As a penetration tester, you are authorized to test an application's API that employs scoped access tokens. When you request a token from the authorization server specifying a particular scope, you receive a token with broader privileges than expected. What should your next course of action be to ethically continue the test according to the rules of engagement?
Manually adjust the scope in the token to match the intended permissions and proceed with testing.
Inform the client and request a token with the correct scope.
Continue testing using the received token but avoid accessing the functionalities that are outside the initial scope.
Use the broader scoped token to test additional functionalities since it will provide a more comprehensive security assessment.
The correct answer is to inform the client and request a token with the correct scope, as per the test's rules of engagement. Accidentally receiving a token that grants broader access than intended can lead to testing systems that are out of scope, which might be against the policies and potentially illegal. While tempting, using the broader scoped token without authorization would be unethical and potentially a violation of the agreed-upon rules. Continuing with the received token without notifying the client or attempting to limit its privileges on your own are both incorrect actions that could lead to adverse outcomes.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are scoped access tokens?
Open an interactive chat with Bash
What are the rules of engagement in penetration testing?
Open an interactive chat with Bash
Why is it important to notify the client about issues like receiving a broader scoped token?