While testing a web application that uses a single sign-on solution, you notice that an unvalidated parameter is used to pass user tokens to a relying site. Which procedure is most effective for checking if tokens can be diverted to a hostile domain?
Force the user to switch browsers during authentication to look for session isolation issues
Redirect the user’s authorization flow to a separate endpoint you manage and observe if tokens appear
Configure the identity tokens with stronger encryption in the identity provider settings
Review the identity provider logs in search of unusual tokens exchanged between client and server
Modifying the callback so that the tokens are redirected to a site under your control is the practical way to confirm whether the flaw is real: it shows directly whether the application accepts an altered destination that lets the tokens be captured. Strengthening encryption or reviewing logs on their own does not confirm that an attacker actually obtains the tokens, and forcing the user to switch browsers does not test token theft at all.