PRP: Secret extractor for Salesforce OAuth Access Token and Refresh Token

[0xXA]

• Secret name: Salesforce OAuth Access Token and Refresh Token
• Risk in exposing the secret:

• Access token leaks allow attackers to immediately call Salesforce APIs (Authorization: Bearer <token>) as the victim.
• Refresh token leaks are more severe, since they can be exchanged indefinitely for new access tokens, providing persistent unauthorized access.

• Validation method:

• Send POST to https://login.salesforce.com/services/oauth2/token with grant_type=refresh_token and the leaked refresh token.
• If valid, a new access token is issued.

• Regex:

• 3MVG[0-9A-Za-z]{80,} → Salesforce OAuth Client ID
• [A-Za-z0-9._-]{20,60} near keywords client_secret → Client Secret
• 00D[0-9A-Za-z]{8,} → Salesforce Org ID prefix (often embedded in tokens)
• 00D[0-9A-Za-z]{8,}![A-Za-z0-9._-]{60,} → Common access token format
• [A-Za-z0-9._-]{100,} near refresh_token → Refresh token

• Resources:
  • Salesforce OAuth 2.0 Refresh Token Flow

[github-actions]

Welcome to the OSV-SCALIBR patch reward program!
Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.
Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.
~The OSV-SCALIBR PRP team

[github-actions]

This message is addressed to the OSV-SCALIBR panel.

Contributor stats

• The contributor has 0 issues tagged as main;
• The contributor has 1 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[0xXA]

Hi @erikvarga

I wanted to share an update regarding the Salesforce detectors work.

Initially, we assumed the detection logic for client credentials, refresh tokens, and access tokens would overlap, based on prior guess. However, during implementation it became clear that the Salesforce Access Token requires a separate detector with different heuristics and detection doesn't overlap with the existing Salesforce Client Credentials + Refresh Token detector. Moreover, validation is really complex in some of the extractors (especially JWT Signing).

Because of this, the overall effort is significantly larger than what would normally fit into a single PRP. Given the expanded scope and effort, could you please check with the panel whether they would be open to either:

1. Treating Salesforce Client Credentials + Salesforce Refresh Token + Salesforce JWT Signing Key and Salesforce Access Token as two separate PRPs due to overlapping nature. With n-tuples and pair as extra work.

2. Increasing the reward to match the combined effort equivalent to two PRPs + Extra work.

Brother since I’m done with this one, would you mind assigning me another issue from my queue ?

[erikvarga]

Hi @0xXA, thanks for the info. I've discussed this with the panel today and the conclusion was that we'll continue tracking this under one combined PRP but take the extra work for the two detection/validation methods and the n-tuples pre-work into account when determining the reward amount.

We've also decided on a new issue from your queue to work on, I'll finalize the details and assign it to you shortly.

[0xXA]

Sure thing, Thanks!