Breaking into Salesforce: Our experience with Penetration Testing

TL;DR: Pen testing Salesforce requires brains, not tools.

For many companies, Salesforce has become the go-to platform for managing customer data. If it is also where your business stores confidential information, then you must do your part in strengthening the platform against threat actors. Whether your business has leveraged Salesforce for a while or recently deployed the platform, it’s vital to stay aware of potential weaknesses and address them before they become a threat.

Penetration testing is one measure that we recommend taking to really test your Salesforce deployment. Here are some insights from our team's experience pen testing Salesforce.

What is penetration testing?

Penetration testing, often called pen testing, simulates a cyber attack on your organisation or software to identify vulnerabilities. Think of it like a stress test. The aim is to find creative ways of exploiting these vulnerabilities to reveal methods that threat actors might leverage to gain unauthorised access to your data or systems.

During a pen test, we determine what is normal for the application and then try to take some unexpected actions. The goal is to identify the steps a threat actor might take to harm your system; this component requires creative flair. While tools can help reveal vulnerabilities, they are seldom enough. With a pen test, you need people to think and get creative to trigger a bad response.

What do we look for during the pen test?

It is important to note that pen testing is not trying to achieve the same goals as quality assurance testing. We are not ticking boxes to validate that a piece of software works as expected.

We aim to unearth the unexpected by attempting to trigger responses that should not occur in the system or application. For example, a pen tester looking at a login page for an online banking system might try entering a long string of characters in the username or password fields to see if the system can handle it. If the system crashes or returns an error message, it could indicate a weakness that an attacker could exploit using a similar technique.

The biggest issues we find in Salesforce deployments

How we pen test Salesforce differs slightly from typical pen tests that might target your IT infrastructure. Salesforce is a different environment from your regular IT infrastructure, so common attacks like SQL injection, or issues reported by automated tools, are less successful.

Problems with business logic are among the biggest issues that we find. This means that the application’s programming does not align with the intended business processes. Finding a problem with business logic in a web application is similar to a chef following an incorrect recipe. If they use the wrong recipe or misinterpret the steps, the dish will not be what the customer ordered. Another analogy would be putting shoes on before pants; there are no set rules as to why this is bad, but it just doesn’t seem right. Similarly, if the business logic in a web application is incorrect, the application may not function as intended, and it could compromise the security and functionality of the system.

Another common issue we see is a race condition. This is when different parts of the system work on the same task simultaneously, causing conflicts and unexpected results. For example, a race condition might occur when two users try to access the same data simultaneously, and the system does not have adequate safeguards to prevent data corruption.
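The race condition described above, as an added example that is not code from the original post or from any Salesforce deployment: two simultaneous requests redeem the same single-use record, first with no safeguard and then with the check and the write held under one lock. The `Voucher` class, the function names and the user names are hypothetical and constructed for illustration.

```python
import threading
import time

class Voucher:
    """Constructed single-use record shared by all requests (hypothetical)."""
    def __init__(self):
        self.redeemed = False
        self.payouts = []              # one entry per successful redemption
        self.lock = threading.Lock()   # stands in for a row/record lock

def redeem_unsafe(voucher, user, start):
    # Check-then-act with no safeguard. The barrier makes the race window
    # deterministic: both requests finish the check before either one writes.
    already_used = voucher.redeemed
    start.wait()
    if not already_used:
        voucher.redeemed = True
        voucher.payouts.append(user)

def redeem_safe(voucher, user, start):
    start.wait()                       # both requests arrive together
    with voucher.lock:                 # check and write form one atomic unit
        if not voucher.redeemed:
            time.sleep(0.01)           # widen the window; the lock still holds
            voucher.redeemed = True
            voucher.payouts.append(user)

def simulate(redeem):
    """Fire two simultaneous requests and return who was paid out."""
    voucher = Voucher()
    start = threading.Barrier(2)
    threads = [threading.Thread(target=redeem, args=(voucher, user, start))
               for user in ("user_a", "user_b")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(voucher.payouts)

if __name__ == "__main__":
    print("no safeguard:", simulate(redeem_unsafe))   # both users paid
    print("with lock:   ", simulate(redeem_safe))     # exactly one user paid
```

On Salesforce itself, the comparable safeguard in Apex is locking the record when it is queried, using the SOQL `FOR UPDATE` clause.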

Why should your business consider pen testing?

Penetration testing provides an independent assessment of the security of your Salesforce deployment. It helps you identify weaknesses overlooked during deployment and ensures you get the promised solution. It is also an excellent way to ensure compliance with regulatory and contractual requirements such as the Payment Card Industry Data Security Standard (PCI DSS) or the General Data Protection Regulation (GDPR).

Furthermore, pen testing is a proactive approach to security. By identifying vulnerabilities before attackers can exploit them, your business can reduce the risk of a data breach or security incident. Regular pen tests can help you identify and address vulnerabilities as they arise, ensuring your Salesforce deployment remains secure.


Penetration testing is an essential part of safeguarding your Salesforce implementation. It helps you detect and fix vulnerabilities and weaknesses, reducing the risk of attackers exploiting them. By taking proactive measures, you can strengthen your security posture and protect your business from potential threats.

Why choose Mercury to pen test your Salesforce deployment?

It’s important to work with experienced and qualified pen testing professionals to ensure creativity and effectiveness. In our pen testing processes, we aim to better understand your systems and provide a detailed understanding of the threats and risks you might encounter.

We are a CREST-registered company with one of Australia’s largest OSCP and CREST Certified teams. You can visit our services page for more on our capabilities.
