Slightly SOSL'ed - Locating and Testing SOSL Injection
12-09, 15:45–16:30 (Europe/London), Track 3

The Salesforce platform allows a platform-specific vulnerability, known as SOSL injection. While conceptually similar to SQL injection, testing and exploitation requires different payloads and different approaches.
In light of the lack of online documentation, and a distinct lack of online examples or tutorials, this talk will explain the issue and its consequences. It will illustrate some working methods for detecting and confirming the existence of the vulnerability within a website, showing different payloads useful payloads for detection and exploitation, before explaining the consequences for a vulnerable site and how to fix occurrences of the issue.

A web search for "SOSL Injection" typically returns one or two pages explaining that SOSL injection exists (and no other information), along with a horde of largely irrelevant results for SOQL injection.
The initial issues that I encountered when testing Salesforce applications were that SOSL injection seems to be largely invisible to web fuzzers (or at least, not noticeable) and that there were no write-ups online to show how to test for it, or what an exploit looks like, etc.
I'm hoping to rectify this by making this information more widely available and providing details on how to identify and test for the issue.

Talk Outline

  1. Introduction/whoami
  2. What is SOSL?
  3. What is SOSL Injection?
  4. Where Will I Find it?
  5. Testing for SOSL Injection:
    a) How and Where to Find it
    b) Investigation and Verification
    c) Exploitation
  6. Conclusions

Coming from a background of software development and architecture, I spent a few years as software developer, architect, team lead, working in secure software for the financial sector
I moved into security consultancy, fisrt as an in-house penetration tester and code reviewer in online gambling, before moving into security consultancy and working on code review, penetration testing, threat modelling, and automating security testing with new tools, scripts, etc.