Multi-tenancy is commonly used in Software as a Service (SaaS) applications, where a provider hosts a single instance of the application and serves multiple customers over the internet. It offers benefits such as scalability, cost-effectiveness, and simplified maintenance, making it an attractive option for businesses looking to deliver cloud-based services to a broad audience.
This page describes a vulnerability assessment test called the multi-tenancy check. This class of attack is less well known and often confusing, so this page aims to explain it simply and to make clear why the test matters.
A tenant is an organization that signs up for and uses a SaaS application.
When multiple organizations sign up to the same SaaS application, whether through the same URL or different ones, that is multi-tenancy.
In a multi-tenancy check performed by Valency Networks, our test verifies that data is properly isolated and kept private between each tenant/organization. Take a SaaS application such as Microsoft365 as an example. It is used by individual users as well as by whole organizations. In such a case, ensuring that one organization's data cannot be viewed or modified by another organization is of great importance.
You may find a multi-tenancy check quite similar to privilege escalation, which is partially right.
The key difference between privilege escalation and a multi-tenancy check is this:
Privilege escalation happens between two different user roles, such as admin and non-admin/user, within the same organization using an application.
Whereas,
Multi-tenancy escalation happens between users of two different tenants/organizations using the same SaaS application.
It is important to remember that, depending on the application's functionality, the URL accessed by two separate tenants may be the same or different. That does not matter. What matters is whether users from different organizations can see or access each other's data; if they can, that is a critical vulnerability.
Think of it this way. Suppose your organization uses a cloud-based SaaS CRM tool such as HubSpot, and your competitor uses it too. If the tool were vulnerable to a multi-tenancy attack that let your competitor see your sales status, deals and other material, wouldn't that be a critical problem? (Note: we use HubSpot only as an example to make the point; we are in no way saying that it is vulnerable.)
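The following is an added example, not code from the original page or from Valency Networks: a minimal in-memory model of a multi-tenant CRM record lookup. It places the vulnerable pattern (fetch by record id alone) beside the hardened one (fetch scoped to the caller's tenant) and includes a small check that exercises both the way a multi-tenancy test would. The tenant names, deal ids and `Forbidden` exception are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deal:
    deal_id: int
    tenant_id: str
    title: str

# Constructed sample data: two tenants sharing one application instance.
DEALS = {
    101: Deal(101, "acme", "Acme Q3 renewal"),
    102: Deal(102, "globex", "Globex expansion"),
}

class Forbidden(Exception):
    """Raised when a caller asks for a record that is not in their tenant."""

def get_deal_insecure(deal_id: int, caller_tenant: str) -> Deal:
    # Vulnerable pattern: the record is fetched by id alone, so any
    # authenticated user of any tenant can read any deal by id.
    return DEALS[deal_id]

def get_deal_secure(deal_id: int, caller_tenant: str) -> Deal:
    # Hardened pattern: every lookup is scoped to the caller's tenant, which
    # must come from the authenticated session, never from a request parameter.
    deal = DEALS.get(deal_id)
    if deal is None or deal.tenant_id != caller_tenant:
        # One response for "missing" and "belongs to another tenant", so the
        # check does not confirm that a foreign id exists.
        raise Forbidden(f"deal {deal_id} is not accessible to tenant {caller_tenant}")
    return deal

def multitenancy_check(lookup, own_id: int, foreign_id: int, tenant: str) -> bool:
    """True if `lookup` isolates tenants: own record readable, foreign one refused."""
    if lookup(own_id, tenant).tenant_id != tenant:
        return False
    try:
        lookup(foreign_id, tenant)
    except Forbidden:
        return True
    return False  # another tenant's record was returned: cross-tenant leak

if __name__ == "__main__":
    # Tenant "acme" reads its own deal 101, then requests "globex" deal 102.
    print("insecure isolates tenants:", multitenancy_check(get_deal_insecure, 101, 102, "acme"))
    print("secure isolates tenants:", multitenancy_check(get_deal_secure, 101, 102, "acme"))
```

In a real application the same scoping belongs in every query path (list, search, export, API), since a single unscoped lookup is enough to expose another tenant's data.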
The first step is to test your application to see whether it is vulnerable. Depending on your business logic, cloud setup, URL setup and multi-tenancy setup, we can provide consultancy to help you resolve this vulnerability.
If you need a multi-tenancy check for your application, we will need you to share the following details: