Cloud Application Security for CCSP

Sample Practice Questions

1. Question 1

   What is the only data format permitted with the SOAP API?
   1. A. HTML
   2. B. SAML
   3. C. XSML
   4. D. XML
   Explanation

   The correct answer is: D. XML.

   SOAP is bound exclusively to XML; the entire message, including the Envelope, Header, Body, and any Fault element, is structured XML, and the surrounding WSDL contract that describes the service plus the WS-Security extensions that secure it all assume XML on the wire. HTML is a presentation markup designed for rendering web pages in browsers and is not a SOAP payload format under any binding. SAML is an XML-based assertion language used in federated identity and may be carried inside a SOAP message as a security token, but it is not the SOAP message format itself, just content that rides inside it. XSML is not a recognized standard at all and is only included as a distractor with letters reshuffled to resemble XML, so the correct and only permitted SOAP data format is XML.

2. Question 2

   Which data formats are most commonly used with the REST API?
   1. A. JSON and SAML
   2. B. XML and SAML
   3. C. XML and JSON
   4. D. SAML and HTML
   Explanation

   The correct answer is: C. XML and JSON.

   REST APIs are format-agnostic since the architectural style is decoupled from any specific representation, but the two formats overwhelmingly used in practice are JSON, prized for being compact, schema-light, and easy to parse in JavaScript and other modern stacks, and XML, which carries over from earlier service-oriented architectures and supports rich schemas, namespaces, and XSD validation. SAML is a federated-identity assertion format built on XML, not a general API payload format, so pairing it with JSON or XML for REST is incorrect. HTML is a presentation language for browsers and is not used as a structured data interchange format for REST APIs, even though some endpoints may return HTML for human consumption. Only the XML-and-JSON pairing reflects the actual dominant practice for REST endpoints in production systems.

3. Question 3

   Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?
   1. A. Injection
   2. B. Missing function-level access control
   3. C. Cross-site request forgery
   4. D. Cross-site scripting
   Explanation

   The correct answer is: B. Missing function-level access control.

   Missing function-level access control describes an application that enforces authorization only at the front door and then trusts that users invoking inner functions or admin endpoints are entitled to do so, allowing an authenticated low-privilege user to call privileged operations by manipulating URLs, parameters, or hidden function names. Injection involves running attacker payloads through unsafe input handling in an interpreter and is unrelated to authorization. Cross-site request forgery abuses a victim's authenticated browser session to issue unwanted requests but is not about the server skipping its own permission checks. Cross-site scripting executes untrusted script in another user's browser, again unrelated to per-function authorization, leaving missing function-level access control as the correct answer.

4. Question 4

   Which protocol does the REST API depend on?
   1. A. HTTP
   2. B. XML
   3. C. SAML
   4. D. SSH
   Explanation

   The correct answer is: A. HTTP.

   REST is an architectural style fundamentally built on HTTP, leveraging its verbs (GET, POST, PUT, DELETE, PATCH) for CRUD-style operations, URIs as resource identifiers, status codes to convey outcomes, and headers for caching, authentication, and content negotiation; without HTTP the style loses the very mechanisms that define it. XML is a data format used inside REST payloads alongside JSON, but it is not a transport protocol, so REST does not depend on XML at the protocol layer. SAML is an XML-based identity assertion language used in federated single sign-on, unrelated to REST transport. SSH is a secure shell protocol used for remote command execution and file transfer, and is not a web-service protocol, so HTTP is the only correct protocol on which REST depends.

5. Question 5

   Which of the following APIs are most commonly used within a cloud environment?
   1. A. REST and SAML
   2. B. SOAP and REST
   3. C. REST and XML
   4. D. XML and SAML
   Explanation

   The correct answer is: B. SOAP and REST.

   SOAP and REST are the two API styles that dominate cloud integrations: REST is preferred for its simplicity, statelessness, and HTTP-native design that scales horizontally and leverages HTTP caching, while SOAP remains common in enterprise scenarios that require WS-Security message-level protections, transactional guarantees through WS-AtomicTransaction, or formal WSDL contracts for code generation. SAML is an XML-based assertion language for federated identity, not an API style itself, so pairing it with REST is incorrect even though SAML can be carried inside API calls. XML is a data format used by both SOAP and REST payloads but is not itself an API style. Combining XML and SAML produces two non-API items, so SOAP and REST is the only valid pairing.

Other CCSP domains

• Cloud Concepts, Architecture, and Design (97 questions)
• Cloud Data Security (107 questions)
• Cloud Platform and Infrastructure Security (74 questions)
• Cloud Security Operations (48 questions)
• Legal, Risk, and Compliance (115 questions)