An AI Agent Just Pentested Salesforce Sites — And Found What Humans Missed
Give it a URL. It maps the attack surface. Analyzes every exposed endpoint. Identifies vulnerabilities. Writes working exploits. Runs them. No human guidance after the initial target.
This isn’t science fiction. It’s what Reco’s security research team built — and when they pointed it at real‑world Salesforce Experience Cloud sites, the results were brutal.
An autonomous AI agent discovered high‑severity vulnerabilities on sites belonging to major tech companies that invest heavily in security. It wrote exploit scripts from scratch, extracted real PII, and even scraped LinkedIn to build target lists — all without human intervention.
What the Agent Actually Did
The agent isn’t a single script. It’s a pipeline of AI skills that mirror a human pentester’s workflow: reconnaissance, analysis, exploitation, validation. But every phase is executed by an LLM that can reason, adapt, and make judgment calls.
Phase 1 — Reconnaissance
Starting with nothing but a URL, the agent discovered 263 Salesforce objects, 55 Apex methods, and 10 public routes — a complete map of the attack surface.
Phase 2 — Object Analysis
It categorized every object by sensitivity, prioritized tables like “Contact” and “Lead”, and attempted to query records as a guest user. For file objects, it downloaded and read content — not just listed them.
Phase 3 — Apex Fuzzing
For every exposed Apex method, the agent inferred valid inputs, invoked the method, analyzed responses, and probed for SOQL injection. When it found a difference — an error message, a changed result set — it confirmed the injection and characterized the oracle.
Phase 4 — Exploitation
The agent didn’t just report vulnerabilities. It wrote working Python exploits from scratch, ran them, and validated that data was actually extracted. For blind SOQL injection, it constructed subqueries, implemented character‑by‑character extraction, and optimized the request frequency.
Phase 5 — Severity Review
The agent reviewed its own findings with a skeptical eye, catching severity inflation and distinguishing real PII exposure from metadata leaks.
The agent found a single sensitive file among hundreds of mundane ones. It found the one injectable parameter among 49 methods. It even decided to scrape LinkedIn for email addresses after discovering an email leak, then used the vulnerable endpoint to validate them. That’s not pattern matching. That’s reasoning.
Case Study 1 — The Email Leak That Became a PII Harvest
A major cybersecurity vendor (disguised as “Aegis Security”) had a partner portal built on Salesforce. Guest user access was disabled — or so they thought.
The agent discovered that PartnerPortalOnboardingController.getContactInfo was accessible to unauthenticated users. Given any email address, it returned full Contact records — name, phone number, job title — plus the linked Account’s complete billing address.
Then the agent got creative. It scraped LinkedIn to identify employees of partner companies, constructed likely email addresses, and used the vulnerable endpoint to validate them. For every hit, it extracted the full Contact record and billing address. It compiled a long list of employees and partners with their PII.
It also discovered that the site’s ContentDocument object exposed files from a “Partner Assets” workspace — including a Partner Admin Guide marked “CONFIDENTIAL”, legal contract templates, and onboarding documents. All downloadable with a single unauthenticated GET request.
Case Study 2 — Blind SOQL Injection From a Blog Post
A Fortune 500 tech company (“Helios”) ran a support community on Salesforce. The agent mapped 49 Apex methods. When it reached BlogDetailController.getFeedDetails, it probed the blogId parameter with a single quote.
The server responded with a SOQL syntax error — the Salesforce equivalent of a SQL injection indicator. The developer had concatenated the parameter directly into a dynamic SOQL query instead of using a bind variable.
The agent identified a boolean oracle: when the injected condition was true, the blog post record returned with real engagement numbers. When false, counters returned zero. A clean, reliable oracle.
Then the agent wrote a complete Python exploit from scratch — understanding SOQL’s constraints, designing cross‑object subqueries, implementing character‑by‑character extraction, handling URL encoding and error cases. It extracted the email and full name of the blog post’s author.
Recognizing that each blog post has a different author, the agent expanded the exploit. Across 13 unique authors, it extracted full names, corporate email addresses, and for three employees, personal phone numbers. It then pivoted to linked Contact records, extracting a customer record from a major financial services firm — full name, corporate email, and direct phone number.
Beyond the injection, the agent analyzed accessible objects and discovered that ContentDocument records were queryable by guest users. Most files were mundane — profile pictures, community assets. But one CSV file stood out: a customer’s syslog export attached to a support interaction. It contained PII, authentication event history, session IDs, and internal application names. A third‑party customer’s sensitive security audit data, sitting on a public‑facing portal, downloadable by anyone.
These are not small startups. These are major technology companies that invest heavily in security. Their Salesforce portals were vulnerable in ways that a traditional pentest might have missed because the attack surface is massive (263 objects, 55 methods) and the real risk lies in chaining small misconfigurations — exactly what an AI agent does well.
What the Agent Did Well — And What a Human Still Does Better
✅ AI agent strengths
- Enumerates every endpoint, object, and method at scale (263 objects in minutes)
- Tests every parameter without fatigue
- Writes working exploits autonomously
- Pivots from one finding to the next (email leak → LinkedIn scraping → PII harvest)
- Finds the one needle in a haystack (a single sensitive file among hundreds)
🔴 Where humans still lead
- Understanding business context — “Is this Customer PII actually sensitive in this jurisdiction?”
- Ethical boundaries — The agent didn’t have a “stop” button. A human pentester knows when to pause.
- Reporting — The agent produces findings. A human produces a prioritized, actionable report for your board and your dev team.
- Remediation support — An agent doesn’t answer “how do I fix this?” at 2am. I do.
AI agents are now capable of finding vulnerabilities that human teams miss. They work at scale, they don’t get tired, and they can chain low‑risk issues into critical breaches.
But they don’t understand your business. They don’t know which data is truly sensitive. And they don’t have a relationship with your team.
You need both: AI‑assisted scanning for scale, and a human pentester for context, ethics, and actionable fixes.
What You Should Do This Week
- ✅ Audit your Salesforce Experience Cloud sites. Assume every exposed Apex method and accessible object will be probed. Review sharing rules, guest user permissions, and “without sharing” Apex classes.
- ✅ Check your guest user access. “Guest users can see and interact with the site without logging in” only affects default access to pages — not records. Files and methods can still be exposed.
- ✅ Use bind variables in SOQL. String concatenation in dynamic SOQL is still appearing in production code at major organizations. A single character (‘:’) instead of ‘\” would have prevented the entire Helios breach chain.
- ✅ Don’t rely on obscurity. Automated analysis doesn’t miss things because they’re buried. The agent found one sensitive file among hundreds. Assume all your controllers can be found.
- ✅ Get a human pentester who understands AI. The agent found the holes. A human needs to help you fix them — and verify the fixes.
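As a starting point for the audit and bind-variable items above, here is an added example (not code from the original post or from Reco): a small Python check that flags @AuraEnabled methods in "without sharing" classes and SOQL built by string concatenation. The Apex sample is constructed for illustration; Blog__c, BlogDetailControllerFixed and the rule names are assumptions.

```python
import re

# Constructed sample Apex modelled on the pattern described above, not the real
# Helios code. Blog__c and BlogDetailControllerFixed are hypothetical names.
SAMPLE_APEX = r"""public without sharing class BlogDetailController {
    @AuraEnabled
    public static List<SObject> getFeedDetails(String blogId) {
        String q = 'SELECT Id FROM Blog__c WHERE Id = \'' + blogId + '\'';
        return Database.query(q);
    }
}
public with sharing class BlogDetailControllerFixed {
    @AuraEnabled
    public static List<SObject> getFeedDetails(String blogId) {
        return Database.query('SELECT Id FROM Blog__c WHERE Id = :blogId');
    }
}
"""

CLASS_DECL = re.compile(r"^([^\n/*]*)\bclass\s+(\w+)", re.MULTILINE)
SHARING = re.compile(r"\b(with|without|inherited)\s+sharing\b", re.IGNORECASE)
# A quoted literal containing SELECT or WHERE that is closed and then joined to
# an identifier with '+': the concatenation a bind variable (:name) replaces.
CONCAT_SOQL = re.compile(r"'[^\n]*\b(?:SELECT|WHERE)\b[^\n]*'\s*\+\s*[A-Za-z_]", re.IGNORECASE)


def audit_apex(source):
    """Return (class_name, rule, line_number) findings for one Apex source text."""
    findings = []
    decls = list(CLASS_DECL.finditer(source))
    for i, decl in enumerate(decls):
        end = decls[i + 1].start() if i + 1 < len(decls) else len(source)
        body = source[decl.start():end]
        name = decl.group(2)
        first_line = source.count("\n", 0, decl.start()) + 1
        sharing = SHARING.search(decl.group(1))
        # Rule 1: a client-callable method in a class that opts out of sharing rules.
        if sharing and sharing.group(1).lower() == "without" and "@AuraEnabled" in body:
            findings.append((name, "aura-enabled-without-sharing", first_line))
        # Rule 2: SOQL text assembled by string concatenation on a single line.
        for offset, line in enumerate(body.splitlines()):
            if CONCAT_SOQL.search(line):
                findings.append((name, "soql-string-concat", first_line + offset))
    return findings


if __name__ == "__main__":
    for finding in audit_apex(SAMPLE_APEX):
        print(finding)
```

Both rules are line-based heuristics: they miss queries assembled across several statements and will also flag concatenations that are already escaped, so treat each hit as a prompt for manual review.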
Your Salesforce portals are connected to your sensitive data. When was the last time they were pentested?
Full infrastructure pentest: €3,000. Salesforce‑specific audit: included. Security retainer: €1,500/month.
📩 DM @StackOfTruths on X. Free 15-min consultation. No hard sell. Just honest answers about your real exposure.











