Lightning Strike: Testing Salesforce Security with the Auraditor Extension
Auraditor
A Burp Suite extension for security testing Salesforce Lightning and Aura framework applications.
Features
Request Editor
- View and edit Aura actions in HTTP requests
- Add and remove actions using tabs
- Edit controller names and method names
- Modify JSON parameters for each action
- Choose how to handle invalid JSON
- Copy, cut, and paste in text fields
- Toggle line wrapping for better readability
Base Requests Management
- Save multiple base requests from HTTP history
- Tag requests with custom names
- Use saved requests for security testing operations
Discovery Operations
- Find Aura controllers and methods from JavaScript files
- Discover Lightning Web Component (LWC) endpoints
- Extract API routes from application files
- Search for objects by name in the application
Route Testing
- Test discovered routes automatically
- Categorize routes by response type
- Export results to files
Salesforce ID Tools
- Analyze Salesforce ID structure and format
- Convert between 15-character and 18-character IDs
- Generate sequential Salesforce IDs
- Create custom ID payload generators for Burp Intruder
- Change decimal values in Salesforce IDs
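The 15-to-18 character conversion listed above appends a three-character suffix that records which letters of the 15-character ID are uppercase, so an ID stays unambiguous in case-insensitive systems. The sketch below is an added example, not Auraditor's own code: the function names are hypothetical, the sample ID is constructed, and the field layout in `split_fields` is the commonly documented one, taken here as an assumption.

```python
import re

# Checksum alphabet: each suffix character encodes a 5-bit uppercase mask.
SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

def case_suffix(id15):
    """Compute the 3-character suffix for a case-sensitive 15-character ID."""
    if not re.fullmatch(r"[0-9A-Za-z]{15}", id15):
        raise ValueError("expected 15 ASCII alphanumeric characters")
    suffix = ""
    for start in (0, 5, 10):
        mask = 0
        for offset, ch in enumerate(id15[start:start + 5]):
            if "A" <= ch <= "Z":
                mask |= 1 << offset  # first character of the chunk is bit 0
        suffix += SUFFIX_ALPHABET[mask]
    return suffix

def to_18(id15):
    """Append the case suffix to get the case-insensitive 18-character form."""
    return id15 + case_suffix(id15)

def restore_case(id18):
    """Rebuild the canonical 18-character ID from a copy whose case was lost."""
    if not re.fullmatch(r"[0-9A-Za-z]{18}", id18):
        raise ValueError("expected 18 ASCII alphanumeric characters")
    body, suffix = id18[:15], id18[15:].upper()
    restored = []
    for chunk, symbol in enumerate(suffix):
        mask = SUFFIX_ALPHABET.find(symbol)
        if mask < 0:
            raise ValueError("invalid suffix character: " + symbol)
        for offset in range(5):
            ch = body[chunk * 5 + offset]
            is_upper = (mask >> offset) & 1
            if is_upper and ch.isdigit():
                raise ValueError("suffix marks a digit as uppercase")
            restored.append(ch.upper() if is_upper else ch.lower())
    return "".join(restored) + suffix

def split_fields(sf_id):
    """Split an ID using the commonly documented layout (an assumption here)."""
    return {"key_prefix": sf_id[:3], "instance": sf_id[3:5],
            "reserved": sf_id[5], "record": sf_id[6:15]}

if __name__ == "__main__":
    sample = "0015g00000AbCdE"  # constructed sample, not a real record ID
    print(to_18(sample), restore_case(to_18(sample).lower()), split_fields(sample))
```

`restore_case` rejects suffixes that cannot belong to the ID body, which is a useful server-side input check before an ID reaches a query.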
Development Methodology
This extension is developed using a multi‑agent workflow and the Vibe coding technique:
- Multiple AI agents (e.g., Claude, ChatGPT) collaborate under a strict planning and approval process defined in agent.md.
- Each agent prepares an implementation plan in ai-context/tasks/{agent}-latest.md, which is reviewed and approved before any changes.
- Commits are authored by the maintainer and co‑signed by contributing AI agents using GitHub‑recognized Co-Authored-By trailers.
See agent.md for the full AI development guidelines and workflows.
What Changed From Original
- Updated to modern Burp Suite API
- Added tabs for managing actions
- Fixed dark mode text visibility
- Added context menus for text editing
- Fixed request updates not being sent
- Added user dialogs for error handling
- Added discovery features for Lightning components
Download