Skip to content

TFS Auth Header Leaked

Service Name: Team Foundation Server

Service Description: Team Foundation Server (TFS) is Microsoft's on-premises application lifecycle management solution, now known as Azure DevOps Server. It provides source code management, reporting, requirements management, project management, automated builds, testing, and release management capabilities.

Service Address: https://azure.microsoft.com/en-us/products/devops/server/

Validation Type: -

IP Allow list: Does not exist

Secret Access Scope: Grants authentication access to TFS/Azure DevOps Server resources and can potentially expose authentication credentials.

Secret Revokement URL: Does not exist

Secret Example: X-TFS-FedAuthRedirect: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize

Suspicious Activity Investigation Instructions:

  • Review TFS/Azure DevOps Server access logs for unauthorized access.
  • Check for unusual project access or code repository activity.
  • Examine build and release pipeline modifications.
  • Look for unauthorized user accounts or permission changes.
  • Monitor for data exfiltration or unusual download patterns.
  • Verify if any code or artifacts have been modified unexpectedly.
  • Review build and release pipelines for unauthorized modifications.

Mitigation Instructions:

  • Immediately revoke any exposed authentication tokens or credentials.
  • Reset passwords for any accounts that may have been compromised.
  • Regenerate authentication tokens for affected users.
  • Update TFS/Azure DevOps Server to the latest version to ensure security patches are applied.
  • Review and adjust security settings to prevent header leakage.
  • Implement proper header security practices in applications that interact with TFS.
  • Consider implementing IP restrictions for TFS/Azure DevOps Server access.
  • Review and update access control policies.
  • Update any applications or scripts that may be using the exposed credentials.