[Image: Example BURP Scanner Screen]

If you have included an integration with an external application in your managed package, Salesforce requires that you run a BURP scan against that external application. Thankfully, they provide a free license for ISVs! While you can find documentation galore for testing websites and APIs, testing the beast known as a Canvas App is a lonely journey, or at least it used to be.

As background, Canvas Apps were introduced to replace iFrames of external websites and applications inside of Salesforce. iFrames, while convenient, are quite susceptible to abuse and security issues. Canvas provides a new way to integrate off-platform applications into the Salesforce UI (whether Chatter, tabs, or Visualforce). To do this in a secure, authorized manner, the page is generated via an HTTP POST rather than the plain HTTP GET of an iFrame. That POST originates from Salesforce's side rather than from the browser, and the response is proxied back to the browser. The POST body generally (though not always) carries authorization information in the signed_request parameter: user data, a session token, and contextual data (such as the record the user is currently viewing). From a BURP perspective, this creates two issues:

  1. The URL is requested by Salesforce, not by your browser, so BURP (sitting between your browser and the network) never captures the request
  2. The Canvas app usually needs the proper auth data POSTed to it in order to render the page at all

We can solve both of these issues with a little creativity:

  • Modify your Canvas app code to log the signed_request value it receives from Salesforce
  • Tail the log
  • Start the BURP proxy
  • Under the Proxy tab, set Intercept to ON
  • Log in to Salesforce and go to the page that “activates” the Canvas app (you can use the App Previewer in Setup)
  • From the log, retrieve the value of signed_request

Now that we have captured the POST data from Salesforce, the next step is to replay that POST to your Canvas App ourselves, routed through the BURP proxy running on your desktop. I have chosen curl for this. Assuming that your BURP proxy is listening at 127.0.0.1:8080, the following will work:

    curl --insecure -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"signed_request":"…"}' --proxy 127.0.0.1:8080 https://example.com/myCanvas

Note: The URL should be the URL of your Canvas app, and the abbreviated JSON string ('{"signed_request…"}') carries the signed_request value that you captured in your application logs. A brief explanation of the curl flags:

  • --insecure: BURP terminates the TLS connection and re-signs it with its own CA certificate, which curl does not trust, so without this flag curl refuses to connect. It simply skips certificate verification for the test. (If you prefer not to do that, export BURP's CA certificate and pass it to curl with --cacert instead.)
  • -H: set Accept and Content-Type to application/json, which is what this Canvas app expects. Salesforce itself delivers the signed request as a form-encoded body (application/x-www-form-urlencoded with a single signed_request field), so if your app reads it that way, drop the JSON headers and send -d 'signed_request=…' instead.
  • --proxy: the host:port your BURP proxy is listening on
  • -X POST: Canvas apps are driven by the POST; a plain GET will not render the app
  • -d: the request body. The key here is formatting your JSON correctly: single quotes around the whole body, double quotes around the key and the value. You know, properly formatted JSON

NOTE: You must still be logged in to Salesforce when you make this call. The POST data contains a session token that is only valid for the current session; once that session ends, the captured signed_request stops working and you need to capture a fresh one. With that in place, the call should now be proxied through BURP to your Canvas App. From there, you can spider and scan your app like any website or API.
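To make the procedure above concrete, here is an added Python example (not from the original post, and not Salesforce's SDK code) showing what is inside the signed_request your app logged, the HMAC check a Canvas app performs before trusting the session token in it, and how to form-encode the value for the curl replay. The consumer secret, oauthToken, IDs and URLs are constructed stand-ins; the envelope field names (algorithm, issuedAt, userId, client.oauthToken, context) follow the Canvas signed request format, in which a Base64 HMAC-SHA256 signature and a Base64 JSON envelope are joined by a period.

```python
"""Decode, verify and prepare for replay a Salesforce Canvas signed_request.

signed_request = Base64(HMAC-SHA256(consumer_secret, encoded_json)) + "." + encoded_json
where encoded_json is the Base64 of the JSON envelope carrying user, session
and context data.  Everything below uses constructed sample values.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed for this example.  The real secret is your connected app's
# consumer secret; the real envelope is the one Salesforce POSTs to you.
CONSUMER_SECRET = "example-consumer-secret-not-real"

SAMPLE_ENVELOPE = {
    "algorithm": "HMACSHA256",
    "issuedAt": 1500000000000,
    "userId": "005000000000001AAA",
    "client": {
        "oauthToken": "00D000000000001!AQEAQ.exampleSessionTokenNotReal",
        "instanceUrl": "https://example.my.salesforce.com",
        "targetOrigin": "https://example.my.salesforce.com",
    },
    "context": {
        "user": {"userName": "tester@example.com"},
        "environment": {"parameters": {"recordId": "001000000000001AAA"}},
    },
}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def sign_envelope(envelope: dict, consumer_secret: str) -> str:
    """Build a signed_request the way Salesforce does.  Only used here to
    produce test data; in real life Salesforce signs, your app verifies."""
    encoded_json = _b64(json.dumps(envelope, separators=(",", ":")).encode())
    sig = hmac.new(consumer_secret.encode(), encoded_json.encode(), hashlib.sha256).digest()
    return _b64(sig) + "." + encoded_json


def verify_signed_request(signed_request: str, consumer_secret: str) -> dict:
    """Check the HMAC over the encoded envelope and return the decoded envelope.

    Raises ValueError for a malformed, tampered or wrongly keyed request.  This
    is the check that stands between an attacker and a forged oauthToken.
    """
    try:
        encoded_sig, encoded_json = signed_request.split(".", 1)
    except ValueError:
        raise ValueError("signed_request must look like '<sig>.<envelope>'")
    try:
        provided = base64.b64decode(encoded_sig, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("signature is not valid Base64")
    expected = hmac.new(consumer_secret.encode(), encoded_json.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(provided, expected):  # constant-time compare
        raise ValueError("HMAC mismatch: wrong consumer secret or tampered envelope")
    envelope = json.loads(base64.b64decode(encoded_json))
    if envelope.get("algorithm") != "HMACSHA256":
        raise ValueError("unexpected algorithm in envelope")
    return envelope


def is_valid_signed_request(signed_request: str, consumer_secret: str) -> bool:
    try:
        verify_signed_request(signed_request, consumer_secret)
        return True
    except ValueError:
        return False


def replay_body(signed_request: str) -> str:
    """The form-encoded body Salesforce itself POSTs to the canvas URL; pass it
    to curl -d when replaying through BURP (no JSON headers needed)."""
    return urlencode({"signed_request": signed_request})


def run_checks() -> dict:
    """Genuine request verifies; wrong secret and edited envelope do not."""
    sr = sign_envelope(SAMPLE_ENVELOPE, CONSUMER_SECRET)
    sig, _ = sr.split(".", 1)
    # Attacker keeps the real signature but swaps in a different userId.
    forged_env = dict(SAMPLE_ENVELOPE, userId="005000000000002AAA")
    forged = sig + "." + _b64(json.dumps(forged_env, separators=(",", ":")).encode())
    return {
        "envelope": verify_signed_request(sr, CONSUMER_SECRET),
        "genuine_ok": is_valid_signed_request(sr, CONSUMER_SECRET),
        "wrong_secret_ok": is_valid_signed_request(sr, "some-other-secret"),
        "forged_ok": is_valid_signed_request(forged, CONSUMER_SECRET),
        "curl_body": replay_body(sr),
    }


if __name__ == "__main__":
    results = run_checks()
    print("session token in envelope:", results["envelope"]["client"]["oauthToken"])
    print("genuine/wrong-secret/forged verify:",
          results["genuine_ok"], results["wrong_secret_ok"], results["forged_ok"])
    print("curl -d", results["curl_body"])
```

Decoding the envelope this way is also how you confirm that what you captured really does carry the session token and record context the scan will exercise, and why the value goes stale when you log out: the oauthToken inside it is tied to your Salesforce session, not to the signature.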