Sdfc forbidden and advanced techniques


Transcript of Sdfc forbidden and advanced techniques

Page 1: Sdfc forbidden and advanced techniques

Salesforce Forbidden and Advanced Techniques or Dark forces in the service of the Salesforce Jedi
Screen scraping, Reverse engineering, URL hacking, Salesforce UI Requests Automation

Page 2: Sdfc forbidden and advanced techniques
Page 3: Sdfc forbidden and advanced techniques

Introduction
About myself: Bohdan Dovhan
Salesforce Development Team Lead
Salesforce Certified Force.com Developer
Salesforce Certified Force.com Advanced Developer
7 years of Development experience

Page 4: Sdfc forbidden and advanced techniques

Forbidden or advanced techniques
* Screen scraping: “Please Don’t Screen Scrape Visualforce!” Screen scraping is the most fragile integration you can imagine. If there is a better option, screen scraping should not be used.
* Debugging gacks (internal Salesforce errors): gack id (stack trace id). Sometimes it is possible to fix the issue without Salesforce Support.
* Reverse engineering of a Managed Package to work around MP bugs
* URL hacking: prepopulating field values on the standard interface
* Salesforce UI Requests Automation

Page 5: Sdfc forbidden and advanced techniques

URL hacking: prepopulating field values

To create an arbitrary record, follow the URL: /{SObject prefix}/e?
To populate standard fields: ?{standard field name}={value}
To populate custom non-lookup fields: ?{custom field id}={value}
To populate a custom lookup field: ?CF{custom field id}_lkid={lookupId}&CF{custom field id}={lookup.Name}

Page 6: Sdfc forbidden and advanced techniques

URL hacking: trusted IP Address Range

To add your office or home IP Address to Trusted Network Access Range, follow the link https://login.salesforce.com/05G/e?IpStartAddress=194.44.136.82&IpEndAddress=194.44.136.82&Description=Office

and hit Save

Page 7: Sdfc forbidden and advanced techniques

URL hacking: Remote Site Settings
To add remote site settings: https://login.salesforce.com/0rp/e?EndpointUrl=https://test.salesforce.com&SiteName=test&DescriptionField=testdescription and hit Save
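
An added example, not from the original slides: a small Python inspector that applies the URL-hacking rules above to a prefilled /{prefix}/e? link and lists what it would populate before anyone opens it and hits Save. The 05G and 0rp prefixes come from the slides' links; the 00N test for custom field ids, the function name, and the sample host, prefix and ids are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Key prefixes taken from the two setup links shown on the slides.
SETUP_PAGES = {"05G": "Trusted IP address range", "0rp": "Remote Site Settings"}

def inspect_prefill_url(url):
    """List what a /{prefix}/e? link would prepopulate, without opening it."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[1] != "e":
        raise ValueError("not a /{prefix}/e? new-record link")
    params = parse_qsl(parts.query, keep_blank_values=True)
    keys = {k for k, _ in params}
    fields = []
    for key, value in params:
        if key.startswith("CF") and key.endswith("_lkid"):
            kind = "custom lookup id"
        elif key.startswith("CF"):
            # A lookup is filled by the pair CF{id} (name) and CF{id}_lkid (record id).
            kind = "custom lookup name"
            if key + "_lkid" not in keys:
                kind += " (no _lkid pair)"
        elif key.startswith("00N"):
            # Assumption: custom field ids start with 00N, like the ids on the slides.
            kind = "custom field"
        else:
            kind = "standard field"
        fields.append((kind, key, value))
    return {"host": parts.netloc, "prefix": segments[0],
            "page": SETUP_PAGES.get(segments[0], "record edit page"),
            "fields": fields}

# Constructed sample links: documentation IP address, made-up host, prefix and ids.
SAMPLE_IP = ("https://login.salesforce.com/05G/e"
             "?IpStartAddress=192.0.2.10&IpEndAddress=192.0.2.10&Description=Office")
SAMPLE_RECORD = ("https://example.my.salesforce.com/a0B/e"
                 "?Name=Demo%20Co&00N000000000001=42"
                 "&CF00N000000000002_lkid=001000000000001&CF00N000000000002=Acme")

if __name__ == "__main__":
    for link in (SAMPLE_IP, SAMPLE_RECORD):
        report = inspect_prefill_url(link)
        print(report["host"], "->", report["page"])
        for kind, key, value in report["fields"]:
            print(f"  {kind:22} {key} = {value}")
```
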

Page 8: Sdfc forbidden and advanced techniques

URL hacking: easy FLS copy
1. Inspect the request that is sent on FLS save for the source field (the one you want to copy FLS settings from)
2. Replace the field Id with the desired field id
3. Open that URL in the browser
4. => PROFIT!
https://test.salesforce.com/_ui/common/config/field/StandardFieldAttributes/e?id=00N56000000QtLp&type=01IE0000000flp2&retURL=%2F00N56000000QtLp%3Fsetupid%3DCustomObjects&setupid=CustomObjects&_CONFIRMATIONTOKEN=VmpFPSxNakF4Tmkwd05pMHdOVlF3T0RvME16bzFOaTR4T0RoYSwxUEZObk9lX3Itc1JuTnVOaUdpS24xLFptRXpaRFpo&cancelURL=%2F00NE00000045qVx%3Fsetupid%3DCustomObjects&id=00NE00000045qVx&retURL=%2F00NE00000045qVx%3Fsetupid%3DCustomObjects&save_new_url=%2F_ui%2Fcommon%2Fconfig%2Ffield%2FStandardFieldAttributes%2Fe%3FretURL%3D%252F00NE00000045qVx%253Fsetupid%253DCustomObjects%26type%3D01IE0000000flp2%26setupid%3DCustomObjects&setupid=CustomObjects&type=01IE0000000flp2&save=+Save+&d00eE0000000IR4ZIAW=1&d00eE0000000z6D2IAI=1&r00eE0000000z6D2IAI=1&d00eE0000000z6D8IAI=1&d00eE0000000iXojIAE=1&d00eE0000000j0tSIAQ=1&d00eE0000000j0erIAA=1&r00eE0000000j0erIAA=1&d00eE0000000z6CfIAI=1&r00eE0000000z6CfIAI=1&d00eE0000000z6CrIAI=1&r00eE0000000z6CrIAI=1&d00eE0000000z6CmIAI=1&r00eE0000000z6CmIAI=1&d00eE0000000z6CyIAI=1&r00eE0000000z6CyIAI=1&d00eE0000000z6D1IAI=1&r00eE0000000z6D1IAI=1&d00eE0000000idXhIAI=1&r00eE0000000idXhIAI=1&d00eE0000000z6D3IAI=1&r00eE0000000z6D3IAI=1&d00eE0000000IQwlIAG=1&d00eE0000000IQwkIAG=1&d00eE0000000j4iyIAA=1&d00eE0000000G1Z5IAK=1&r00eE0000000G1Z5IAK=1&d00eE0000000z6DUIAY=1&r00eE0000000z6DUIAY=1&d00eE0000000z6CuIAI=1&r00eE0000000z6CuIAI=1&d00eE0000000IR4UIAW=1&r00eE0000000IR4UIAW=1&d00eE0000000IQvXIAW=1&d00eE0000000idR5IAI=1&d00eE0000000z6CxIAI=1&d00eE0000000j4W9IAI=1&r00eE0000000j4W9IAI=1&d00eE0000000j62qIAA=1&r00eE0000000j62qIAA=1&d00eE0000000z6ClIAI=1&r00eE0000000z6ClIAI=1&d00eE0000000z6DHIAY=1&r00eE0000000z6DHIAY=1&d00eE0000000z6DDIAY=1&r00eE0000000z6DDIAY=1&d00eE0000000z6D7IAI=1&r00eE0000000z6D7IAI=1&d00eE0000000j6TSIAY=1&d00eE0000000z6DOIAY=1&r00eE0000000z6DOIAY=1&d00eE0000000iYlBIAU=1&d00eE0000000z6CqIAI=1&r00eE0000000z6CqIAI=1&d00eE0000000z6CjIAI=1&r00eE0000000z6CjIAI=1&d00eE0000000ifooIAA=1&r00eE0000000ifooIAA=1&d00eE0000000ifotIAA=1&r00eE0000000ifotIAA=1&d00eE0000000j4YoIAI=1&d00eE0000000z6DTIAY=1&r00eE0000000z6DTIAY=1&d00eE0000000z6DMIAY=1&r00eE0000000z6DMIAY=1&d00eE0000000z6ChIAI=1&d00eE0000000j6YwIAI=1

Page 9: Sdfc forbidden and advanced techniques

Screen Scraping Use Case: Get TotalLicenses
1. There is no “good” way to obtain “TotalLicenses” on Salesforce User License
2. There is a pilot feature which is not available for APEX queries even when enabled, and the client needs to ask Salesforce to turn that feature on and write complex logic to retrieve that field value
3. Instead, we can just screen scrape the User Licenses page and transform it into custom object records. I implemented this in a ULETAS Gamma managed package
4. Custom object records can be used for easy further integration; they are accessible through APEX queries

Page 10: Sdfc forbidden and advanced techniques
Page 11: Sdfc forbidden and advanced techniques
Page 12: Sdfc forbidden and advanced techniques
Page 13: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation
Never say never. Nothing is impossible for those who believe.
Even if some piece of functionality is not exposed through Standard Objects, Apex Queries, REST API, SOAP API, Metadata API, Tooling API, Bulk API, it doesn’t mean that it is not possible to write an integration on it.
Using a combination of Screen Scraping, URL hacking, Requests Reverse Engineering it is possible to integrate ANY functionality which is exposed through the Salesforce UI.
Such an integration won’t be reliable and will be the most fragile integration you can ever imagine; however, it exists at least if you can’t achieve that by any other means.

Page 14: Sdfc forbidden and advanced techniques
Page 15: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation: Smart S2S
If you are tired of performing some tasks manually, you can implement Salesforce UI Requests Automation using a combination of Screen Scraping, URL hacking, Requests Reverse Engineering.
Use case: reconnect S2S connection of sandboxes after monthly refresh.
1. Particular implementation for the current client (hardcoding templates there)
2. General implementation for arbitrary pair of source and destination connections
General integration I am going to present as Smart S2S managed package (not ready yet)

Page 16: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation: Smart S2S

Page 17: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation: Smart S2S

Page 18: Sdfc forbidden and advanced techniques
Page 19: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation: Smart S2S

Page 20: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation: Smart S2S

Page 21: Sdfc forbidden and advanced techniques
Page 22: Sdfc forbidden and advanced techniques
Page 23: Sdfc forbidden and advanced techniques

Salesforce UI Requests Automation: Smart S2S

Page 24: Sdfc forbidden and advanced techniques

Screen scraping basics: Local Browser

To screen scrape from the current organization, you can use the way suggested by Bob Buzzard which I call “Local Browser”:

    public class LocalBrowser {
        // Fetches the page at endPoint within the current organization and returns its content
        public static Blob browse(String endPoint) {
            return new PageReference(endPoint).getContent();
        }
    }

This approach is used only for GET requests. Used in the get total licenses package.

Page 25: Sdfc forbidden and advanced techniques

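Screen scraping basics: Browser.get

To screen scrape from the other organization, you need an HTTP Request Callout:

    public static HttpResponse get(String endPoint) {
        Http h = new Http();
        HttpRequest req = new HttpRequest();
        // cookies is not defined on the slide; it is assumed to be a static String
        // of the enclosing class holding the session cookie for the other organization
        req.setHeader('Cookie', cookies);
        req.setTimeout(60000); // milliseconds
        req.setEndpoint(endPoint);
        req.setMethod('GET');
        return h.send(req);
    }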

Page 26: Sdfc forbidden and advanced techniques

Screen scraping basics: Browser.post

To screen scrape from the other organization, you need an HTTP Request Callout:

    public static HttpResponse post(String endPoint, String body) {
        Http h = new Http();
        HttpRequest req = new HttpRequest();
        // cookies: assumed static String of the enclosing class, as in get()
        req.setHeader('Cookie', cookies);
        req.setTimeout(60000); // milliseconds
        req.setEndpoint(endPoint);
        req.setMethod('POST');
        req.setBody(body); // URL-encoded form parameters
        return h.send(req);
    }

Page 27: Sdfc forbidden and advanced techniques

Screen scraping basics: confirmation token

Sometimes you may need to extract the confirmation token from the GET response body and prepend it to your parameters list:

    HttpResponse r = get(uri);
    // The hidden input on the page carries the token that the POST has to send back
    String token = r.getBody().substringBetween('<input type="hidden" name="_CONFIRMATIONTOKEN" id="_CONFIRMATIONTOKEN" value="', '" />');
    post(uri, '_CONFIRMATIONTOKEN=' + token + '&' + data);

Page 28: Sdfc forbidden and advanced techniques

How to catch Limit Exceptions?

Everyone knows that it is impossible to catch Limit Exceptions.
However, if you use ToolingAPI.ExecuteAnonymous or REST API Execute Anonymous or any similar techniques described in article about custom “Eval” implementation in Salesforce http://www.corevalue.net/is-eval-evil-or-not/, you can process Limit Exception falling in Anonymous Execution Context started from your main

Page 29: Sdfc forbidden and advanced techniques

References
1. https://developer.salesforce.com/blogs/developer-relations/2011/10/please-dont-screen-scrape-visualforce.html
2. http://salesforce.stackexchange.com/questions/4692/screen-scrape-salesforce-with-rest-get-call-from-apex
3. http://stackoverflow.com/questions/7841998/treat-salesforce-visualforce-page-as-an-external-widget
4. https://developer.salesforce.com/blogs/engineering/2015/02/gack.html
5. http://www.salesforceben.com/salesforce-url-hacking-tutorial/
6. http://www.corevalue.net/is-eval-evil-or-not/

Page 30: Sdfc forbidden and advanced techniques

Q & A? Questions?

Page 31: Sdfc forbidden and advanced techniques
Page 32: Sdfc forbidden and advanced techniques
Page 33: Sdfc forbidden and advanced techniques

AND FINALLY: MAY BE THE FORCE.COM WITH YOU...