Lightning Strike: Testing Salesforce Security with the Auraditor Extension

Auraditor

A Burp Suite extension for security testing Salesforce Lightning and Aura framework applications.

Features

Request Editor

  • View and edit Aura actions in HTTP requests
  • Add and remove actions using tabs
  • Edit controller names and method names
  • Modify JSON parameters for each action
  • Choose how to handle invalid JSON
  • Copy, cut, and paste in text fields
  • Toggle line wrapping for better readability

Base Requests Management

  • Save multiple base requests from HTTP history
  • Tag requests with custom names
  • Use saved requests for security testing operations

Discovery Operations

  • Find Aura controllers and methods from JavaScript files
  • Discover Lightning Web Component (LWC) endpoints
  • Extract API routes from application files
  • Search for objects by name in the application
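Both the Request Editor and the first Discovery bullet above work on the Aura wire format: a form-urlencoded POST whose `message` field carries a JSON list of actions, each identified by a descriptor of the form `scheme://Controller/ACTION$method` (for example `apex://MyController/ACTION$getRecords`), alongside `aura.context`, `aura.token` and `aura.pageURI` fields that must be carried over unchanged. The Python below is an added example written for this page, not Auraditor's own code. It parses such a body, edits one action's controller, method and JSON parameters (with a choice of what to do when the parameters are not valid JSON), re-encodes the request, and harvests controller/method pairs from a JavaScript fragment. The request body and JavaScript are constructed samples; `SampleController` and `EXAMPLE_FWUID` are placeholders.

```python
"""Parse, edit and re-encode a Salesforce Aura request, and harvest descriptors from JS."""
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample Aura POST body (illustrative values, not captured from a real org).
SAMPLE_ACTIONS = [{
    "id": "123;a",
    "descriptor": "apex://SampleController/ACTION$getRecords",
    "callingDescriptor": "UNKNOWN",
    "params": {"recordId": "0015000000WO1ZKAA1", "limit": 10},
}]
SAMPLE_BODY = urlencode({
    "message": json.dumps({"actions": SAMPLE_ACTIONS}),
    "aura.context": json.dumps({"mode": "PROD", "fwuid": "EXAMPLE_FWUID",
                                "app": "siteforce:communityApp"}),
    "aura.pageURI": "/s/",
    "aura.token": "undefined",   # guest (unauthenticated) sessions send this literal
})

# Constructed fragment of a Lightning component bundle, the kind of file the
# discovery step scans; the serviceComponent descriptor is a real built-in one.
SAMPLE_JS = (
    '({getRecords:function(c){var a=c.get("c.getRecords");return a;}},'
    '"descriptor":"apex://SampleController/ACTION$getRecords",'
    '"descriptor":"apex://SampleController/ACTION$deleteRecord",'
    '"descriptor":"serviceComponent://ui.force.components.controllers.lists.'
    'selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems")'
)

DESCRIPTOR_RE = re.compile(r"(?:apex|serviceComponent|aura)://[\w.]+/ACTION\$\w+")


def parse_aura_body(body):
    """Split the form body into its fields and decode the action list held in `message`."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    message = json.loads(fields.get("message", '{"actions": []}'))
    return fields, message.get("actions", [])


def build_aura_body(fields, actions):
    """Re-encode the action list into `message`; every other field is passed through."""
    fields = dict(fields)
    fields["message"] = json.dumps({"actions": actions}, separators=(",", ":"))
    return urlencode(fields)


def split_descriptor(descriptor):
    """'apex://Ctrl/ACTION$method' -> ('apex', 'Ctrl', 'method')."""
    scheme, rest = descriptor.split("://", 1)
    controller, method = rest.split("/ACTION$", 1)
    return scheme, controller, method


def make_descriptor(scheme, controller, method):
    return f"{scheme}://{controller}/ACTION${method}"


def edit_action(action, controller=None, method=None, params_json=None, on_invalid="error"):
    """Return a copy of `action` with controller, method and/or JSON params replaced.

    `on_invalid` picks the behaviour for unparsable `params_json` (the example's own two
    modes): "error" raises, "string" sends the raw text as a JSON string so the request
    still goes out, which is handy when probing how a method reacts to malformed input.
    """
    scheme, ctrl, meth = split_descriptor(action["descriptor"])
    new = dict(action, descriptor=make_descriptor(scheme, controller or ctrl, method or meth))
    if params_json is not None:
        try:
            new["params"] = json.loads(params_json)
        except ValueError:
            if on_invalid != "string":
                raise
            new["params"] = params_json
    return new


def find_descriptors(js_text):
    """Map each controller named in JavaScript to the sorted list of its action methods."""
    found = {}
    for descriptor in set(DESCRIPTOR_RE.findall(js_text)):
        _, controller, method = split_descriptor(descriptor)
        found.setdefault(controller, set()).add(method)
    return {ctrl: sorted(methods) for ctrl, methods in found.items()}


def demo():
    """Swap the method and params of the first action and return the new request body."""
    fields, actions = parse_aura_body(SAMPLE_BODY)
    actions[0] = edit_action(actions[0], method="getAllRecords", params_json='{"limit": 1000}')
    return build_aura_body(fields, actions)


if __name__ == "__main__":
    print(demo())
    print(find_descriptors(SAMPLE_JS))
```

Everything outside `message` is passed through untouched on purpose: `aura.context` (in particular `fwuid`) and `aura.token` are what the server uses to accept the request, and a hand-edited copy that drops or reorders them tends to fail in ways that look like an access-control result but are not.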

Route Testing

  • Test discovered routes automatically
  • Categorize routes by response type
  • Export results to files

Salesforce ID Tools

  • Analyze Salesforce ID structure and format
  • Convert between 15-character and 18-character IDs
  • Generate sequential Salesforce IDs
  • Create custom ID payload generators for Burp Intruder
  • Change decimal values in Salesforce IDs
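The ID tools rely on the fixed layout of a Salesforce ID: a 3-character object key prefix (001 is Account), a 2-character instance identifier, a reserved character (normally 0) and a 9-character base-62 record counter make up the 15-character form, and the 18-character form appends a 3-character suffix that records which of those 15 characters are uppercase, so it survives case-insensitive handling. The Python below is an added example written for this page, not Auraditor's own code. It implements the 15/18 conversion with suffix verification, the field breakdown, counter arithmetic for sequential IDs and, going one step beyond the list above, recovery of the original letter case from a lower- or uppercased 18-character ID. The ID `0015000000WO1ZK` is a constructed sample, and the 0-9, A-Z, a-z digit ordering for the counter is an assumption shared with common enumeration tools.

```python
"""Salesforce ID helpers: layout, 15<->18 conversion, case recovery and sequential IDs."""
import string

# Digit ordering assumed for the 9-character record counter (0-9, A-Z, a-z).
BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
# One symbol per 5-bit chunk value in the 18-character checksum suffix.
SUFFIX_ALPHABET = string.ascii_uppercase + "012345"


def to_18(id15):
    """Append the 3-character suffix that records which of the 15 characters are uppercase."""
    if len(id15) != 15:
        raise ValueError("expected a 15-character ID")
    suffix = ""
    for chunk in (id15[0:5], id15[5:10], id15[10:15]):
        value = 0
        for bit, ch in enumerate(chunk):      # first character of the chunk is bit 0
            if ch.isupper():
                value |= 1 << bit
        suffix += SUFFIX_ALPHABET[value]
    return id15 + suffix


def to_15(id18):
    """Strip the suffix, refusing an ID whose suffix disagrees with its first 15 characters."""
    if len(id18) != 18:
        raise ValueError("expected an 18-character ID")
    if to_18(id18[:15]) != id18:
        raise ValueError("checksum mismatch: ID is corrupt or its letter case was changed")
    return id18[:15]


def restore_case(id18):
    """Rebuild the correct letter case of an 18-character ID that was lower- or uppercased."""
    if len(id18) != 18:
        raise ValueError("expected an 18-character ID")
    body, suffix = id18[:15].lower(), id18[15:].upper()
    fixed = ""
    for i, sfx in enumerate(suffix):
        value = SUFFIX_ALPHABET.index(sfx)
        chunk = body[i * 5:(i + 1) * 5]
        fixed += "".join(ch.upper() if (value >> bit) & 1 else ch for bit, ch in enumerate(chunk))
    return fixed + suffix


def base62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + BASE62.index(ch)
    return n


def base62_encode(n, width=9):
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = BASE62[r] + out
    return out.rjust(width, "0")


def analyze(sfid):
    """Break a 15- or 18-character ID into its fields."""
    id15 = to_15(sfid) if len(sfid) == 18 else sfid
    if len(id15) != 15:
        raise ValueError("expected a 15- or 18-character ID")
    counter = id15[6:]
    return {
        "prefix": id15[0:3],      # object key prefix, e.g. 001 = Account
        "instance": id15[3:5],    # instance/pod the record was created on
        "reserved": id15[5],      # reserved, normally '0'
        "counter": counter,       # 9-character base-62 record number
        "counter_decimal": base62_decode(counter),
        "id15": id15,
        "id18": to_18(id15),
    }


def with_counter(sfid, counter_decimal):
    """Return the 18-character ID with the same prefix/instance but a new record number."""
    if not 0 <= counter_decimal < 62 ** 9:
        raise ValueError("counter out of range")
    a = analyze(sfid)
    return to_18(a["prefix"] + a["instance"] + a["reserved"] + base62_encode(counter_decimal))


def sequential(sfid, count, step=1):
    """List `count` IDs starting at `sfid`, moving `step` records each time (negative = back)."""
    start = analyze(sfid)["counter_decimal"]
    return [with_counter(sfid, start + i * step) for i in range(count)]
```

`sequential()` is the shape of payload an Intruder generator produces for IDOR probing: neighbours of a known record, fed into a parameter while watching for responses that differ. Two caveats apply. An 18-character ID that has been through a case-insensitive system will fail `to_15()` until it is passed through `restore_case()`, and the counter is only a rough guide to adjacency, since records created on other instances or at other times will not be dense around the seed value.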

Development Methodology

This extension is developed using a multi-agent workflow and the vibe coding technique:

  • Multiple AI agents (e.g., Claude, ChatGPT) collaborate under a strict planning and approval process defined in agent.md.
  • Each agent prepares an implementation plan in ai-context/tasks/{agent}-latest.md, which is reviewed and approved before any changes are made.
  • Commits are authored by the maintainer and co-signed by contributing AI agents using GitHub-recognized Co-Authored-By trailers.

See agent.md for the full AI development guidelines and workflows.

What Changed From the Original

  • Updated to modern Burp Suite API
  • Added tabs for managing actions
  • Fixed dark mode text visibility
  • Added context menus for text editing
  • Fixed request updates not being sent
  • Added user dialogs for error handling
  • Added discovery features for Lightning components
