
Google-owned Mandiant has open-sourced AuraInspector, a defensive security tool built to help organisations find the Salesforce misconfigurations behind several major data exposures.
The free command-line tool identifies dangerous access-control misconfigurations in Salesforce environments, a notable step toward making enterprise-grade security testing widely available.
AuraInspector focuses on preventing large-scale data exposure. It targets the class of flaw that, over the past two years, has been abused to leak credentials, health information and identity documents from dozens of high-profile organisations. The tool scans Salesforce Aura framework implementations from an external perspective, simulating what an unauthenticated guest user can reach.
According to Mandiant, its Offensive Security Services unit frequently encounters misconfigurations within Salesforce Experience Cloud, where complex permission models can allow excessive access to go unnoticed until after a breach.
AuraInspector automates detection by discovering Aura endpoints, listing accessible Salesforce objects, and testing whether guest users have excessive permissions to sensitive records such as Account, Contact, and Lead data.
The tool also identifies Record List components that permit unauthorised viewing or modification of records and detects exposed administration panels linked to third-party modules. Mandiant revealed that it used the Salesforce GraphQL API to bypass the platform’s standard 2,000-record retrieval limit, describing this as a previously undisclosed technique. Efficiency is improved through action bulking, which tests multiple configurations in a single request.
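As an added illustration, not code from AuraInspector or Mandiant, the block below shows the two mechanics described above: bulking one Aura action per object into a single request, and deciding from the response which objects a guest session could read or write. The Aura POST form fields (`message`, `aura.context`, `aura.token`) and the `RecordUiController getObjectInfo` descriptor are the conventional shapes of the Aura request protocol, but their use here is an assumption rather than a detail taken from the tool; the object list, the `fwuid` value, the `createable`/`updateable` flags and the sample response are constructed for the example. A real scan would need the site's actual framework UID and would POST the form to the site's Aura endpoint (commonly `/s/sfsites/aura` on Experience Cloud, again an assumption here).

```python
import json

# Assumed Aura controller action that returns per-object metadata. The descriptor
# name is the conventional RecordUi action; it is an assumption of this example,
# not a value taken from AuraInspector's source.
GET_OBJECT_INFO = "aura://RecordUiController/ACTION$getObjectInfo"

# Objects the article names as sensitive, plus Case; a constructed list.
DEFAULT_OBJECTS = ["Account", "Contact", "Lead", "Case"]


def build_bulk_message(object_names, descriptor=GET_OBJECT_INFO):
    """Bulk one action per object into a single Aura 'message', so one POST
    tests every object instead of issuing one request per object."""
    actions = [
        {
            "id": f"{i};a",              # Aura correlates responses to requests by this id
            "descriptor": descriptor,
            "callingDescriptor": "UNKNOWN",
            "params": {"objectApiName": name},
        }
        for i, name in enumerate(object_names)
    ]
    return {"actions": actions}


def build_guest_form(message, fwuid, app="siteforce:communityApp", page_uri="/s/"):
    """Form fields for an unauthenticated Aura POST. fwuid must match the
    framework UID the site serves; aura.token is 'null' for a guest session.
    The app name and page URI are assumed defaults for an Experience Cloud site."""
    context = {"mode": "PROD", "fwuid": fwuid, "app": app,
               "loaded": {}, "dn": [], "globals": {}, "uad": False}
    return {
        "message": json.dumps(message),
        "aura.context": json.dumps(context),
        "aura.pageURI": page_uri,
        "aura.token": "null",
    }


def classify_guest_access(message, response):
    """Join each returned action to the object it asked about and report
    whether the guest could read the object and whether it is writable."""
    by_id = {a["id"]: a["params"]["objectApiName"] for a in message["actions"]}
    report = {}
    for act in response.get("actions", []):
        name = by_id.get(act.get("id"))
        if name is None:
            continue                      # ignore actions we did not send
        if act.get("state") == "SUCCESS":
            info = act.get("returnValue") or {}
            report[name] = {
                "readable": True,
                # constructed flags mirroring the UI API's object-info booleans
                "writable": bool(info.get("createable") or info.get("updateable")),
            }
        else:
            # ERROR / INCOMPLETE states mean the guest profile was refused
            report[name] = {"readable": False, "writable": False}
    return report


def findings(report):
    """Sorted lists of guest-readable and guest-writable objects."""
    readable = sorted(n for n, a in report.items() if a["readable"])
    writable = sorted(n for n, a in report.items() if a["writable"])
    return readable, writable


# Constructed sample response in the shape Aura returns for a bulked message:
# two objects open to guests (one of them writable), two refused.
SAMPLE_RESPONSE = {
    "actions": [
        {"id": "0;a", "state": "SUCCESS",
         "returnValue": {"apiName": "Account", "createable": False, "updateable": False}},
        {"id": "1;a", "state": "SUCCESS",
         "returnValue": {"apiName": "Contact", "createable": True, "updateable": True}},
        {"id": "2;a", "state": "ERROR",
         "error": [{"message": "You don't have access to this record."}]},
        {"id": "3;a", "state": "ERROR",
         "error": [{"message": "You don't have access to this record."}]},
    ]
}

if __name__ == "__main__":
    msg = build_bulk_message(DEFAULT_OBJECTS)
    form = build_guest_form(msg, fwuid="EXAMPLE_FWUID")   # constructed fwuid
    report = classify_guest_access(msg, SAMPLE_RESPONSE)
    readable, writable = findings(report)
    print("guest-readable:", readable)   # ['Account', 'Contact']
    print("guest-writable:", writable)   # ['Contact']
```

Nothing is sent over the network: the block only assembles the payload and interprets a constructed response, which is enough to see why bulking four object checks into one `message` cuts request volume, and why a `SUCCESS` state on a sensitive object from a token-less session is the finding a defender wants surfaced.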
Released on GitHub, AuraInspector is not an officially supported Google product. To limit misuse, the open-source release deliberately omits data-extraction features and runs read-only, never modifying target systems; Mandiant positions the tool as a preventive security control rather than a post-breach one.