Use two authenticated test actors to verify tenant-scoped resources cannot be read across accounts.
Overview
Tenant isolation bugs are the heart of IDOR and broken access control. This opt-in scanner accepts two low-privilege test actors and owner-specific URLs, then verifies whether the non-owner receives the same protected response.
What this scanner does
Sends authenticated GET requests as actor A and actor B to configured tenant-scoped URLs. Flags cases where both actors receive successful, substantially identical owner-specific responses.
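An added illustrative implementation of the two-actor check described above (example code, not the scanner's own), run against a constructed in-memory stand-in for a tenant-scoped API; the token values, paths and record bodies are made up:

```python
from difflib import SequenceMatcher
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]              # (HTTP status, body)
Fetch = Callable[[str, str], Response]  # fetch(actor_token, url) -> Response

def body_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical bodies."""
    return SequenceMatcher(None, a, b).ratio()

def check_tenant_isolation(fetch: Fetch, tokens: Dict[str, str],
                           owner_urls: Dict[str, List[str]],
                           threshold: float = 0.9) -> List[dict]:
    """Fetch each owner-specific URL as its owner and as the other actor.
    Flag the URL when both get a 2xx and the bodies are substantially the
    same: the signature of a missing ownership check."""
    findings = []
    for owner, urls in owner_urls.items():
        (other,) = [a for a in tokens if a != owner]  # exactly two actors
        for url in urls:
            s_own, b_own = fetch(tokens[owner], url)
            s_oth, b_oth = fetch(tokens[other], url)
            if not (200 <= s_own < 300 and 200 <= s_oth < 300):
                continue  # non-owner denied (or owner setup broken): nothing to flag
            ratio = body_similarity(b_own, b_oth)
            if ratio >= threshold:
                findings.append({"url": url, "owner": owner, "non_owner": other,
                                 "similarity": round(ratio, 2)})
    return findings

# Constructed stand-in for a target app (hypothetical, not a real service):
# /api/orders enforces ownership, /api/invoices does not.
_TOKENS = {"token-a": "A", "token-b": "B"}
_RECORDS = {
    "/api/invoices/1001": ("A", '{"id":1001,"owner":"A","total":"42.00"}'),
    "/api/invoices/2002": ("B", '{"id":2002,"owner":"B","total":"99.50"}'),
    "/api/orders/7":      ("A", '{"id":7,"owner":"A","items":["widget"]}'),
}

def fake_fetch(token: str, url: str) -> Response:
    actor = _TOKENS.get(token)
    if actor is None:
        return 401, ""
    if url not in _RECORDS:
        return 404, ""
    owner, body = _RECORDS[url]
    if url.startswith("/api/orders/") and owner != actor:
        return 403, '{"error":"forbidden"}'
    return 200, body  # invoices are returned to anyone authenticated

OWNER_URLS = {"A": ["/api/invoices/1001", "/api/orders/7"], "B": ["/api/invoices/2002"]}

def run_demo() -> List[dict]:
    return check_tenant_isolation(fake_fetch, {"A": "token-a", "B": "token-b"}, OWNER_URLS)
```

The similarity threshold exists because dynamic fields (timestamps, request ids) make byte-equality too strict; the flip side is that two generic 2xx responses (an empty list for both actors) also match, so the configured URLs must genuinely return owner-specific data for a finding to mean anything.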
Why it matters
A single missing ownership check can let one customer read another customer’s records. URL-only scanners can miss this because both requests need authenticated context.
Common findings
OWASP Top 10 coverage