Security Test: Azure Tenant ID Exposure

Description

Default Severity:

When sensitive details about an organization's Azure environment are left in code or configuration files, they give attackers a clear picture of the internal structure of that cloud setup. The exposure happens when the tenant ID, which is meant to stay private, appears in error messages, logs, or publicly accessible resources. Knowing the tenant ID lets an attacker tailor further intrusion attempts or social engineering, which increases the risk of compromised credentials or unauthorized access. Developers commonly hardcode these values or fail to sanitize logs, so tenant IDs should be treated like any other sensitive information.
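The two places the description names, error messages and logs, are where this identifier most often leaks, so the practical defender's tool is a scanner that finds Azure tenant IDs in context and a sanitizer that strips them before text is logged or returned to a client. The example below is added here and is not code from the page or from the scanner it documents. It assumes that a tenant ID is a GUID appearing in a recognisable Azure context (a login.microsoftonline.com or sts.windows.net authority URL, or a tenant_id/tid/tenant key); the sample log lines and the GUIDs in them are constructed for the example.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# An Azure (Entra ID) tenant ID is an RFC 4122-style GUID.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Contexts in which a GUID is very likely a tenant ID rather than, say, a
# request or correlation ID. These patterns are an assumption based on the
# common shapes of Azure authority URLs and token/error payloads.
TENANT_CONTEXTS = [
    re.compile(r"login\.microsoftonline\.com/(" + GUID + r")", re.I),
    re.compile(r"sts\.windows\.net/(" + GUID + r")", re.I),
    re.compile(r"\"?\b(?:tenant_?id|tid|tenant)\b\"?\s*[:=]\s*\"?(" + GUID + r")", re.I),
]

REDACTED = "<REDACTED-TENANT-ID>"


class Finding(NamedTuple):
    line_no: int
    tenant_id: str
    context: str


def find_tenant_ids(text: str) -> list[Finding]:
    """Return one Finding per tenant-ID occurrence, with its line and context."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pat in TENANT_CONTEXTS:
            for m in pat.finditer(line):
                findings.append(Finding(n, m.group(1).lower(), line.strip()))
    return findings


def redact_tenant_ids(text: str) -> str:
    """Replace only the tenant-ID GUIDs, leaving unrelated GUIDs untouched."""
    out = text
    for pat in TENANT_CONTEXTS:
        out = pat.sub(lambda m: m.group(0).replace(m.group(1), REDACTED), out)
    return out


# Constructed sample: one unrelated request ID, a tenant-specific authority URL in
# an error line, the same tenant ID in a JSON error body, and a tenant-neutral
# authority URL that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z INFO request id=3f2504e0-4f89-11d3-9a0c-0305e82c3301 path=/api/v1/users
2024-05-01T12:00:01Z ERROR token request failed authority=https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/v2.0/token
{"error": "invalid_grant", "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
2024-05-01T12:00:02Z INFO authority=https://login.microsoftonline.com/organizations
"""


if __name__ == "__main__":
    for f in find_tenant_ids(SAMPLE_LOG):
        print(f"line {f.line_no}: tenant {f.tenant_id} in: {f.context}")
    print(redact_tenant_ids(SAMPLE_LOG))
```

Running the block on the constructed sample reports the two tenant-ID occurrences (lines 2 and 3) and leaves the request ID on line 1 and the tenant-neutral `/organizations` authority alone; applying `redact_tenant_ids` to log output or error bodies before they leave the service is the sanitization step the description asks for.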

Configuration

Identifier: information_disclosure/azure_tenant_id_exposure

Examples

All configuration available:

checks:
  information_disclosure/azure_tenant_id_exposure:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API8:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             6.1
GDPR                Article-32
SOC2                CC6
PSD2                Article-95
ISO 27001           A.12.6
NIST                SP800-53
FedRAMP             AC-6
CWE                 200
CVSS Vector         AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score          2.0