ID: SAT1046
- Initial Access
In SaaS platforms like Salesforce, ServiceNow, and Zendesk, misconfigured guest user permissions can lead to unauthorized data access or escalation of privileges. These platforms often allow guest (unauthenticated) users limited access for specific purposes. However, if guest access is not configured correctly, it may grant broader permissions than intended.
An attacker can exploit such misconfigurations by accessing a guest account and leveraging the excessive permissions to access or manipulate sensitive data, potentially leading to a full account takeover or data breach.
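An added example, not part of the original entry, of how a defender could audit for this condition: it compares exported guest-profile object permissions against an allowlist and reports every grant that exceeds it. The flag names follow Salesforce's ObjectPermissions fields; the profile names, sample rows and allowlist policy are constructed assumptions.

```python
# Audit guest-profile object permissions against an explicit allowlist.
# Flag names follow Salesforce's ObjectPermissions fields; the rows, profile
# names and allowlist are constructed for illustration (assumptions).

SEVERITY = {
    "PermissionsRead": "medium",
    "PermissionsCreate": "high",
    "PermissionsEdit": "high",
    "PermissionsDelete": "high",
    "PermissionsViewAllRecords": "critical",
    "PermissionsModifyAllRecords": "critical",
}
RANK = {"critical": 0, "high": 1, "medium": 2}

# Hypothetical policy: the only grants a guest profile is meant to hold.
GUEST_ALLOWED = {
    "Knowledge__kav": {"PermissionsRead"},
    "Case": {"PermissionsCreate"},
}

def row(profile, sobject, *granted):
    """Build one exported permission record with every flag set explicitly."""
    rec = {"Profile": profile, "SobjectType": sobject}
    rec.update({flag: flag in granted for flag in SEVERITY})
    return rec

# Constructed sample export, one record per (guest profile, object).
SAMPLE_ROWS = [
    row("Support Site Guest", "Knowledge__kav", "PermissionsRead"),
    row("Support Site Guest", "Case", "PermissionsCreate", "PermissionsRead"),
    row("Support Site Guest", "Contact", "PermissionsRead", "PermissionsViewAllRecords"),
    row("Partner Portal Guest", "Account", "PermissionsRead", "PermissionsEdit"),
]

def audit_guest_permissions(rows, allowed=GUEST_ALLOWED):
    """Return (severity, profile, object, flag) for each grant outside the allowlist."""
    findings = []
    for rec in rows:
        # Objects missing from the allowlist permit nothing (default deny).
        permitted = allowed.get(rec["SobjectType"], set())
        for flag, severity in SEVERITY.items():
            if rec.get(flag) and flag not in permitted:
                findings.append((severity, rec["Profile"], rec["SobjectType"], flag))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1], f[2], f[3]))

if __name__ == "__main__":
    for severity, profile, sobject, flag in audit_guest_permissions(SAMPLE_ROWS):
        print(f"[{severity}] {profile}: {sobject} grants {flag}")
```

The default-deny lookup means an object that is newly exposed to a guest profile is reported until someone adds it to the allowlist deliberately.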