TFS Auth Header Leaked
Service Name: Team Foundation Server
Service Description: Team Foundation Server (TFS) is Microsoft's on-premises application lifecycle management solution, now known as Azure DevOps Server. It provides source code management, reporting, requirements management, project management, automated builds, testing, and release management capabilities.
Service Address: https://azure.microsoft.com/en-us/products/devops/server/
Validation Type: -
IP Allow list: Does not exist
Secret Access Scope: Grants authentication access to TFS/Azure DevOps Server resources and can potentially expose authentication credentials.
Secret Revokement URL: Does not exist
Secret Example: X-TFS-FedAuthRedirect: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Suspicious Activity Investigation Instructions:
- Review TFS/Azure DevOps Server access logs for unauthorized access.
- Check for unusual project access or code repository activity.
- Examine build and release pipeline modifications.
- Look for unauthorized user accounts or permission changes.
- Monitor for data exfiltration or unusual download patterns.
- Verify if any code or artifacts have been modified unexpectedly.
- Review build and release pipelines for unauthorized modifications.
Mitigation Instructions:
- Immediately revoke any exposed authentication tokens or credentials.
- Reset passwords for any accounts that may have been compromised.
- Regenerate authentication tokens for affected users.
- Update TFS/Azure DevOps Server to the latest version to ensure security patches are applied.
- Review and adjust security settings to prevent header leakage.
- Implement proper header security practices in applications that interact with TFS.
- Consider implementing IP restrictions for TFS/Azure DevOps Server access.
- Review and update access control policies.
- Update any applications or scripts that may be using the exposed credentials.