei is an automated vulnerability scanner. And these two processes are compulsory, because they will give you some insights into how your domain is working, how many subdomains your domain has, how many URLs your domain has. And you can then filter out and see if we have some sensitive files, JS files, some database files, some database links, some sensitive files like configuration, APIs, admin files. So you can collect all these by visiting all these URLs collected by gau or Katana or waybackurls. In tomorrow's session, we will talk about how to find SQL injection or XSS vulnerabilities on your Salesforce CRM and the websites that are using Salesforce. So do join for tomorrow as well. And if you have any questions now, you can ask me.

Yeah, I think there are a few questions in the chat, if you can take them. Cyber account is asking: we are testing the entire Salesforce domain here, so can we pen test our own organization?

Yes, cyber, you can pen test your own organization as well. If your organization is using Salesforce CRM, you can use all these methods.
But you can use these methods on other CRMs as well, like WordPress or Adobe AEM; you can use these tactics on any other domains.

I don't see any other questions here. Okay. So I think you shared lots of knowledge, and maybe, guys, if you join tomorrow's session, you will be getting more information on this. And it is important to know how we can secure some Salesforce CRM through cybersecurity tools. So yeah, Sumit, actually this guy is asking about a Salesforce org. So in Salesforce, basically whenever we create an account, one instance is created. That is basically known as an org. So whenever we log in and try to access that CRM, that instance is basically known as an org, not the organization. So he's asking in that context. So you can consider that he's trying to log in to Salesforce.com, so he will be getting a free copy for practice. So he's asking how we pen test our own org.

So you can use nuclei or you can fuzz the link. You can fuzz your own link, and you can use nuclei and give the path; if we have multiple paths, then you can use nuclei, give the path with the help of -u, and then filter with -es. So nuclei will run on its own subdomains as well as links.

Okay, and maybe if you have questions, cyber account, you can join tomorrow's session and then you can ask more questions. So guys, this is it for today's session. Thank you for joining, and see you tomorrow at the same time; a few more tips and tricks will be shared with you. Thank you so much for sharing insights in today's session.
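An added example, not part of the session transcript and not a nuclei feature: the severity filtering Sumit applies with the -es info flag, done after the scan on nuclei's JSONL output instead, so informational findings can be kept for an asset inventory while only the low/medium/high/critical results go to manual triage, grouped per host and template. The sample lines are constructed, and the field names (template-id, info.name, info.severity, host, matched-at) follow nuclei's JSONL export as assumed here; check them against the version you run.

```python
import json
from collections import defaultdict

# Severity ranking used for sorting the triage list; "unknown" covers templates without a severity.
SEVERITY_ORDER = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "unknown": 0}

# Constructed sample of nuclei JSONL output (one JSON object per line, plus one line of
# non-JSON noise such as a banner). Field names are an assumption about nuclei's JSONL export.
SAMPLE_JSONL = """\
{"template-id": "tech-detect", "info": {"name": "Technology Detection", "severity": "info"}, "host": "https://crm.example.test", "matched-at": "https://crm.example.test"}
{"template-id": "ssl-issuer", "info": {"name": "SSL Certificate Issuer", "severity": "info"}, "host": "crm.example.test:443", "matched-at": "crm.example.test:443"}
{"template-id": "missing-csp", "info": {"name": "Missing Content-Security-Policy", "severity": "low"}, "host": "https://crm.example.test", "matched-at": "https://crm.example.test"}
{"template-id": "missing-csp", "info": {"name": "Missing Content-Security-Policy", "severity": "low"}, "host": "https://crm.example.test", "matched-at": "https://crm.example.test/login"}
{"template-id": "open-redirect-generic", "info": {"name": "Open Redirect", "severity": "medium"}, "host": "https://help.example.test", "matched-at": "https://help.example.test/?next=//other.example.test"}
[INF] this line is not JSON and is skipped by the parser
"""


def parse_nuclei_jsonl(text):
    """Parse nuclei JSONL output into flat dicts, skipping non-JSON lines (banners, warnings)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        info = obj.get("info", {})
        findings.append({
            "template": obj.get("template-id", "?"),
            "name": info.get("name", "?"),
            "severity": str(info.get("severity", "unknown")).lower(),
            "host": obj.get("host", "?"),
            "matched_at": obj.get("matched-at", "?"),
        })
    return findings


def exclude_severity(findings, excluded=("info",)):
    """Post-scan equivalent of nuclei's -es flag: drop findings whose severity is in `excluded`."""
    return [f for f in findings if f["severity"] not in excluded]


def triage_summary(findings):
    """One row per (host, template) with the number of matched URLs, most severe first."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["host"], f["template"])].append(f)
    rows = []
    for (host, template), items in grouped.items():
        rows.append({"host": host, "template": template, "name": items[0]["name"],
                     "severity": items[0]["severity"], "matches": len(items)})
    rows.sort(key=lambda r: (-SEVERITY_ORDER.get(r["severity"], 0), r["host"], r["template"]))
    return rows


def count_by_severity(findings):
    """Count findings per severity, useful for the inventory view that keeps the info results."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    all_findings = parse_nuclei_jsonl(SAMPLE_JSONL)
    print("all findings by severity:", count_by_severity(all_findings))
    for row in triage_summary(exclude_severity(all_findings)):
        print(f"{row['severity']:<8} {row['host']:<32} {row['template']} ({row['matches']} match(es))")
```

Run it on real output with `nuclei -l salesforce-live.txt -jsonl -o scan.jsonl` and replace SAMPLE_JSONL with the file contents; the info-level rows stay available for inventory while the triage list stays short.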