A Burp Suite extension for Lightning/Aura framework security testing with advanced action management, context editing, and comprehensive audit capabilities.

irsdl/auraditor

Auraditor

A Burp Suite extension for security testing Salesforce Lightning and Aura framework applications.

Developed by Soroush Dalili (@irsdl).

⚠️ DISCLAIMER

This tool is for authorized security testing only.

  • NO SUPPORT: The maintainer provides no support or warranty
  • NO LIABILITY: The maintainer is not responsible for any damage, harm, or legal consequences
  • NO GUARANTEE: The tool may not work properly or may cause issues
  • YOUR RESPONSIBILITY: Users assume ALL responsibility for proper, legal, and authorized use

Use at your own risk. Ensure you have proper authorization before testing any systems.

Features

Request Editor

  • View and edit Aura actions in HTTP requests
  • Add and remove actions using tabs
  • Edit controller names and method names
  • Modify JSON parameters for each action
  • Choose how to handle invalid JSON
  • Copy, cut, and paste in text fields
  • Toggle line wrapping for better readability

Base Requests Management

  • Save multiple base requests from HTTP history
  • Tag requests with custom names
  • Use saved requests for security testing operations

Discovery Operations

  • Find Aura controllers and methods from JavaScript files
  • Discover Lightning Web Component (LWC) endpoints
  • Extract API routes from application files
  • Search for objects by name in the application

Route Testing

  • Test discovered routes automatically
  • Categorize routes by response type
  • Export results to files

Salesforce ID Tools

  • Analyze Salesforce ID structure and format
  • Convert between 15-character and 18-character IDs
  • Generate sequential Salesforce IDs
  • Create custom ID payload generators for Burp Intruder
  • Change decimal values in Salesforce IDs
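
The 15-to-18-character conversion listed above relies on the case-encoding suffix that Salesforce appends to IDs. The sketch below is an added example, not Auraditor's code: the function names are hypothetical and the sample ID is constructed. It goes slightly beyond conversion by also verifying the suffix and restoring the case of an ID that a case-insensitive system folded.

```python
import re

SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"  # 5-bit value -> suffix character


def case_suffix(body15):
    """Three characters encoding which letters of a 15-character ID are uppercase."""
    if not re.fullmatch(r"[A-Za-z0-9]{15}", body15):
        raise ValueError("expected 15 alphanumeric characters")
    suffix = ""
    for start in (0, 5, 10):
        bits = 0
        for offset, ch in enumerate(body15[start:start + 5]):
            if ch.isupper():
                bits |= 1 << offset  # bit N set means character N of the chunk is uppercase
        suffix += SUFFIX_ALPHABET[bits]
    return suffix


def to_18(sf_id):
    """Append the suffix to a 15-character ID, or verify an 18-character one."""
    if len(sf_id) == 15:
        return sf_id + case_suffix(sf_id)
    if len(sf_id) == 18 and case_suffix(sf_id[:15]) == sf_id[15:].upper():
        return sf_id[:15] + sf_id[15:].upper()
    raise ValueError("not a valid 15- or 18-character Salesforce ID")


def restore_case(folded18):
    """Recover the case-sensitive form of an 18-character ID whose case was lost."""
    if not re.fullmatch(r"[A-Za-z0-9]{18}", folded18):
        raise ValueError("expected 18 alphanumeric characters")
    body, suffix = folded18[:15].lower(), folded18[15:].upper()
    restored = ""
    for chunk, code in enumerate(suffix):
        bits = SUFFIX_ALPHABET.index(code)  # raises ValueError for 6-9, which never occur
        for offset, ch in enumerate(body[chunk * 5:chunk * 5 + 5]):
            upper = bool(bits >> offset & 1)
            if upper and not ch.isalpha():
                raise ValueError("suffix marks a digit as uppercase")
            restored += ch.upper() if upper else ch
    return restored + suffix


# Constructed sample ID (not taken from any real org).
SAMPLE_15 = "001aB000001XyZq"
```

A lowercased 18-character ID fails `to_18` verification because its body no longer matches the suffix, while `restore_case` can rebuild the original from it.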

Requirements

  • Java 21 or higher
  • Burp Suite Professional 2025.x or later

Building

Using Maven wrapper (Windows):

.\mvnw.cmd clean package

Using Maven wrapper (Unix/Linux/macOS):

./mvnw clean package

Using Maven directly:

mvn clean package

Using VS Code:

  • Press Ctrl+Shift+P and run "Tasks: Run Task"
  • Select "Maven: Package" for a complete build

Installing

In Burp Suite:

  • Go to Extensions → Installed
  • Click "Add"
  • Locate the compiled jar file: target/auraditor-*.jar
  • Click "Next" to install

Technical Details

Built With

  • Burp Suite Montoya API
  • Java 21
  • Jackson JSON library
  • Swing UI

What Changed From Original

  • Updated to modern Burp Suite API
  • Added tabs for managing actions
  • Fixed dark mode text visibility
  • Added context menus for text editing
  • Fixed request updates not being sent
  • Added user dialogs for error handling
  • Added discovery features for Lightning components

Versioning

This project uses Semantic Versioning:

  • MAJOR (x.0.0): Breaking changes
  • MINOR (2.x.0): New features
  • PATCH (2.1.x): Bug fixes

Project Status

  • ✅ Active development with new features
  • ✅ Uses Burp Suite Montoya API (2025.8)
  • ✅ Independent project, not affiliated with Salesforce
  • ⚠️ No official support, use at your own risk

Screenshots

Main Interface

The main tab shows options for discovering routes, testing endpoints, and managing base requests.

Request Editor

The request editor adds tabs to view and edit Aura actions, context, and messages.

Salesforce ID Tools

Tools for analyzing Salesforce IDs and generating custom payloads for testing.

Additional Resources

Security Testing Guides

Salesforce ID Documentation

Related Projects

These projects provide additional tools for Salesforce security testing:

  • aura-dump - Tool for exploring Aura framework data
  • AuraIntruder - Automated Aura framework testing extension

Credits

This project builds upon salesforce/lightning-burp (now archived).

Auraditor is a complete rewrite with modern API, new features, and independent development.

Contributors

  • Soroush Dalili (@irsdl) - Project maintainer
  • AI Collaboration - Technical implementation and code optimization
