Web App Multi-Tenancy Vulnerability

What is Multi-tenancy?

Multi-tenancy is commonly used in Software as a Service (SaaS) applications, where a provider hosts a single instance of the application and serves multiple customers over the internet. It offers benefits such as scalability, cost-effectiveness, and simplified maintenance, making it an attractive option for businesses looking to deliver cloud-based services to a broad audience.


What is this page about?

This page talks about a vulnerability assessment test called the multi-tenancy check. This attack is a bit less known and also confusing. Hence this page tries to make it simple to understand and bring clarity into why this test is so important.


What is a tenant in the context of SaaS Application?

Tenant is the name given to an organization that signs up for, or makes use of, a SaaS application.


What is multi-tenancy in the context of SaaS app?

When multiple organizations sign up to a SaaS application, using the same or different URLs, that is called multi-tenancy.


Why it is important to test for this vulnerability?

In a multi-tenancy check performed by Valency Networks, our test checks whether the data is properly isolated and kept private between each tenant/organization. Let’s take an example of a SaaS application such as Microsoft 365. It is being used by multiple individual users as well as by organizations as a whole. In such a case, ensuring that one organization's data is not being viewed/modified by another organization is of great importance.


How do we test it?

You may find multi-tenancy quite similar to privilege escalation, which is partially right.

The minor difference between privilege escalation and multi-tenancy check is that –

Privilege escalation happens between 2 different user roles, such as admin and non-admin/user, using an application within the same organization.

Whereas,

Multi-tenancy Escalation happens between users of 2 different tenants/organizations using the same SaaS application.

It is important to remember in this case that, based on the application functionality, the URL being accessed by 2 separate tenants can be the same or different. It does not matter. What matters is whether or not the users from different organizations can see/access each other’s data, which is a critical vulnerability.

A few of our multi-tenancy test cases include -

  • Can tenant1 login with tenant2 URL
  • Can tenant1 access data of tenant2
  • Can tenant1 become tenant2 by changing the tenantId
  • Multiple such test cases are run by us for SaaS applications as part of multi-tenancy checks
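The third test case above (tenant1 becoming tenant2 by changing the tenantId) comes down to where the server takes the tenant scope from. The following is an added illustration, not code from Valency Networks or from any product: a weak lookup that trusts a client-supplied tenantId beside a hardened one that scopes every query by the tenant recorded in the authenticated session. The data store, session class and deal records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: every record carries the tenant that owns it.
DEALS = {
    "deal-1": {"tenant_id": "tenant1", "title": "Acme renewal"},
    "deal-2": {"tenant_id": "tenant2", "title": "Globex upsell"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session created at login. tenant_id comes from the
    signup/identity record, never from request parameters."""
    user_id: str
    tenant_id: str


class TenantMismatch(PermissionError):
    """Raised when a request names a tenant other than the session's own."""


def get_deal_vulnerable(session: Session, deal_id: str, requested_tenant_id: str) -> dict:
    """Weak pattern: the tenant scope is whatever tenantId the client sent.
    A tenant1 user who edits tenantId to 'tenant2' is handed tenant2's deal,
    because the session's tenant is never consulted."""
    deal = DEALS[deal_id]
    if deal["tenant_id"] != requested_tenant_id:
        raise TenantMismatch("deal belongs to another tenant")
    return deal


def get_deal_hardened(session: Session, deal_id: str,
                      requested_tenant_id: Optional[str] = None) -> dict:
    """Hardened pattern: the tenant scope is the authenticated session's tenant.
    A client-supplied tenantId is only cross-checked (a mismatch is worth
    alerting on), and the record lookup is always filtered by session tenant."""
    if requested_tenant_id is not None and requested_tenant_id != session.tenant_id:
        raise TenantMismatch("client tenantId does not match session tenant")
    deal = DEALS.get(deal_id)
    # Answer 'not found' for other tenants' records so the existence of a
    # record in another tenant is not confirmed to the caller.
    if deal is None or deal["tenant_id"] != session.tenant_id:
        raise LookupError("deal not found in this tenant")
    return deal
```

In a real application the same rule applies to the database query itself: a WHERE clause on the session's tenant, not on a parameter the client controls.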

Why is this a critical vulnerability?

Think of it this way. As an example, suppose your organization is using a cloud-based SaaS CRM tool such as HubSpot, and it’s being used by your competitor too. If the tool is vulnerable to a multi-tenancy attack, so that your competitor can see your sales status, deals and other material, wouldn’t that be a critical problem? (Note: We used HubSpot just as an example to make the point, and in no way are we saying that it is vulnerable.)


What is the solution to resolve this vulnerability?

The first step is to test your application to see if it is vulnerable. Depending on your business logic, cloud setup, URL setup and multi-tenancy setup, we can provide you consultancy to help you resolve this vulnerability.


What do we need from you for testing?

If you need multi-tenancy checked for your application, we will need you to share the details below -

  • Application URL (UAT/Testing)
  • Tenant1 URL (Applicable if domains change for each tenant)
  • Tenant1 user roles and their login credentials (username & password)
  • Tenant2 URL (Applicable if domains change for each tenant)
  • Tenant2 user roles and their login credentials (username & password)


Jemima Abraham

Senior Cyber Security Analyst

Location: Pune, India

Jemima is an accomplished pentester in the interesting world of cyber security. Her primary focus is on vulnerability assessment and penetration testing for IT infrastructure networks, web applications, and cloud applications. She has mastered the art of finding critical security loopholes in web applications and is capable of providing technical solutions to the application stakeholders. While she is always on the path of dedication to the field, she enjoys art, musical instruments and reading books.