
CAS-002 · Question #267

CAS-002 Question #267: Real Exam Question with Answer & Explanation

The correct answer is C: Local storage of the authenticated token on the mobile application is secured. For SSO to work securely across a mobile app, web services gateway, and legacy UI, the authenticated session token stored locally on the device must be protected to prevent theft or replay attacks.

Question

An organization has just released a new mobile application for its customers. The application has an inbuilt browser and native application to render content from existing websites and the organization's new web services gateway. All rendering of the content is performed on the mobile application. The application requires SSO between the application, the web services gateway and legacy UI. Which of the following controls MUST be implemented to securely enable SSO?

Options

  • A. A registration process is implemented to have a random number stored on the client.
  • B. The identity is passed between the applications as a HTTP header over REST.
  • C. Local storage of the authenticated token on the mobile application is secured.
  • D. Attestation of the XACML payload to ensure that the client is authorized.

Explanation

For SSO to work securely across a mobile app, web services gateway, and legacy UI, the authenticated session token stored locally on the device must be protected to prevent theft or replay attacks.

Common mistakes.

  • A. Storing a random number on the client does not constitute an authenticated identity token and provides no mechanism for the web services gateway or legacy UI to recognize and trust the authenticated session.
  • B. Passing identity as a plain HTTP header over REST without securing the underlying token storage exposes the identity to interception and does not address the secure storage requirement that enables persistent SSO.
  • D. XACML is an authorization policy language used to evaluate access control decisions; attesting an XACML payload does not establish or transmit an authenticated identity needed for SSO.

Concept tested. Secure local token storage for mobile SSO

Reference. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

