SaaS Application & API Security Review
A fictionalized demonstration of THF reporting depth for a multi-tenant SaaS product. Manual testing focused on APIs, access control, tenant isolation and business logic.
Tenant Isolation Requires Immediate Attention
A multi-tenant SaaS platform was reviewed across its web application and REST API. Testing confirmed an authorization weakness allowing a low-privilege user to retrieve a record assigned to another tenant by changing an object identifier.
Authentication operated as expected; however, ownership was not consistently enforced after login. Because exploitation required only a standard account, the issue was assessed as release-blocking.
Authorized Test Boundaries
| Surface | Coverage | Roles | Status |
|---|---|---|---|
| Web application | Auth, sessions, workflows | Standard / Admin | Reviewed |
| REST API | Objects, exports, integrations | Workspace A / Beta | Reviewed |
| Out of scope | DoS, social engineering, physical | — | Excluded |
Manual Product-Context Testing
Map users, tenants, sensitive objects and trust boundaries.
Exercise authentication, authorization and business logic.
Confirm practical impact without unnecessary disruption.
Provide reproducible evidence and engineering guidance.
Verify fixes and adjacent authorization controls.
Coverage is informed by OWASP ASVS, OWASP WSTG and the OWASP API Security Top 10, then extended through manual product-context testing.
Validated Findings
| ID | Finding | Severity | Status |
|---|---|---|---|
| THF-001 | Cross-tenant record access | CRITICAL | Open |
| THF-002 | Privileged export available to standard users | High | Open |
| THF-003 | Excessive customer metadata | Medium | Open |
| THF-004 | Session remains active after reset | Medium | Open |
| THF-005 | Internal object identifiers exposed | Low | Open |
THF-001 — Cross-Tenant Record Access
The endpoint verifies that the requester is authenticated but does not confirm that the requested record belongs to the requester’s tenant. A Workspace A user can replace a valid identifier with a Workspace B identifier and receive the record with HTTP 200.
A Core SaaS Security Guarantee Is Broken
- Cross-tenant disclosure of customer records
- Contractual and regulatory exposure
- Potential bulk extraction if identifiers are enumerable
- Customer confidence and incident-response impact
Observed Authorization Failure
Expected

```http
Content-Type: application/json

{ "error": "access_denied" }
```

Observed

```http
Content-Type: application/json

{
  "record_id": "rec_demo_8421",
  "tenant_id": "tenant_beta",
  "customer_name": "[REDACTED]",
  "status": "active"
}
```
Reproduction Steps
- Sign in as the Workspace A standard user.
- Capture a valid record request.
- Replace the record identifier with the authorized Workspace B test record.
- Send the modified request.
- Observe HTTP 200 and confirm the token still belongs to Workspace A.
Authorization: Bearer [REDACTED]
No administrative role was required. Testing was limited to authorized test records; no production customer data was accessed.
Enforce Ownership in the Data-Access Layer
Apply the authenticated tenant context to every server-side object lookup. Do not accept tenant identity from client-controlled input, and deny access by default.
```text
# Pseudocode. The name of the lookup call was not preserved on the page and is assumed here;
# the point is that the tenant id comes from the authenticated session, not from the request.
record = find_record(
    id = request.record_id,
    tenant_id = authenticated_user.tenant_id
)
```
- Constrain read, update, delete, export and batch operations
- Centralize authorization policy where practical
- Add automated cross-tenant regression tests
- Log repeated object-identifier probing
- Review adjacent endpoints using the same object model
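The remediation and verification items above, as an added example (not code from the reviewed product or from THF): the vulnerable lookup beside its tenant-scoped replacement, a deny-by-default handler that counts denials so identifier probing is visible, and the cross-tenant regression check. Record values, the `find`-style functions and the probe threshold are constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter
from typing import Callable, Dict, Optional, Tuple

# Constructed sample store: one record per tenant (placeholder values, no real customer data).
RECORDS: Dict[str, dict] = {
    "rec_demo_1001": {"record_id": "rec_demo_1001", "tenant_id": "tenant_alpha", "status": "active"},
    "rec_demo_8421": {"record_id": "rec_demo_8421", "tenant_id": "tenant_beta", "status": "active"},
}
DENIED_LOOKUPS: Counter = Counter()  # per-user count of denied object lookups
PROBE_THRESHOLD = 5                  # assumed alerting threshold for repeated identifier probing

@dataclass(frozen=True)
class AuthenticatedUser:
    user_id: str
    tenant_id: str  # taken from the verified session/token, never from client-controlled input

Lookup = Callable[[AuthenticatedUser, str], Optional[dict]]

def get_record_vulnerable(user: AuthenticatedUser, record_id: str) -> Optional[dict]:
    """The THF-001 pattern: the caller is authenticated, but ownership is never checked."""
    return RECORDS.get(record_id)

def get_record_scoped(user: AuthenticatedUser, record_id: str) -> Optional[dict]:
    """Remediated lookup: the authenticated tenant is part of the query key, so a
    foreign identifier simply does not match. Anything that does not match is denied."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["tenant_id"] != user.tenant_id:
        return None
    return rec

def handle_get_record(user: AuthenticatedUser, record_id: str,
                      lookup: Lookup = get_record_scoped) -> Tuple[int, dict]:
    """Endpoint handler: deny by default and count denials so repeated probing is visible."""
    rec = lookup(user, record_id)
    if rec is None:
        DENIED_LOOKUPS[user.user_id] += 1
        return 403, {"error": "access_denied"}
    return 200, rec

def probing_suspected(user_id: str) -> bool:
    """Detection hook for the 'log repeated object-identifier probing' item."""
    return DENIED_LOOKUPS[user_id] >= PROBE_THRESHOLD

def cross_tenant_regression(lookup: Lookup) -> bool:
    """Automated regression test: a Workspace A user reads its own record but is
    denied a Workspace B record. Returns False for the vulnerable lookup."""
    alpha = AuthenticatedUser("u_alpha", "tenant_alpha")
    own_ok = handle_get_record(alpha, "rec_demo_1001", lookup)[0] == 200
    foreign_denied = handle_get_record(alpha, "rec_demo_8421", lookup)[0] == 403
    return own_ok and foreign_denied
```

The same `cross_tenant_regression` check should be run against update, delete, export and batch operations, since the finding concerns the object model rather than one endpoint.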
Closure Requires More Than One Denied Request
THF repeats the original attack, confirms same-tenant workflows remain functional, tests related operations and checks adjacent endpoints using the same authorization model.
Possible outcomes: Resolved · Partially resolved · Not resolved · Risk accepted.
Engineering-Ready Output
- Executive summary and validated risk summary
- Scope, methodology and technical findings
- Sanitized evidence and reproduction steps
- Business-impact analysis and remediation guidance
- Engineering prioritization and optional remediation discussion
- Retest support and final status update
See What a Focused Review Would Find
Share the product area, API, release or workflow you want reviewed. THF will respond with practical scoping questions and a recommended testing approach.
NDA available • Scoped SOW • Secure access coordination • Retesting support