Security Test: Tenant isolation

Description

Default Severity:

When a system does not properly isolate tenant data, the same object instance can end up reachable by more than one user, breaking the strict separation tenants expect. This is dangerous because it leads directly to unauthorized data access: one tenant may read, or even modify, another tenant's data. It usually stems from misconfigured authorization rules or flawed logic in how object instances are tracked and associated with users, which makes it easy to unintentionally share sensitive information across tenants. Developers should pay close attention to how their application defines and enforces tenant boundaries to avoid this class of issue.

Reference:

Configuration

Identifier: access_control/tenant_isolation

Examples

All available configuration:

checks:
  access_control/tenant_isolation:
    skip: false # default
    parameters:
      objects: # cf. Parameters below
      paths: # cf. Parameters below
      scalars: # cf. Parameters below

GraphQL: Accessibility of objects' private instances by different users

{
  ... Authentication settings ...
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "access_control/tenant_isolation": {
      "parameters": {
        "objects": [
          "MyVeryPrivateData",            # Record access to object `MyVeryPrivateData`;
                                          #  if two different users access the same instance
                                          #  (i.e. two different users access the same self-bound private data)
                                          #  an alert will be raised.
        ],
        "scalars": {
          "Post": [
            "createdBy",                  # Record access to field `createdBy` of object `Post`
                                          #  if two different users can access the same scalar value
                                          #  an alert will be raised.
          ]
        }
      }
    }

    ... Other checks ...
  }

  ... Other configuration settings ...
}

REST: Enforce tenant isolation on paths /users/{id} and /me

{
  ... Authentication settings ...
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "access_control/tenant_isolation": {
      "parameters": {
        "paths": [
          "/users/{id}",
          "/me"
        ]
      }
    }

    ... Other checks ...
  }

  ... Other configuration settings ...
}

Parameters

Parameters can be set in the parameters key of the Security Test Configuration.

Property Type Default Description
objects List[string] A list of private object names. A single instance of such an object should not be accessible by two different users. Each object instance is identified by its ID.
paths List[string] List of the paths of the routes to control, compliant with the OpenAPI route format. See swagger.io
scalars ObjectRefParameters1 A mapping from an object name to the list of its scalar fields to control; an alert is raised when two different users can access the same value of such a field (see the GraphQL example above).

ObjectRefParameters1

Property Type Default Description
additionalProperties List[string] Additional properties are allowed
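To make the three parameter kinds concrete, here is an added Python example (not the scanner's own code) that applies the same rule over constructed observations: anything configured under `objects`, `scalars` or `paths` that more than one authenticated user was able to reach is reported as a tenant isolation violation. The observation tuples and user names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed: the check's parameters, mirroring the page's two configuration examples.
PARAMETERS = {
    "objects": ["MyVeryPrivateData"],
    "scalars": {"Post": ["createdBy"]},
    "paths": ["/users/{id}", "/me"],
}

# Constructed GraphQL observations: (user, object type, instance id, scalar fields returned).
OBJECTS_SEEN = [
    ("alice", "MyVeryPrivateData", "42", {}),
    ("bob",   "MyVeryPrivateData", "42", {}),   # same private instance reachable by two users
    ("alice", "MyVeryPrivateData", "7",  {}),
    ("alice", "Post", "1", {"createdBy": "alice", "title": "hello"}),
    ("bob",   "Post", "2", {"createdBy": "alice", "title": "shared"}),  # bob reads alice's createdBy value
    ("bob",   "Post", "3", {"createdBy": "bob",   "title": "hello"}),   # title is not a controlled scalar
]

# Constructed REST observations: (user, OpenAPI path template, id of the resource actually returned).
PATHS_SEEN = [
    ("alice", "/users/{id}", "1"),
    ("bob",   "/users/{id}", "1"),   # two users obtain the same user resource
    ("alice", "/me", "1"),
    ("bob",   "/me", "2"),           # /me returns each caller's own record: no violation
]


def find_violations(params, objects_seen, paths_seen):
    """Return sorted (kind, key, users) triples for every controlled item reached by > 1 user."""
    reached = defaultdict(set)
    private_objects = set(params.get("objects", []))
    controlled_scalars = params.get("scalars", {})
    controlled_paths = set(params.get("paths", []))
    for user, type_name, obj_id, fields in objects_seen:
        if type_name in private_objects:                    # whole instance is private
            reached[("object", f"{type_name}#{obj_id}")].add(user)
        for field in controlled_scalars.get(type_name, []):  # individual field values are private
            if field in fields:
                reached[("scalar", f"{type_name}.{field}={fields[field]!r}")].add(user)
    for user, template, resource_id in paths_seen:
        if template in controlled_paths:                     # route is under tenant isolation
            reached[("path", f"{template}->{resource_id}")].add(user)
    return sorted((kind, key, sorted(users)) for (kind, key), users in reached.items() if len(users) > 1)


if __name__ == "__main__":
    for kind, key, users in find_violations(PARAMETERS, OBJECTS_SEEN, PATHS_SEEN):
        print(f"[{kind}] {key} reachable by {', '.join(users)}")
```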

Compliance and Standards

Standard Value
OWASP API Top 10 API5:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 7.1.2
GDPR Article-25
SOC2 CC6
PSD2 Article-95
ISO 27001 A.18.1
NIST SP800-53
FedRAMP AC-4
CWE 264
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
CVSS Score 7.2