BACK TO BLOG

The First Five Things Hackers Look for When Targeting SaaS

Why modern breaches start with identity, not infrastructure

Security programs are typically structured around controls, coverage, and compliance indicators, yet attackers typically do not approach environments through that lens. When targeting a SaaS company, the objective is not to enumerate controls but to identify the shortest path to meaningful access, whether that is customer data, internal administrative capability, or influence over application behavior. This requires evaluating how identity is established, how it is extended, and how far it can propagate once obtained.

SaaS architectures are inherently identity-centric. Access decisions are enforced through APIs, mediated by tokens, and influenced by integrations that extend beyond the application boundary. As a result, compromise rarely depends on exploiting memory corruption or unpatched services. It depends on identifying where trust is implicitly granted and whether that trust can be reused or expanded without violating any explicit control.

The first five areas an attacker evaluates are therefore not arbitrary weaknesses but structural components of the control plane. Each determines whether access can be converted into persistence, expansion, or cross-tenant impact without generating signals that traditional detection systems are designed to recognize.

1. Identity Entry Points and Authentication Surfaces

The initial phase of targeting focuses on how identities are introduced into the system. SaaS platforms commonly expose multiple authentication paths, including federated SSO through SAML or OIDC, direct credential-based login, API authentication mechanisms, and service account access. These entry points are often implemented independently, with different enforcement logic, session controls, and validation layers.

An attacker does not treat authentication as a single boundary. Instead, each entry point is evaluated as a separate trust channel. Even when MFA is enforced for interactive login, it is frequently absent or inconsistently applied in non-interactive flows such as API token generation or service account authentication. This creates parallel authentication paths where one path may enforce strong assurance while another allows equivalent identity issuance with reduced friction.

From a technical perspective, this stage involves examining token issuance logic, session lifetime configuration, and fallback authentication behavior. If a SaaS platform permits long-lived API tokens that can be generated after a single MFA event, or allows session extension through refresh mechanisms that are not revalidated, the attacker can establish a durable foothold without repeatedly interacting with the authentication system. The objective is not to break authentication, but to identify where it is weakest while still producing a valid identity that is fully recognized by the control plane.


2. Token Power and Reusability

Once an identity is obtained, the focus shifts from authentication to token behavior. In SaaS environments, tokens are the operational representation of identity. Access tokens, refresh tokens, API keys, and session cookies enable direct interaction with backend services and APIs, often without invoking the original authentication checks that issued them.

Attackers evaluate whether tokens are narrowly scoped or broadly permissive, whether they are bound to specific devices or network contexts, and whether they can be reused across environments. Refresh tokens are of particular interest because they enable continuous access by minting new access tokens without requiring reauthentication. If these tokens are long-lived, not rotated, or not invalidated upon suspicious activity, they effectively decouple persistence from the original authentication event.

For example, in the 2023 Okta support system breach, attackers were able to access customer support data after compromising a support engineer’s session. The intrusion did not rely on bypassing authentication controls directly, but on the ability to reuse valid session artifacts and operate within an already authenticated context.

In practice, this means that a single token extracted from a client device, integration, or logging artifact can provide sustained access to sensitive operations. Because token usage typically manifests as legitimate API traffic, it does not produce the anomalies associated with credential-based attacks. The system continues to operate as designed, issuing responses to authenticated requests, while the attacker operates within the same boundaries as trusted clients.

The critical observation is that tokens often carry more operational authority than credentials. Credentials are subject to authentication controls and monitoring, whereas tokens represent already validated sessions that interact directly with the control plane. Their misuse therefore bypasses the mechanisms that security programs most heavily instrument.


3. Authorization Model and Tenant Isolation

With a functioning identity and usable tokens, attackers begin testing authorization boundaries. In multi-tenant SaaS systems, authorization determines whether access is correctly constrained to the resources associated with a specific tenant. Failures at this layer are particularly impactful because they allow access to other customers’ data without requiring additional compromise.

The evaluation typically involves interacting with API endpoints while modifying identifiers that reference tenants, users, or resources. If authorization checks are implemented inconsistently across services, it is possible for certain endpoints to validate authentication without enforcing object-level access control. This leads to scenarios where altering a tenant identifier in a request results in data retrieval from a different customer context.

A recent Microsoft Power Apps incident exposed tens of millions of records because backend APIs did not consistently enforce authorization on data queries. Authentication succeeded as expected, but authorization logic failed to restrict access at the object level, allowing unauthenticated or low-privileged users to retrieve sensitive data across tenants.

These conditions often arise in distributed architectures where multiple microservices handle requests and rely on shared assumptions about upstream validation. If one service assumes that authorization has already been enforced and does not revalidate access, the integrity of tenant isolation depends on consistent behavior across the entire request path. Any deviation introduces a point where data exposure can occur.

