From 6031cd2a0fd360007aecd0d73cf8e35e774182cd Mon Sep 17 00:00:00 2001 From: Adrian Sroka Date: Mon, 5 Jan 2026 23:50:24 +0100 Subject: [PATCH 1/3] First version of cloud suit --- source/cloud-cards-1.0-en.yaml | 114 +++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 source/cloud-cards-1.0-en.yaml diff --git a/source/cloud-cards-1.0-en.yaml b/source/cloud-cards-1.0-en.yaml new file mode 100644 index 000000000..56ec97cbb --- /dev/null +++ b/source/cloud-cards-1.0-en.yaml 
@@ -0,0 +1,114 @@
+---
+meta:
+ edition: "cloud"
+ component: "cards"
+ language: "EN"
+ version: "1.0"
+suits:
+-
+ id: "VE"
+ name: "CLOUD"
+ cards:
+ -
+ id: "CL2"
+ value: "2"
+ desc: "The attacker abused overly permissive roles assigned to an application to gain full access to cloud services beyond its intended scope"
+ stride: [ E ]
+ ccm: [ IAM-05, IAM-09 ]
+ mitre_attack: [ T1098.003, T1078.004 ]
+ cwe: [ CWE-732 ]
+ capec: [ CAPEC-122 ]
+ -
+ id: "CL3"
+ value: "3"
+ desc: "The attacker discovered a publicly accessible cloud storage bucket and downloaded sensitive customer data directly from the internet"
+ stride: [ I ]
+ ccm: [ DSP-17, IVS-03, LOG-04 ]
+ mitre_attack: [ T1530 ]
+ cwe: [ CWE-200 ]
+ capec: [ CAPEC-545 ]
+ -
+ id: "CL4"
+ value: "4"
+ desc: "The attacker operated within critical cloud services without triggering alerts by exploiting the absence of audit logs and security monitoring"
+ stride: [ R ]
+ ccm: [ LOG-01, LOG-05, LOG-07 ]
+ mitre_attack: [ T1562.008 ]
+ capec: [ CAPEC-268 ]
+ -
+ id: "CL5"
+ value: "5"
+ desc: "An attacker injected malicious code into the cloud Continous Integration/Continous Delivery pipeline by abusing unprotected build variables"
+ stride: [ T ]
+ ccm: [ AIS-05, CCC-02, CCC-04 ]
+ mitre_attack: [ T1195.002 ]
+ capec: [ CAPEC-242 ]
+ -
+ id: "CL6"
+ value: "6"
+ desc: "The attacker exploited a poorly protected cloud API to enumerate resources and manipulate backend cloud services"
+ stride: [ T, I ]
+ ccm: [ AIS-01, AIS-02, AIS-04, LOG-03 ]
+ mitre_attack: [ T1528, T1530 ]
+ capec: [ CAPEC-54 ]
+ -
+ id: "CL7"
+ value: "7"
+ desc: "The attacker escaped from a compromised container and gained access to the underlying cloud host"
+ stride: [ E ]
+ ccm: [ IVS-04, IVS-06 ]
+ mitre_attack: [ T1611, TA0008 ]
+ capec: [ CAPEC-480 ]
+ -
+ id: "CL8"
+ value: "8"
+ desc: "The attacker exploited a shared cloud account without access isolation, using metadata and tags to identify and access resources belonging to multiple 
products" + stride: [ E ] + ccm: [ DSP-04, DSP-17 ] + mitre_attack: [ T1552.005 ] + capec: [ CAPEC-545 ] + - + id: "CL9" + value: "9" + desc: "The attacker pivoted from one compromised cloud account into multiple connected environments using existing trust relationships" + stride: [ E ] + ccm: [ IAM-04, IVS-06 ] + mitre_attack: [ T1021.007, TA0008 ] + capec: [ CAPEC-161 ] + - + id: "CLX" + value: "10" + desc: "The attacker introduced backdoored Infrastructure-as-Code templates into version control, causing vulnerable cloud environments to be deployed at scale" + stride: [ T ] + ccm: [ AIS-04, AIS-06, CCC-06 ] + mitre_attack: [ T1195.001, T1584.004 ] + capec: [ CAPEC-248 ] + - + id: "CLJ" + value: "J" + desc: "The attacker compromised a CI runner and injected malicious code into container images that were automatically promoted to production across all cloud clusters" + stride: [ T ] + ccm: [ IVS-01, IVS-05, CCC-04 ] + mitre_attack: [ T1554, T1195 ] + capec: [ CAPEC-439 ] + - + id: "CLQ" + value: "Q" + desc: "The attacker leveraged a breach in one cloud service to pivot into another by abusing shared identities, pipelines, and secrets" + stride: [ I, E ] + ccm: [ IAM-05, IAM-116 ] + mitre_attack: [ T1195 ] + capec: [ CAPEC-161 ] + - + id: "CLK" + value: "K" + desc: "The attacker compromised the cloud root or break-glass account, gaining irreversible control over billing, identities, and recovery mechanisms" + stride: [ S ] + ccm: [ IAM-01, IAM-02, IAM-09 ] + mitre_attack: [ T1098 ] + capec: [ CAPEC-233 ] + - + id: "CLA" + value: "A" + desc: "You have invented a new attack against Data Validation and Encoding" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Input Validation, XSS Prevention, DOM-based XSS Prevention, SQL Injection Prevention, and Query Parameterization" From 615bc3df02576f96efa85b510ff8649687e4ad62 Mon Sep 17 00:00:00 2001 
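Review bot: The Ace card `CLA` at the end of the hunk carries text that belongs to a different suit — its `desc` says "a new attack against Data Validation and Encoding" and its `misc` points at the Input Validation, XSS and SQL Injection cheat sheets — so it should be replaced with cloud-specific wording or left empty until that is written. The suit `id: "VE"` under `name: "CLOUD"` may come from the same copy-and-paste, and the card ids `CL2`…`CLA` do not match the `CLD2`…`CLDA` ids that `source/companion-cards-1.0.yaml` already uses, so anything that joins the two files by id would not find these cards. The next patch in this series deletes this file, so the textual issues it also introduces (`Continous` on `CL5`, `IAM-116` on `CLQ`) are best corrected where the data ends up.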
From: Adrian Sroka Date: Tue, 6 Jan 2026 23:19:22 +0100 Subject: [PATCH 2/3] Moving cards definition to companion file Changing "the attacker" to names --- source/cloud-cards-1.0-en.yaml | 114 ----------------------------- source/companion-cards-1.0.yaml | 24 +++--- source/companion-mappings-1.0.yaml | 50 +++++++++++++ 3 files changed, 62 insertions(+), 126 deletions(-) delete mode 100644 source/cloud-cards-1.0-en.yaml diff --git a/source/cloud-cards-1.0-en.yaml b/source/cloud-cards-1.0-en.yaml deleted file mode 100644 index 56ec97cbb..000000000 --- a/source/cloud-cards-1.0-en.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -meta: - edition: "cloud" - component: "cards" - language: "EN" - version: "1.0" -suits: -- - id: "VE" - name: "CLOUD" - cards: - - - id: "CL2" - value: "2" - desc: "The attacker abused overly permissive roles assigned to an application to gain full access to cloud services beyond its intended scope" - stride: [ E ] - ccm: [ IAM-05, IAM-09 ] - mitre_attack: [ T1098.003, T1078.004 ] - cwe: [ CWE-732 ] - capec: [ CAPEC-122 ] - - - id: "CL3" - value: "3" - desc: "The attacker discovered a publicly accessible cloud storage bucket and downloaded sensitive customer data directly from the internet" - stride: [ I ] - ccm: [ DSP-17, IVS-03, LOG-04 ] - mitre_attack: [ T1530 ] - cwe: [ CWE-200 ] - capec: [ CAPEC-545 ] - - - id: "CL4" - value: "4" - desc: "The attacker operated within critical cloud services without triggering alerts by exploiting the absence of audit logs and security monitoring" - stride: [ R ] - ccm: [ LOG-01, LOG-05, LOG-07 ] - mitre_attack: [ T1562.008 ] - capec: [ CAPEC-268 ] - - - id: "CL5" - value: "5" - desc: "An attacker injected malicious code into the cloud Continous Integration/Continous Delivery pipeline by abusing unprotected build variables" - stride: [ T ] - ccm: [ AIS-05, CCC-02, CCC-04 ] - mitre_attack: [ T1195.002 ] - capec: [ CAPEC-242 ] - - - id: "CL6" - value: "6" - desc: "The attacker exploited a poorly protected cloud API to enumerate resources and manipulate backend cloud services" - stride: [ T, I ] - ccm: [ AIS-01, AIS-02, AIS-04, LOG-03 ] - mitre_attack: [ T1528, T1530 ] - capec: [ CAPEC-54 ] - - - id: "CL7" - value: "7" - desc: "The attacker escaped from a compromised container and gained access to the underlying cloud host" - stride: [ E ] - ccm: [ IVS-04, IVS-06 ] - mitre_attack: [ T1611, TA0008 ] - capec: [ CAPEC-480 ] - - - id: "CL8" - value: "8" - desc: "The attacker exploited a shared cloud account without access isolation, using metadata and tags to identify and access resources belonging to multiple 
products" - stride: [ E ] - ccm: [ DSP-04, DSP-17 ] - mitre_attack: [ T1552.005 ] - capec: [ CAPEC-545 ] - - - id: "CL9" - value: "9" - desc: "The attacker pivoted from one compromised cloud account into multiple connected environments using existing trust relationships" - stride: [ E ] - ccm: [ IAM-04, IVS-06 ] - mitre_attack: [ T1021.007, TA0008 ] - capec: [ CAPEC-161 ] - - - id: "CLX" - value: "10" - desc: "The attacker introduced backdoored Infrastructure-as-Code templates into version control, causing vulnerable cloud environments to be deployed at scale" - stride: [ T ] - ccm: [ AIS-04, AIS-06, CCC-06 ] - mitre_attack: [ T1195.001, T1584.004 ] - capec: [ CAPEC-248 ] - - - id: "CLJ" - value: "J" - desc: "The attacker compromised a CI runner and injected malicious code into container images that were automatically promoted to production across all cloud clusters" - stride: [ T ] - ccm: [ IVS-01, IVS-05, CCC-04 ] - mitre_attack: [ T1554, T1195 ] - capec: [ CAPEC-439 ] - - - id: "CLQ" - value: "Q" - desc: "The attacker leveraged a breach in one cloud service to pivot into another by abusing shared identities, pipelines, and secrets" - stride: [ I, E ] - ccm: [ IAM-05, IAM-116 ] - mitre_attack: [ T1195 ] - capec: [ CAPEC-161 ] - - - id: "CLK" - value: "K" - desc: "The attacker compromised the cloud root or break-glass account, gaining irreversible control over billing, identities, and recovery mechanisms" - stride: [ S ] - ccm: [ IAM-01, IAM-02, IAM-09 ] - mitre_attack: [ T1098 ] - capec: [ CAPEC-233 ] - - - id: "CLA" - value: "A" - desc: "You have invented a new attack against Data Validation and Encoding" - misc: "Read more about this topic in OWASP's free Cheat Sheets on Input Validation, XSS Prevention, DOM-based XSS Prevention, SQL Injection Prevention, and Query Parameterization" diff --git a/source/companion-cards-1.0.yaml b/source/companion-cards-1.0.yaml index 799e398a8..c20b3c242 100644 --- a/source/companion-cards-1.0.yaml 
+++ b/source/companion-cards-1.0.yaml 
@@ -153,62 +153,62 @@ suits: id: CLD2 value: 2 url: https://cornucopia.owasp.org/cards/CLD2 - desc: + desc: "Dan can abuse overly permissive roles assigned to an application to gain full access to cloud services beyond its intended scope" - id: CLD3 value: 3 url: https://cornucopia.owasp.org/cards/CLD3 - desc: + desc: "Roupe can discover a publicly accessible cloud storage bucket and downloaded sensitive customer data directly from the internet" - id: CLD4 value: 4 url: https://cornucopia.owasp.org/cards/CLD4 - desc: + desc: "Ryan can operate within critical cloud services without triggering alerts by exploiting the absence of audit logs and security monitoring" - id: CLD5 value: 5 url: https://cornucopia.owasp.org/cards/CLD5 - desc: + desc: "Josh can inject malicious code into the cloud Continous Integration/Continous Delivery pipeline by abusing unprotected build variables" - id: CLD6 value: 6 url: https://cornucopia.owasp.org/cards/CLD6 - desc: + desc: "Monica can exploit a poorly protected cloud API to enumerate resources and manipulate backend cloud services" - id: CLD7 value: 7 url: https://cornucopia.owasp.org/cards/CLD7 - desc: + desc: "Jon can escape from a compromised container and gained access to the underlying cloud host" - id: CLD8 value: 8 url: https://cornucopia.owasp.org/cards/CLD8 - desc: + desc: "Siddharth can exploit a shared cloud account without access isolation, using metadata and tags to identify and access resources belonging to multiple products" - id: CLD9 value: 9 url: https://cornucopia.owasp.org/cards/CLD9 - desc: + desc: "Akash can pivot from one compromised cloud account into multiple connected environments using existing trust relationships" - id: CLDX value: X url: https://cornucopia.owasp.org/cards/CLDX - desc: + desc: "Adrian can introduce backdoored Infrastructure-as-Code templates into version control, causing vulnerable cloud environments to be deployed at scale" - id: CLDJ value: J url: https://cornucopia.owasp.org/cards/CLDJ 
- desc: + desc: "Michael can compromise a CI runner and injected malicious code into container images that were automatically promoted to production across all cloud clusters" - id: CLDQ value: Q url: https://cornucopia.owasp.org/cards/CLDQ - desc: + desc: "Eleftherios can leverage a breach in one cloud service to pivot into another by abusing shared identities, pipelines, and secrets" - id: CLDK value: K url: https://cornucopia.owasp.org/cards/CLDK - desc: + desc: "Daniele can compromise the cloud root or break-glass account, gaining irreversible control over billing, identities, and recovery mechanisms" - id: CLDA value: A diff --git a/source/companion-mappings-1.0.yaml b/source/companion-mappings-1.0.yaml index d5b7fde0c..37be4a70c 100644 --- a/source/companion-mappings-1.0.yaml +++ b/source/companion-mappings-1.0.yaml 
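Review bot: Three of the rewritten descriptions switch the subject to "X can …" but keep the past-tense second verb from the old sentence, so `CLD3`, `CLD7` and `CLDJ` now read "can discover … and downloaded", "can escape … and gained" and "can compromise … and injected"; the second verb should agree with the first, e.g. `desc: "Roupe can discover a publicly accessible cloud storage bucket and download sensitive customer data directly from the internet"`, and likewise `gain access` on `CLD7` and `inject malicious code` on `CLDJ`. `CLD5` still spells `Continous`; the third patch in the series rewords that line but leaves `CLDJ`'s `injected` in place. The `suits:` mapping this hunk edits begins and ends outside the hunk, and the `CLDA` entry's `desc` lies past its last line, so I cannot see whether the Ace text was fixed there.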
@@ -120,50 +120,100 @@ suits: id: CLD2 value: 2 url: https://cornucopia.owasp.org/cards/CLD2 + stride: [ E ] + ccm: [ IAM-05, IAM-09 ] + mitre_attack: [ T1098.003, T1078.004 ] + cwe: [ CWE-732 ] + capec: [ CAPEC-122 ] - id: CLD3 value: 3 url: https://cornucopia.owasp.org/cards/CLD3 + stride: [ I ] + ccm: [ DSP-17, IVS-03, LOG-04 ] + mitre_attack: [ T1530 ] + cwe: [ CWE-200 ] + capec: [ CAPEC-545 ] - id: CLD4 value: 4 url: https://cornucopia.owasp.org/cards/CLD4 + stride: [ R ] + ccm: [ LOG-01, LOG-05, LOG-07 ] + mitre_attack: [ T1562.008 ] + capec: [ CAPEC-268 ] - id: CLD5 value: 5 url: https://cornucopia.owasp.org/cards/CLD5 + stride: [ T ] + ccm: [ AIS-05, CCC-02, CCC-04 ] + mitre_attack: [ T1195.002 ] + capec: [ CAPEC-242 ] - id: CLD6 value: 6 url: https://cornucopia.owasp.org/cards/CLD6 + stride: [ T, I ] + ccm: [ AIS-01, AIS-02, AIS-04, LOG-03 ] + mitre_attack: [ T1528, T1530 ] + capec: [ CAPEC-54 ] - id: CLD7 value: 7 url: https://cornucopia.owasp.org/cards/CLD7 + stride: [ E ] + ccm: [ IVS-04, IVS-06 ] + mitre_attack: [ T1611, TA0008 ] + capec: [ CAPEC-480 ] - id: CLD8 value: 8 url: https://cornucopia.owasp.org/cards/CLD8 + stride: [ E ] + ccm: [ DSP-04, DSP-17 ] + mitre_attack: [ T1552.005 ] + capec: [ CAPEC-545 ] - id: CLD9 value: 9 url: https://cornucopia.owasp.org/cards/CLD9 + stride: [ E ] + ccm: [ IAM-04, IVS-06 ] + mitre_attack: [ T1021.007, TA0008 ] + capec: [ CAPEC-161 ] - id: CLDX value: X url: https://cornucopia.owasp.org/cards/CLDX + stride: [ T ] + ccm: [ AIS-04, AIS-06, CCC-06 ] + mitre_attack: [ T1195.001, T1584.004 ] + capec: [ CAPEC-248 ] - id: CLDJ value: J url: https://cornucopia.owasp.org/cards/CLDJ + stride: [ T ] + ccm: [ IVS-01, IVS-05, CCC-04 ] + mitre_attack: [ T1554, T1195 ] + capec: [ CAPEC-439 ] - id: CLDQ value: Q url: https://cornucopia.owasp.org/cards/CLDQ + stride: [ I, E ] + ccm: [ IAM-05, IAM-116 ] + mitre_attack: [ T1195 ] + capec: [ CAPEC-161 ] - id: CLDK value: K url: https://cornucopia.owasp.org/cards/CLDK + stride: [ S 
] + ccm: [ IAM-01, IAM-02, IAM-09 ] + mitre_attack: [ T1098 ] + capec: [ CAPEC-233 ] - id: SDL name: SSDLC From 9d4d195aead1b00de564edd54ecebd2a112a928a Mon Sep 17 00:00:00 2001 From: Adrian Sroka Date: Fri, 9 Jan 2026 16:51:10 +0100 Subject: [PATCH 3/3] Update descriptions for CLD5 and CLDJ entries Explaining CI terms --- source/companion-cards-1.0.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/companion-cards-1.0.yaml b/source/companion-cards-1.0.yaml index c20b3c242..75bb52aec 100644 --- a/source/companion-cards-1.0.yaml +++ b/source/companion-cards-1.0.yaml @@ -168,7 +168,7 @@ suits: id: CLD5 value: 5 url: https://cornucopia.owasp.org/cards/CLD5 - desc: "Josh can inject malicious code into the cloud Continous Integration/Continous Delivery pipeline by abusing unprotected build variables" + desc: "Josh can inject malicious code into the cloud build or deployment pipeline by abusing unprotected build variables" - id: CLD6 value: 6 @@ -198,7 +198,7 @@ suits: id: CLDJ value: J url: https://cornucopia.owasp.org/cards/CLDJ - desc: "Michael can compromise a CI runner and injected malicious code into container images that were automatically promoted to production across all cloud clusters" + desc: "Michael can compromise a build runner and injected malicious code into container images that were automatically promoted to production across all cloud clusters" - id: CLDQ value: Q
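Review bot: `ccm: [ IAM-05, IAM-116 ]` on `CLDQ` looks like a typo — the CCM v4 IAM domain numbers its controls IAM-01 through IAM-16 — and should be checked against the control actually intended (presumably `IAM-16`). `TA0008` in `mitre_attack` on `CLD7` and `CLD9` is a tactic identifier, not a technique, so a consumer that resolves each entry as a technique ID will fail on it; either drop it or keep tactics out of the technique list. Only `CLD2` and `CLD3` carry a `cwe` key while the other ten cards omit it, and nothing in the hunk marks that as deliberate, so consumers must treat `cwe` as optional or the key should appear on every card (as `cwe: []` where there is none). The hunk ends at `CLDK`, so `CLDA` receives no mapping entry here; if that is intentional it is worth a comment above the suit.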
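Review bot: The new `CLDJ` description still reads "Michael can compromise a build runner and injected malicious code into container images that were automatically promoted…", keeping the past tense of the sentence it replaces; with the subject now in the present, the line should be `desc: "Michael can compromise a build runner and inject malicious code into container images that are automatically promoted to production across all cloud clusters"`. The `CLD5` rewrite reads fine, though the commit message says it explains the CI terms whereas the hunk replaces them with "build or deployment pipeline"; "replacing" would describe the change more accurately.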