Or how I learned that some bugs are truly rare

Ah, yes, third party is 9 out of 10 times out of scope. But sometimes it's not. Sometimes it's very much in scope. Unlike Zendesk , Salesforce can be misconfigured by its clients or left in a default state which allows for access to interesting/not-meant-to-be-publicly-accessible data.

The Bug

It's really simple (for more complicated and indepth analysis check this article.

First you have to find a subdomain that is on Salesforce/aura, which is usually help.target.com, support.target.com or community.target.com, but it can also be some random thing like state.target.com etc. In case of widescope program it's best to use nuclei with Salesforce aura module to automate the process, but sometimes manual approach may be necessary.

Second, after finding Salesforce/aura site, using burp or even Firefox/chrome network inspector find any POST request to aura endpoint. You'll know what you're looking for when there's message parameter in the body:

Final step, this is where you learn if the target is vulnerable or not, edit the message parameter by replacing the value with this (you don't even have to encode it):

If the result shows Success and email address that is [email protected] or [email protected] or similar

Congrats, you have found highly likely Low bug/P4.

But, if it's either showing email address that's [email protected], or null, or Guest user isn't authorized, then they have properly configured that subdomain and you should move on.

The Low vs The Critical

There are plenty of Salesforce websites that have low/p4 type of bug that is quick and easy to test, but can be a process to get any bounty for it (but, so far in my experience bounty for this one is between $50 and $150).

But, then there's the medium to high to Critical, of which the critical is the rarest breed.

The Big Stuff

The small stuff is simply getting the User/UserProfile to give non default/null value, but the medium and the big stuff, those are truly interesting.

I'm referring to Content/ContentDocument and CollaborationGroup, these just by their names sound like they could have something interesting, even critical. But, one of these is more likely to disappoint even when it seems that it has a lot of stuff to investigate.

Content/ContentDocument

This one is where you can at first get super excited because it has a huge list of documents, but then you see it's .png or similar, with words like logo, brand, design, etc. Those suck. They have never been interesting from my experience. But, when it's .doc , .pdf, etc. Those are very much worth looking into. From my experience, I once found a lot of pdf documents with detailed bank invoices and of course a lot of PII. Fastest payout ever (less than 24 hours and $2K and not a private program).

CollaborationGroup

Here's one that you can see how interesting it is from the response text. If it contains discussions about company plans, and names of employees and what their positions are at the company, I mean it's already obvious how the attacker could abuse this. And most importantly, the bbp in question will know exactly how much they don't want that to be accessible information. Granted, in my experience it didn't reach critical/P1, nor P2, but P3 pays well on good bbps.