Information Disclosure: Azure Tenant Id Exposure

Identifier: azure_tenant_id_exposure

Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- WebApp Scanner

Description

When sensitive information about an organization's Azure environment is accidentally left in code or configuration files, it gives attackers a clear signal about the internal structure of that cloud setup. This happens when the tenant ID, which is meant to be private, is exposed through error messages, logs, or publicly accessible resources. Knowing the tenant ID lets attackers tailor further intrusion or social-engineering attempts, increasing the risk of compromised credentials or unauthorized access. Developers commonly hardcode these values or fail to sanitize logs, so treat these identifiers like any other sensitive information.
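A minimal detector in the spirit of this check, written for this page as an added example rather than the scanner's own implementation. The Azure-specific context patterns, the sample response and log lines, and the GUIDs in them are all assumptions constructed for the example; note that a bare GUID with no Azure context is deliberately not reported.

```python
import re

# A tenant ID is a GUID. A bare GUID is far too common to flag on its own, so this
# example only reports GUIDs that appear in an Entra ID / Azure-specific context.
# The context patterns are assumptions for this example, not the scanner's own rules.
GUID = r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"

CONTEXTS = {
    # Authority / issuer URLs carry the tenant as the first path segment.
    "authority_url": re.compile(
        r"https?://(?:login\.microsoftonline\.com|sts\.windows\.net|login\.windows\.net)/"
        + GUID, re.I),
    # Config keys and JSON fields, e.g. AZURE_TENANT_ID=<guid> or "tenantId": "<guid>".
    "config_key": re.compile(r"tenant[_-]?id\W{0,4}" + GUID, re.I),
    # The "tid" claim of a decoded token that was written to a log.
    "token_tid_claim": re.compile(r'"tid"\s*:\s*"' + GUID + '"', re.I),
}


def find_tenant_id_exposures(text):
    """Return sorted, de-duplicated (context, tenant_id) pairs found in text."""
    found = set()
    for label, pattern in CONTEXTS.items():
        for match in pattern.finditer(text):
            found.add((label, match.group(1).lower()))
    return sorted(found)


# Constructed sample: an error body and a few log lines as a leaky app might emit them.
# Every GUID below is made up for this example.
SAMPLE = """\
HTTP/1.1 500 Internal Server Error
{"error":"invalid_request","trace":"authority https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token"}
2024-01-01T00:00:00Z DEBUG env AZURE_TENANT_ID=11111111-2222-3333-4444-555555555555
2024-01-01T00:00:01Z DEBUG claims {"aud":"api://app","tid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
2024-01-01T00:00:02Z INFO request-id 99999999-8888-7777-6666-555555555555
"""

if __name__ == "__main__":
    # The request-id GUID on the last line has no Azure context and is not reported.
    for context, tenant in find_tenant_id_exposures(SAMPLE):
        print(f"{context}: {tenant}")
```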

Configuration

Example

Example configuration:

---
security_tests:
  azure_tenant_id_exposure:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.