The broader issue is that authentication confirms identity, but authorization defines scope. In SaaS environments, large-scale breaches are more frequently the result of authorization gaps than authentication failures. Once a valid identity exists, the question is not whether access is permitted, but whether it is correctly constrained at every point where data is accessed or modified.


4. Integration Surfaces and Third-Party Trust

Modern SaaS platforms are designed to integrate with external systems through OAuth applications, webhooks, APIs, and automation pipelines. These integrations extend functionality but also introduce additional trust relationships that operate outside the core authentication model.

Attackers analyze how external entities are granted access and what level of control they retain after initial authorization. OAuth consent flows are a common focus, particularly when applications request broad scopes that allow access to data or administrative actions. If users or administrators approve these requests without strict review, the resulting tokens provide persistent access that is independent of user sessions.

Webhooks and service-to-service integrations present similar opportunities. If inbound requests from external systems are not rigorously validated through signatures or mutual authentication, an attacker may be able to inject data or trigger internal workflows. Likewise, integrations with CI/CD systems or third-party platforms can introduce privileged access paths that are not subject to the same monitoring as user activity.

The key characteristic of integration-based access is that it is explicitly trusted by design. No exploitation is required if an external system already has the permissions necessary to interact with sensitive components. Compromise can therefore occur by obtaining or abusing credentials associated with these integrations rather than targeting the SaaS application directly.


5. Internal Privilege Escalation Paths

The final stage of evaluation focuses on whether a low-privileged identity can be expanded into administrative control. In SaaS environments, privilege escalation is rarely achieved through a single misconfiguration. It emerges from the interaction of multiple permissions, roles, and internal features that were designed to support legitimate operations.

Attackers examine role-based access control implementations, internal administrative interfaces, support tooling, and environment boundaries. Support systems are particularly relevant because they often require elevated privileges to perform user-facing actions. If these systems lack strict validation or auditing, they can be leveraged to modify roles, access data, or execute actions beyond the scope of the original identity.

Environment separation is another common area of weakness. If staging and production environments share identity providers, tokens, or trust relationships, access obtained in a lower-security context can be propagated into higher-value systems. Similarly, feature flags or internal APIs intended for operational use may expose functionality that is not adequately protected in production.

From a structural perspective, privilege escalation reflects the cumulative effect of small, individually acceptable permissions. Each component may appear correctly configured when evaluated in isolation, yet their combination creates a path from limited access to full control. Identifying these paths requires analyzing how permissions compose rather than how they are defined.


Conclusion

When targeting a SaaS company, attackers are not searching for isolated vulnerabilities. They are analyzing how identity is introduced, how it is represented through tokens, how authorization constrains it, how integrations extend it, and how it can be elevated through internal mechanisms. Each of these areas operates within the control plane, where actions are valid, authenticated, and often indistinguishable from normal behavior.

Traditional security metrics emphasize patching, endpoint visibility, and control deployment. These remain necessary, but they do not directly address how identity and trust relationships enable access propagation. In SaaS environments, compromise frequently occurs without violating any explicit rule, because the system is operating within the permissions it has been given.

Understanding these five areas requires shifting focus from control validation to adversary movement. It involves examining how far an identity can reach once established, how long it can persist through token reuse, and how easily it can cross boundaries that were assumed to be enforced. This perspective reflects the operational reality of modern attacks, where the distinction between legitimate use and malicious activity is defined not by the mechanism, but by the intent behind it.

At Silent Breach, this perspective informs how SaaS environments are assessed in practice. Rather than validating controls in isolation, adversary-focused simulations and MDR model how identity, tokens, and trust relationships interact under realistic conditions. The objective is not to identify individual weaknesses, but to determine whether those components can be combined into viable attack paths that allow persistence, escalation, or cross-tenant impact. This approach reflects how modern attackers operate and exposes structural risks that remain invisible to traditional testing methodologies.

About Silent Breach:

Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.

Learn more about our cybersecurity services

Our 24/7/365 Security Operations Centers (SOCs) are ready to serve you any time of the day, anywhere in the world.

Contact specialist
Read this next
See more
0-day
0-day Discovered in Popular Compression Tool, 7-Zip

Silent Breach has identified a 0-day vulnerability in 7-Zip that could allow file retrieval from AES-256 encrypted archives.

read more
Trends
3 Lessons Learned from Accenture's Mistakes

Car rental behemoth, Hertz, is suing Accenture for $32 million for their failure to deliver "viable web and mobile applications".

read more
Trends
3 Ways the Metaverse Will Change Cybersecurity

Although coined way back in the mid-90s, there are many reasons why the metaverse is being touted as the future of the internet.

read more
Subscribe to Our Newsletter: Stay informed. Stay secure.

Get the latest security insights, threat updates, and exclusive offers - straight to your inbox.

Thank you! You have subscribed!
Oops! Something went wrong while submitting the form.
Think like a hacker, defend like a pro
Product
Services
Managed protection
Resources