Vulnerability Detection · OWASP A01:2021

Tenant Isolation Scanner

Use two authenticated test actors to verify tenant-scoped resources cannot be read across accounts.

Tenant isolation bugs are the heart of IDOR and broken access control. This opt-in scanner takes credentials for two low-privilege test actors plus a list of URLs that should be readable only by one of them, then checks whether the other actor receives the same protected response.

What this scanner does

Sends authenticated GET requests as actor A and actor B to each configured tenant-scoped URL. Flags cases where both actors receive successful, substantially identical owner-specific responses, with per-request noise such as request IDs and timestamps discounted so that two reads of the same record compare as equal and genuinely different records do not.

Why it matters

A single missing ownership check can let one customer read another customer’s records. Unauthenticated, URL-only scanners miss this because the resource is only reachable with a valid session, and the bug only shows when a second session, scoped to a different tenant, succeeds as well.

Common findings

  • Both test users can read the same tenant-owned record
  • Non-owner receives the same response as owner
  • Configured owner is denied while non-owner succeeds
  • Tenant-scoped API route lacks server-side ownership checks
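The two-actor check described above, and the findings it produces, as an added example (this is not the scanner's own code). It assumes a hypothetical `/api/invoices/<id>` route backed by constructed sample data, and models the route twice: once without a server-side ownership check and once with one. The check normalizes responses by dropping volatile keys before comparing them, so a differing request ID does not mask a cross-tenant read, and it classifies the owner/non-owner status pair into the verdicts listed under common findings.

```python
"""Two-actor tenant-isolation check (added example, not the scanner's own code)."""
import difflib
import json
import re
from typing import Callable, Optional

Response = tuple[int, str]                         # (HTTP status, body)
Fetch = Callable[[Optional[str], str], Response]   # fetch(actor, url)

# Constructed sample data (hypothetical): two tenants, one invoice each.
RECORDS = {
    "inv_1001": {"id": "inv_1001", "owner": "alice", "customer": "ACME Corp", "amount": 4200},
    "inv_2002": {"id": "inv_2002", "owner": "bob", "customer": "Globex", "amount": 150},
}
ROUTE = re.compile(r"^/api/invoices/([A-Za-z0-9_]+)$")
_counter = 0


def _render(rec: dict) -> str:
    """Serialise a record plus a per-request volatile field (request id)."""
    global _counter
    _counter += 1
    return json.dumps({**rec, "request_id": f"req-{_counter}"})


def vulnerable_fetch(actor: Optional[str], url: str) -> Response:
    """Authenticates the caller but never checks who owns the record (IDOR)."""
    m = ROUTE.match(url)
    if actor is None:
        return 401, '{"error":"unauthenticated"}'
    rec = RECORDS.get(m.group(1)) if m else None
    if rec is None:
        return 404, '{"error":"not found"}'
    return 200, _render(rec)


def fixed_fetch(actor: Optional[str], url: str) -> Response:
    """Same route with a server-side ownership check. Non-owners get 404
    rather than 403 so the response does not reveal that the record exists."""
    m = ROUTE.match(url)
    if actor is None:
        return 401, '{"error":"unauthenticated"}'
    rec = RECORDS.get(m.group(1)) if m else None
    if rec is None or rec["owner"] != actor:
        return 404, '{"error":"not found"}'
    return 200, _render(rec)


# Keys that legitimately differ between two reads of the same record.
VOLATILE_KEYS = {"request_id", "trace_id", "served_at", "timestamp"}


def _strip_volatile(obj):
    if isinstance(obj, dict):
        return {k: _strip_volatile(v) for k, v in obj.items() if k not in VOLATILE_KEYS}
    if isinstance(obj, list):
        return [_strip_volatile(v) for v in obj]
    return obj


def normalize(body: str) -> str:
    """Canonical form for comparison: JSON with volatile keys removed and
    sorted keys; non-JSON bodies only get ISO timestamps masked."""
    try:
        return json.dumps(_strip_volatile(json.loads(body)), sort_keys=True)
    except ValueError:
        return re.sub(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z?", "<ts>", body)


DENIED = {401, 403, 404}


def _ok(status: int) -> bool:
    return 200 <= status < 300


def check_tenant_isolation(fetch: Fetch, owner: str, non_owner: str, url: str,
                           threshold: float = 0.9) -> dict:
    """Fetch the URL as the configured owner and as the non-owner, then classify."""
    owner_status, owner_body = fetch(owner, url)
    other_status, other_body = fetch(non_owner, url)
    ratio = difflib.SequenceMatcher(None, normalize(owner_body), normalize(other_body)).ratio()
    if _ok(owner_status) and _ok(other_status) and ratio >= threshold:
        verdict = "cross_tenant_read"                 # both read the same record
    elif owner_status in DENIED and _ok(other_status):
        verdict = "owner_denied_non_owner_succeeds"   # ownership mapping is wrong
    elif _ok(owner_status) and other_status in DENIED:
        verdict = "isolated"                          # server-side check holds
    else:
        verdict = "inconclusive"                      # e.g. both succeed but differ
    return {"url": url, "owner_status": owner_status, "non_owner_status": other_status,
            "similarity": round(ratio, 3), "verdict": verdict}


if __name__ == "__main__":
    for name, fetch in (("vulnerable", vulnerable_fetch), ("fixed", fixed_fetch)):
        print(name, check_tenant_isolation(fetch, "alice", "bob", "/api/invoices/inv_1001"))
```

Against a real target, `fetch` would wrap an HTTP client that attaches each actor's session cookie or bearer token; everything else stays the same. The "inconclusive" branch is deliberate: an endpoint that returns 200 to both actors but with different bodies (a per-user list, for instance) is not evidence of a cross-tenant read and should be reviewed by hand rather than reported.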

OWASP Top 10 coverage

A01:2021 Broken Access Control

Run this check on your site

Get a full security report with remediation guidance in 30 seconds. No setup required.


Related security checks

Vulnerability Detection

IDOR & Broken Access Control Scanner

Find exposed admin routes, unauthenticated APIs, sequential IDs, and mass data exposure.

Vulnerability Detection

Authentication Flow Scanner

Test your login, signup, and password reset flows for common security weaknesses.

Configuration Audit

Supabase Security Scanner

Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
