Tenant Tilt
TenantTilt is a multi-tenant billing and analytics dashboard where dozens of small businesses manage invoices under a shared SaaS umbrella.
The Scenario
TenantTilt is a multi-tenant billing and analytics dashboard used by dozens of small businesses under a single SaaS umbrella.
The founders received a report that invoice data may be visible across tenant boundaries under certain conditions. They need a concrete reproduction path and a clear explanation of what can be extracted. You're stepping in to validate isolation, identify any workflow weaknesses, and prove whether tenant-to-tenant data exposure is real.
Lab Intel
Synopsis
TenantTilt has enlisted your services to validate tenant isolation across their shared billing platform. Invoice data may be leaking between tenant boundaries, and they need a concrete reproduction path before rolling out a fix.
Architecture
An easy-rated single-service lab running a FastAPI multi-tenant billing dashboard backed by SQLite. It focuses purely on broken object-level authorization -- you'll exploit a straightforward IDOR in an authenticated API to cross tenant boundaries and exfiltrate another tenant's invoice data.
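To make the authorization flaw described above concrete, the following is an added example and not the lab's own code: the vulnerable invoice lookup beside its tenant-scoped fix, plus a small isolation check of the kind a defender would put in a regression suite. It is written in plain Python with the standard sqlite3 module rather than as a FastAPI route so it runs without the framework; the table layout, tenant ids and invoice rows are constructed for illustration and do not come from the lab.

```python
import sqlite3

COLUMNS = ("id", "tenant_id", "customer", "amount")


class NotFound(Exception):
    """Stands in for an HTTP 404 response from the API."""


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory dataset standing in for the lab's SQLite store.
    Tenant 100 owns invoices 1 and 2; tenant 200 owns invoice 3 (hypothetical values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, "
        "customer TEXT NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, customer, amount) VALUES (?, ?, ?, ?)",
        [
            (1, 100, "Acme Ltd", 120.0),
            (2, 100, "Acme Ltd", 80.5),
            (3, 200, "Bolt Co", 999.99),
        ],
    )
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, current_tenant_id: int, invoice_id: int) -> dict:
    """BOLA pattern: the session proves WHO the caller is (current_tenant_id is
    known), but the lookup keys only on invoice_id, so any authenticated tenant
    can read any row simply by supplying a different sequential id."""
    row = conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()
    if row is None:
        raise NotFound(f"invoice {invoice_id}")
    return dict(zip(COLUMNS, row))


def get_invoice_scoped(conn: sqlite3.Connection, current_tenant_id: int, invoice_id: int) -> dict:
    """Hardened form: ownership is part of the query predicate, so a row that
    belongs to another tenant is indistinguishable from a row that does not
    exist. The caller's tenant id comes from the authenticated session, never
    from the request parameters."""
    row = conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices "
        "WHERE id = ? AND tenant_id = ?",
        (invoice_id, current_tenant_id),
    ).fetchone()
    if row is None:
        raise NotFound(f"invoice {invoice_id}")
    return dict(zip(COLUMNS, row))


def isolation_holds(fetch, conn: sqlite3.Connection, tenant_id: int, invoice_ids) -> bool:
    """Regression check: every invoice the handler returns to tenant_id must
    carry that tenant_id. Returns False on the first cross-tenant row."""
    for invoice_id in invoice_ids:
        try:
            invoice = fetch(conn, tenant_id, invoice_id)
        except NotFound:
            continue
        if invoice["tenant_id"] != tenant_id:
            return False
    return True


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable handler isolates tenants:", isolation_holds(get_invoice_vulnerable, db, 100, [1, 2, 3]))
    print("scoped handler isolates tenants:    ", isolation_holds(get_invoice_scoped, db, 100, [1, 2, 3]))
```

The fix is the `AND tenant_id = ?` predicate bound to the session's tenant, not a post-hoc comparison after the row has been loaded; keeping the ownership check inside the query means there is no code path that holds another tenant's data in memory. Returning the same 404 for foreign and non-existent ids keeps the handler uniform, and on the detection side a single session producing a run of 404s across consecutive invoice ids is the signal to alert on.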
Who It's For
Beginners who are comfortable with basic web app navigation and can intercept HTTP requests with a proxy like Burp Suite or browser dev tools. Prior experience with REST APIs and sequential ID enumeration is helpful but not required.
Skills You'll Practice
- HTTP request interception (browser dev tools or Burp Suite)
- Basic understanding of REST API endpoints
- Familiarity with authentication vs. authorization concepts
What You'll Gain
- IDOR/BOLA exploitation
- Sequential ID enumeration
- Cross-tenant data extraction
- Broken object-level authorization identification