Consider a multi-tenant SaaS application that uses domain names to identify which customer to serve. Customers access the application using client001.ourdomain.com, client002.ourdomain.com, etc. The code base is shared among all customers.

Two obvious security concerns for me are:

  1. Predictable URLs allow anyone to easily determine who all of our customers are and the number of customers we have by simply iterating through the valid domain names and scraping the customer name from the homepage. This is an information leak.
  2. Expanding on #1, an attacker could find and exploit a vulnerability for one customer and easily automate that same exploit across multiple tenants.

What other security concerns are there in this approach?

Appleoddity
  • you describe a lack of obscurity, not a lack of security. – dandavis Oct 16 '19 at 16:50
  • I feel like you've pretty much covered it. Using sequential URLs like this is sort of an insecure direct object reference vulnerability. You could use the hash of a random string like so: client4a9947f... for this problem to solve the security problems you've mentioned. That way there's still a structure to the URL that is easy to manage. Good stuff. – leaustinwile Oct 16 '19 at 17:06
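
The random-label idea from the comment above, applied to the enumeration concern in the question, as an added example that is not part of the original thread. The `TenantDirectory` class, the in-memory map and the 16-hex-character label length are assumptions made for illustration; only the `ourdomain.com` base domain and the `client` prefix come from the page.

```python
import hashlib
import re
import secrets

BASE_DOMAIN = "ourdomain.com"   # base domain used in the question
LABEL_HEX_CHARS = 16            # assumption: keep 64 bits of the digest in the label
LABEL_RE = re.compile(r"client[0-9a-f]{%d}" % LABEL_HEX_CHARS)


def new_tenant_label() -> str:
    """Return 'client' + truncated SHA-256 of 32 random bytes (no counter involved)."""
    digest = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
    return "client" + digest[:LABEL_HEX_CHARS]


class TenantDirectory:
    """Hypothetical in-memory map from subdomain label to tenant name."""

    def __init__(self):
        self._by_label = {}

    def register(self, tenant_name: str) -> str:
        label = new_tenant_label()
        while label in self._by_label:      # regenerate on the unlikely collision
            label = new_tenant_label()
        self._by_label[label] = tenant_name
        return f"{label}.{BASE_DOMAIN}"

    def resolve(self, host_header: str):
        """Map a Host header to a tenant; None for unknown or malformed hosts."""
        host = host_header.strip().lower()
        if ":" in host:                     # drop an optional port
            host = host.rsplit(":", 1)[0]
        host = host.rstrip(".")             # drop a trailing root dot
        suffix = "." + BASE_DOMAIN
        if not host.endswith(suffix):
            return None
        label = host[: -len(suffix)]
        if not LABEL_RE.fullmatch(label):   # sequential names such as client001 fail here
            return None
        return self._by_label.get(label)


if __name__ == "__main__":
    directory = TenantDirectory()
    host = directory.register("Example Customer A")   # constructed sample tenant
    print(host, "->", directory.resolve(host))
    print("client001.ourdomain.com ->", directory.resolve("client001.ourdomain.com"))
```

The labels stay unguessable only if they are not published elsewhere, so this assumes a wildcard DNS record and a wildcard certificate; per-tenant certificates would list each hostname in Certificate Transparency logs. Serving the same response for every host that `resolve` rejects keeps valid and invalid names indistinguishable to a scraper.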

0 Answers