CCSP Domain 4: Cloud Application Security, Section A (Module 38 of 70)

Module 38: Common Cloud Vulnerabilities (OWASP, SANS)
The CCSP exam expects you to recognize common web and cloud application vulnerabilities by category and understand which SDLC phase addresses each one.

OWASP Top 10: The Exam Baseline

The exam does not ask you to recite the OWASP Top 10 in order. It tests whether you can identify a vulnerability from a scenario description and select the correct mitigation.

Key categories you must recognize:

  • Injection — SQL, NoSQL, OS command, LDAP injection. Untrusted data sent as part of a command or query
  • Broken Authentication — weak session management, credential stuffing, missing MFA
  • Sensitive Data Exposure — unencrypted data at rest or in transit, weak cryptographic algorithms
  • Broken Access Control — users accessing resources beyond their authorization. IDOR (Insecure Direct Object Reference) is a classic example
  • Security Misconfiguration — default credentials, unnecessary features enabled, verbose error messages
  • Cross-Site Scripting (XSS) — injecting malicious scripts into web pages viewed by other users

When the exam describes a scenario where user input is included in a database query without validation, the answer is injection. When user input is reflected in HTML without encoding, the answer is XSS. Pattern recognition is key.
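To make the two patterns above concrete, here is an added example (not part of the module) that places the vulnerable form of each beside its mitigation: string-built SQL versus a parameterized query, and raw HTML reflection versus output encoding. The in-memory SQLite table, the user rows and the inputs are constructed for the demonstration.

```python
"""Injection and XSS: the vulnerable pattern beside its mitigation (added example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: untrusted input is spliced into the SQL text, so it can change
    # the query's meaning. This is the "user input in a query" exam pattern.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # MITIGATED: parameterized (prepared) query. The driver binds `name` as a
    # value; whatever it contains, it can never become part of the SQL syntax.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greet_unsafe(name: str) -> str:
    # VULNERABLE: user input reflected into HTML without encoding, so markup in
    # the input is rendered by the browser. This is the exam's XSS pattern.
    return f"<p>Hello, {name}</p>"


def greet_safe(name: str) -> str:
    # MITIGATED: output encoding turns <, >, &, quotes into entities, so the
    # browser shows the input as text instead of interpreting it as markup.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR 'a'='a"  # constructed input that is always true when spliced in
    print("unsafe rows:", len(find_user_unsafe(db, tautology)))  # every user
    print("safe rows:  ", len(find_user_safe(db, tautology)))    # no such name
    print(greet_unsafe("<b>bob</b>"))
    print(greet_safe("<b>bob</b>"))
```

The unsafe lookup returns every row for the tautology input because the input rewrote the WHERE clause; the parameterized version returns nothing because the same text was compared as a literal name. The same split applies to the HTML case: `html.escape` is the output-encoding defense listed under XSS mitigations, and it is applied at the point where data enters the page, not where it enters the application.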

Cloud-Specific Vulnerabilities

Beyond traditional OWASP, cloud introduces unique attack vectors:

  • Server-Side Request Forgery (SSRF) — tricking an application into making requests to internal cloud services, especially the metadata service (169.254.169.254)
  • Insecure cloud storage — publicly accessible S3 buckets, Azure blob containers
  • Overly permissive IAM — application service accounts with excessive privileges
  • Insecure API endpoints — unauthenticated or under-authenticated cloud APIs
  • Container image vulnerabilities — unpatched base images from public registries

SSRF is particularly dangerous in cloud because the metadata service can expose temporary credentials, API keys, and instance configuration data. The exam expects you to recognize SSRF as a cloud-amplified vulnerability.


SANS CWE Top 25

The SANS CWE (Common Weakness Enumeration) Top 25 overlaps with OWASP but focuses on software weaknesses rather than web application risks. Key entries for the exam:

  • CWE-79 — Cross-site Scripting
  • CWE-89 — SQL Injection
  • CWE-787 — Out-of-bounds Write (buffer overflow)
  • CWE-20 — Improper Input Validation (root cause of most injection attacks)
  • CWE-862 — Missing Authorization

The exam tests root causes. Most injection and XSS vulnerabilities trace back to CWE-20: Improper Input Validation. If a question asks for the ROOT CAUSE of injection attacks, the answer is insufficient input validation, not the specific injection type.

Mapping Vulnerabilities to Mitigations

The exam tests whether you can match the vulnerability to the correct defense:

  • Injection → Parameterized queries, input validation, prepared statements
  • Broken Authentication → MFA, secure session management, credential rotation
  • XSS → Output encoding, Content Security Policy (CSP), input sanitization
  • SSRF → Allowlisting outbound requests, blocking metadata service access, IMDSv2
  • Misconfiguration → Automated configuration scanning, CIS benchmarks, CSPM tools
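The SSRF mitigation above ("allowlisting outbound requests, blocking metadata service access") is the one most directly expressible in application code, so here is an added example (not the module's own code) of a deny-by-default outbound URL check. It allows only HTTPS requests to an explicit hostname allowlist, refuses IP literals, and names the 169.254.169.254 metadata address from the module as an explicit deny alongside a general non-global-address check. The allowlisted hostnames and the URLs in the usage block are constructed; IMDSv2 is a platform setting and is not shown here.

```python
"""Outbound URL allowlisting as an SSRF mitigation (added example, not from the module)."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Assumption: the application only ever needs to call these two hostnames (constructed).
ALLOWED_HOSTS = {"api.partner.example", "storage.example"}
ALLOWED_SCHEMES = {"https"}
# The cloud metadata endpoint named in the module. It is denied explicitly even
# though the non-global check below would also catch it (defense in depth).
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254")}


def check_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowlisted is refused."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return False, f"unparseable url: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"

    host = parts.hostname  # lowercased, brackets stripped, userinfo removed
    if not host:
        return False, "missing host"

    # IP literals are refused outright: the allowlist is by name, and a literal
    # address is the usual way a request ends up at metadata, loopback or an
    # internal service instead of the intended partner API.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if addr in METADATA_ADDRESSES:
            return False, "cloud metadata service address"
        if not addr.is_global:  # loopback, link-local, private ranges
            return False, "non-global address"
        return False, "ip literal not in allowlist"

    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs to exercise each branch of the check.
    for candidate in (
        "https://api.partner.example/v1/items",
        "http://api.partner.example/v1/items",
        "https://169.254.169.254/latest/meta-data/",
        "https://10.0.0.5/internal",
        "https://[fd00::1]/",
        "https://other.example/",
    ):
        allowed, reason = check_outbound_url(candidate)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {candidate:45} {reason}")
```

Two design points worth noting. First, the check is positive (allowlist) rather than negative (blocklist of bad addresses): the metadata deny and the non-global test are only backstops, and a request to an unknown but perfectly public host is still refused. Second, the check validates the URL the application is about to request, which is also the right place to log denials so that SSRF attempts show up in detection, not only in prevention.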

Vulnerability Disclosure and Response

Cloud applications require coordinated vulnerability response between customer and provider:

  • Application vulnerabilities are the customer’s responsibility to patch
  • Platform vulnerabilities are the provider’s responsibility
  • Responsible disclosure timelines must be defined in advance
  • Bug bounty programs incentivize external researchers to report vulnerabilities