sdfc forbidden and advanced techniques
TRANSCRIPT
![Page 1: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/1.jpg)
Salesforce Forbidden and Advanced Techniques, or Dark forces in the service of the Salesforce Jedi
Screen scraping, Reverse engineering, URL hacking, Salesforce UI Requests Automation
![Page 2: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/2.jpg)
![Page 3: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/3.jpg)
Introduction
About myself: Bohdan Dovhan
* Salesforce Development Team Lead
* Salesforce Certified Force.com Developer
* Salesforce Certified Force.com Advanced Developer
* 7 years of Development experience
![Page 4: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/4.jpg)
Forbidden or advanced techniques
* Screen scraping: “Please Don’t Screen Scrape Visualforce!” Screen scraping is the most fragile integration you can imagine. If there is a better option, screen scraping should not be used.
* Debugging gacks (internal Salesforce errors): gack id (stack trace id). Sometimes it is possible to fix the issue without Salesforce Support.
* Reverse engineering of a Managed Package to work around MP bugs
* URL hacking: prepopulating field values on the standard interface
* Salesforce UI Requests Automation
![Page 5: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/5.jpg)
URL hacking: prepopulating field values
* To create an arbitrary record, follow the URL: /{SObject prefix}/e?
* To populate standard fields: ?{standard field name}={value}
* To populate custom non-lookup fields: ?{custom field id}={value}
* To populate a custom lookup field: ?CF{custom field id}_lkid={lookupId}&CF{custom field id}={lookup.Name}
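
The parameter formats above, assembled by a small builder that URL-encodes every name and value, so a value containing `&` or `=` cannot add or override other parameters. This is an added example, not code from the slides; the class, its method names and the sample values in the usage comment are assumptions.

```apex
// Added example (not from the slides); all names here are hypothetical.
public class PrepopulatedUrlBuilder {
    public class UrlHackException extends Exception {}

    private final String path;
    private final List<String> params = new List<String>();

    // keyPrefix: the three-character SObject prefix, e.g. '001' for Account.
    public PrepopulatedUrlBuilder(String keyPrefix) {
        requireAlnum(keyPrefix, 3, 3, 'SObject prefix');
        path = '/' + keyPrefix + '/e';
    }

    // ?{standard field name}={value}
    public PrepopulatedUrlBuilder standardField(String fieldName, String value) {
        return add(fieldName, value);
    }

    // ?{custom field id}={value}
    public PrepopulatedUrlBuilder customField(String fieldId, String value) {
        requireAlnum(fieldId, 15, 18, 'custom field id');
        return add(fieldId, value);
    }

    // ?CF{custom field id}_lkid={lookupId}&CF{custom field id}={lookup.Name}
    public PrepopulatedUrlBuilder customLookup(String fieldId, Id lookupId, String lookupName) {
        requireAlnum(fieldId, 15, 18, 'custom field id');
        add('CF' + fieldId + '_lkid', String.valueOf(lookupId));
        return add('CF' + fieldId, lookupName);
    }

    public String build() {
        return path + '?' + String.join(params, '&');
    }

    private PrepopulatedUrlBuilder add(String name, String value) {
        params.add(EncodingUtil.urlEncode(name, 'UTF-8') + '='
            + EncodingUtil.urlEncode(value == null ? '' : value, 'UTF-8'));
        return this;
    }

    // Rejects prefixes and ids that are not plain alphanumeric of the expected length.
    private static void requireAlnum(String s, Integer minLen, Integer maxLen, String label) {
        if (s == null || !Pattern.matches('[A-Za-z0-9]{' + minLen + ',' + maxLen + '}', s)) {
            throw new UrlHackException('Unexpected ' + label + ': ' + s);
        }
    }
}
// Usage with constructed sample values:
// String url = new PrepopulatedUrlBuilder('001').standardField('acc2', 'Smith & Sons').build();
```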
![Page 6: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/6.jpg)
URL hacking: trusted IP Address Range
To add your office or home IP Address to Trusted Network Access Range, follow the link https://login.salesforce.com/05G/e?IpStartAddress=194.44.136.82&IpEndAddress=194.44.136.82&Description=Office
and hit Save
![Page 7: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/7.jpg)
URL hacking: Remote Site Settings
To add a remote site setting, follow the link https://login.salesforce.com/0rp/e?EndpointUrl=https://test.salesforce.com&SiteName=test&DescriptionField=testdescription and hit Save
![Page 8: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/8.jpg)
URL hacking: easy FLS copy
1. Inspect the request which is sent on FLS save on the source field (the one you want to copy FLS settings from)
2. Replace the field Id with the desired field id
3. Open that URL in the browser
4. => PROFIT!

https://test.salesforce.com/_ui/common/config/field/StandardFieldAttributes/e?id=00N56000000QtLp&type=01IE0000000flp2&retURL=%2F00N56000000QtLp%3Fsetupid%3DCustomObjects&setupid=CustomObjects&_CONFIRMATIONTOKEN=VmpFPSxNakF4Tmkwd05pMHdOVlF3T0RvME16bzFOaTR4T0RoYSwxUEZObk9lX3Itc1JuTnVOaUdpS24xLFptRXpaRFpo&cancelURL=%2F00NE00000045qVx%3Fsetupid%3DCustomObjects&id=00NE00000045qVx&retURL=%2F00NE00000045qVx%3Fsetupid%3DCustomObjects&save_new_url=%2F_ui%2Fcommon%2Fconfig%2Ffield%2FStandardFieldAttributes%2Fe%3FretURL%3D%252F00NE00000045qVx%253Fsetupid%253DCustomObjects%26type%3D01IE0000000flp2%26setupid%3DCustomObjects&setupid=CustomObjects&type=01IE0000000flp2&save=+Save+&d00eE0000000IR4ZIAW=1&d00eE0000000z6D2IAI=1&r00eE0000000z6D2IAI=1&d00eE0000000z6D8IAI=1&d00eE0000000iXojIAE=1&d00eE0000000j0tSIAQ=1&d00eE0000000j0erIAA=1&r00eE0000000j0erIAA=1&d00eE0000000z6CfIAI=1&r00eE0000000z6CfIAI=1&d00eE0000000z6CrIAI=1&r00eE0000000z6CrIAI=1&d00eE0000000z6CmIAI=1&r00eE0000000z6CmIAI=1&d00eE0000000z6CyIAI=1&r00eE0000000z6CyIAI=1&d00eE0000000z6D1IAI=1&r00eE0000000z6D1IAI=1&d00eE0000000idXhIAI=1&r00eE0000000idXhIAI=1&d00eE0000000z6D3IAI=1&r00eE0000000z6D3IAI=1&d00eE0000000IQwlIAG=1&d00eE0000000IQwkIAG=1&d00eE0000000j4iyIAA=1&d00eE0000000G1Z5IAK=1&r00eE0000000G1Z5IAK=1&d00eE0000000z6DUIAY=1&r00eE0000000z6DUIAY=1&d00eE0000000z6CuIAI=1&r00eE0000000z6CuIAI=1&d00eE0000000IR4UIAW=1&r00eE0000000IR4UIAW=1&d00eE0000000IQvXIAW=1&d00eE0000000idR5IAI=1&d00eE0000000z6CxIAI=1&d00eE0000000j4W9IAI=1&r00eE0000000j4W9IAI=1&d00eE0000000j62qIAA=1&r00eE0000000j62qIAA=1&d00eE0000000z6ClIAI=1&r00eE0000000z6ClIAI=1&d00eE0000000z6DHIAY=1&r00eE0000000z6DHIAY=1&d00eE0000000z6DDIAY=1&r00eE0000000z6DDIAY=1&d00eE0000000z6D7IAI=1&r00eE0000000z6D7IAI=1&d00eE0000000j6TSIAY=1&d00eE0000000z6DOIAY=1&r00eE0000000z6DOIAY=1&d00eE0000000iYlBIAU=1&d00eE0000000z6CqIAI=1&r00eE0000000z6CqIAI=1&d00eE0000000z6CjIAI=1&r00eE0000000z6CjIAI=1&d00eE0000000ifooIAA=1&r00eE0000000ifooIAA=1&d00eE0000000ifotIAA=1&r00eE0000000ifotIAA=1&d00eE0000000j4YoIAI=1&d00eE0000000z6DTIAY=1&r00eE0000000z6DTIAY=1&d00eE0000000z6DMIAY=1&r00eE0000000z6DMIAY=1&d00eE0000000z6ChIAI=1&d00eE0000000j6YwIAI=1
![Page 9: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/9.jpg)
Screen Scraping Use Case: Get TotalLicenses
1. There is no “good” way to obtain “TotalLicenses” on Salesforce User License.
2. There is a pilot feature which is not available for APEX queries even when enabled, and the client needs to ask Salesforce to turn that feature on and write complex logic to retrieve that field value.
3. Instead, we can just screen scrape the User Licenses page and transform it into custom object records. I implemented this in a ULETAS Gamma managed package.
4. Custom object records can be used for easy further integration; they are accessible through APEX queries.
![Page 10: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/10.jpg)
![Page 11: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/11.jpg)
![Page 12: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/12.jpg)
![Page 13: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/13.jpg)
Salesforce UI Requests Automation
Never say never. Nothing is impossible for those who believe.
Even if some piece of functionality is not exposed through Standard Objects, Apex Queries, REST API, SOAP API, Metadata API, Tooling API, or Bulk API, it doesn’t mean that it is impossible to write an integration for it.
Using a combination of Screen Scraping, URL hacking, and Requests Reverse Engineering, it is possible to integrate ANY functionality which is exposed through the Salesforce UI.
Such an integration won’t be reliable and will be the most fragile integration you can ever imagine; however, it at least exists when you can’t achieve that by any other means.
![Page 14: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/14.jpg)
![Page 15: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/15.jpg)
Salesforce UI Requests Automation: Smart S2S
If you are tired of performing some tasks manually, you can implement Salesforce UI Requests Automation using a combination of Screen Scraping, URL hacking, and Requests Reverse Engineering.
Use case: reconnect the S2S connection of sandboxes after the monthly refresh.
1. Particular implementation for the current client (hardcoding templates there)
2. General implementation for an arbitrary pair of source and destination connections

General integration I am going to present as Smart S2S managed package (not ready yet)
![Page 16: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/16.jpg)
![Page 17: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/17.jpg)
![Page 18: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/18.jpg)
![Page 19: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/19.jpg)
![Page 20: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/20.jpg)
![Page 21: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/21.jpg)
![Page 22: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/22.jpg)
![Page 23: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/23.jpg)
![Page 24: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/24.jpg)
Screen scraping basics: Local Browser
To screen scrape from the current organization, you can use the way suggested by Bob Buzzard, which I call “Local Browser”:

```apex
public class LocalBrowser {
    // Fetches a page of the current org and returns its raw content.
    public static Blob browse(String endPoint) {
        return new PageReference(endPoint).getContent();
    }
}
```

This approach works only for GET requests. It is used in the get total licenses package.
![Page 25: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/25.jpg)
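Screen scraping basics: Browser.get
To screen scrape from the other organization, you need an HTTP Request Callout:

```apex
// 'cookies' is not defined on the slide; it is assumed to be a static String
// member of the enclosing class holding the Cookie header for the other org.
public static HttpResponse get(String endPoint) {
    Http h = new Http();
    HttpRequest req = new HttpRequest();
    req.setHeader('Cookie', cookies);
    req.setTimeout(60000); // milliseconds
    req.setEndpoint(endPoint);
    req.setMethod('GET');
    return h.send(req);
}
```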
![Page 26: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/26.jpg)
Screen scraping basics: Browser.post
To screen scrape from the other organization, you need an HTTP Request Callout:

```apex
// 'cookies' is assumed to be the same static String member used by get().
public static HttpResponse post(String endPoint, String body) {
    Http h = new Http();
    HttpRequest req = new HttpRequest();
    req.setHeader('Cookie', cookies);
    req.setTimeout(60000); // milliseconds
    req.setEndpoint(endPoint);
    req.setMethod('POST');
    req.setBody(body);
    return h.send(req);
}
```
![Page 27: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/27.jpg)
Screen scraping basics: confirmation token
Sometimes you may need to extract the confirmation token from the GET response body and prepend it to your parameter list:

```apex
// Load the form, read the hidden _CONFIRMATIONTOKEN input, then post it back with the data.
HttpResponse r = get(uri);
String token = r.getBody().substringBetween(
    '<input type="hidden" name="_CONFIRMATIONTOKEN" id="_CONFIRMATIONTOKEN" value="',
    '" />');
post(uri, '_CONFIRMATIONTOKEN=' + token + '&' + data);
```
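
A stricter version of the token step, as an added example rather than code from the slides: `substringBetween` returns null when the markup differs from the exact string searched for (for instance when an expired session returns the login page), so this variant checks the response and throws instead of posting without a valid token. The class and method names are assumptions, and the form fields are taken as a map rather than the pre-built `data` string.

```apex
// Added example (not from the slides); class and method names are hypothetical.
public class ConfirmationTokenForm {
    public class TokenException extends Exception {}

    // The hidden input, whatever the order or spacing of its attributes.
    private static final Pattern INPUT_TAG = Pattern.compile(
        '(?i)<input\\b[^>]*\\bname\\s*=\\s*"_CONFIRMATIONTOKEN"[^>]*>');
    private static final Pattern VALUE_ATTR = Pattern.compile(
        '(?i)\\bvalue\\s*=\\s*"([^"]*)"');

    // Returns the token from a GET response, or throws instead of returning null.
    public static String extractToken(HttpResponse res) {
        if (res.getStatusCode() != 200) {
            throw new TokenException('Unexpected status ' + res.getStatusCode());
        }
        String html = res.getBody();
        Matcher tagMatcher = INPUT_TAG.matcher(html == null ? '' : html);
        if (!tagMatcher.find()) {
            throw new TokenException('No _CONFIRMATIONTOKEN input in the response');
        }
        Matcher valueMatcher = VALUE_ATTR.matcher(tagMatcher.group());
        if (!valueMatcher.find() || String.isBlank(valueMatcher.group(1))) {
            throw new TokenException('_CONFIRMATIONTOKEN input has no value');
        }
        return valueMatcher.group(1).unescapeHtml4();
    }

    // Builds the POST body with the token first, URL-encoding every name and value.
    public static String buildBody(String token, Map<String, String> fields) {
        List<String> pairs = new List<String>{ pair('_CONFIRMATIONTOKEN', token) };
        for (String name : fields.keySet()) {
            pairs.add(pair(name, fields.get(name)));
        }
        return String.join(pairs, '&');
    }

    private static String pair(String name, String value) {
        return EncodingUtil.urlEncode(name, 'UTF-8') + '='
            + EncodingUtil.urlEncode(value == null ? '' : value, 'UTF-8');
    }
}
```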
![Page 28: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/28.jpg)
How to catch Limit Exceptions?
Everyone knows that it is impossible to catch Limit Exceptions. However, if you use ToolingAPI.ExecuteAnonymous or REST API Execute Anonymous or any similar techniques described in article about custom “Eval” implementation in Salesforce http://www.corevalue.net/is-eval-evil-or-not/, you can process Limit Exception falling in Anonymous Execution Context started from your main
![Page 29: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/29.jpg)
References
1. https://developer.salesforce.com/blogs/developer-relations/2011/10/please-dont-screen-scrape-visualforce.html
2. http://salesforce.stackexchange.com/questions/4692/screen-scrape-salesforce-with-rest-get-call-from-apex
3. http://stackoverflow.com/questions/7841998/treat-salesforce-visualforce-page-as-an-external-widget
4. https://developer.salesforce.com/blogs/engineering/2015/02/gack.html
5. http://www.salesforceben.com/salesforce-url-hacking-tutorial/
6. http://www.corevalue.net/is-eval-evil-or-not/
![Page 30: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/30.jpg)
Q & A? Questions?
![Page 31: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/31.jpg)
![Page 32: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/32.jpg)
![Page 33: Sdfc forbidden and advanced techniques](https://reader035.vdocuments.us/reader035/viewer/2022062412/587982bf1a28ab6c358b5d2f/html5/thumbnails/33.jpg)
AND FINALLY: MAY BE THE FORCE.COM WITH YOU...