Security Test: Azure Tenant ID Exposure¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
When sensitive information about an organization's Azure environment is accidentally left in the code or configuration files, it can give a clear signal to attackers about the internal structure of that cloud setup. This happens when the tenant ID, which is meant to be private, is exposed through error messages, logs, or publicly accessible resources. The problem is that knowing the tenant ID can help attackers tailor their approach for further intrusion or social engineering, increasing the risk of compromised credentials or unauthorized access. Developers frequently fall into mistakes like hardcoding these values or not properly sanitizing logs, so it's important to treat these identifiers like any other sensitive information.
Configuration¶
Identifier:
information_disclosure/azure_tenant_id_exposure
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API8:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.1 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.12.6 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 200 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSS Score | 2.0 |