Security Test: Azure Tenant ID Exposure¶

Description¶

Default Severity:

When sensitive information about an organization's Azure environment is accidentally left in the code or configuration files, it can give a clear signal to attackers about the internal structure of that cloud setup. This happens when the tenant ID, which is meant to be private, is exposed through error messages, logs, or publicly accessible resources. The problem is that knowing the tenant ID can help attackers tailor their approach for further intrusion or social engineering, increasing the risk of compromised credentials or unauthorized access. Developers frequently fall into mistakes like hardcoding these values or not properly sanitizing logs, so it's important to treat these identifiers like any other sensitive information.

Configuration¶

Identifier: information_disclosure/azure_tenant_id_exposure

Examples¶

All configuration available:

checks:
  information_disclosure/azure_tenant_id_exposure:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API8:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.1`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-95`
ISO 27001	`A.12.6`
NIST	`SP800-53`
FedRAMP	`AC-6`
CWE	`200`
CVSS Vector	`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
CVSS Score	`2.0`