Security Test: Tenant isolation¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
When a system isn't properly isolating tenant data, it can mistakenly flag the same object as belonging to more than one user, breaching strict separation rules. This type of vulnerability is dangerous because it can lead to unauthorized data access where one tenant might see or even change another tenant's data. It often happens due to misconfigured rules or flawed logic in how object instances are tracked and associated with users, making it easier to unintentionally combine or share sensitive information across tenants. Developers should keep a close eye on how their application defines and enforces tenant boundaries to avoid these kinds of security pitfalls.
Reference:
Configuration¶
Identifier:
access_control/tenant_isolation
Examples¶
All configuration available:
checks:
access_control/tenant_isolation:
skip: false # default
parameters:
objects: # cf. Parameters below
paths: # cf. Parameters below
scalars: # cf. Parameters below
GraphQL: Accessiblity of objects private instances for differents users
{
... Authentication settings ...
... Other configuration settings ...
"checks": {
... Other checks ...
"access_control/tenant_isolation": {
"parameters": {
"objects": [
"MyVeryPrivateData", # Record access to object `MyVeryPrivateData`
# if two different users access the same object
# (i.e. two different users access the same self bound private data)
# the an alert will be raised.
],
"scalars": {
"Post": [
"createdBy", # Record access to field `createdBy` of object `Post`
# if two different users can access the same scalar value
# an alert will be raised.
]
}
}
}
... Other checks ...
}
... Other configuration settings ...
}
REST: Enforce tenant isolation on path /users/{id} and /me
{
... Authentication settings ...
... Other configuration settings ...
"checks": {
... Other checks ...
"access_control/tenant_isolation": {
"parameters": {
"paths": [
"/users/{id}",
"/me"
]
}
}
... Other checks ...
}
... Other configuration settings ...
}
Parameters¶
Parameters can be set in the parameters key of the Security Test Configuration.
| Property | Type | Default | Description |
|---|---|---|---|
objects | List[string] | A list of private objectNames. A single instance of this object should not be access by 2 different users. Each object instance is identified by its ID. | |
paths | List[string] | List of the paths of the routes to control, compliant with the OpenAPI route format. See swagger.io | |
scalars | ObjectRefParameters1 |
ObjectRefParameters1¶
| Property | Type | Default | Description |
|---|---|---|---|
additionalProperties | List[string] | Additional properties are allowed |
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API5:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 7.1.2 |
| GDPR | Article-25 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.18.1 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 264 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
| CVSS Score | 7.2 |