Skip to content

Owasp a01 broken access control #105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
r3k2 wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Owasp a01 broken access control #105

r3k2 wants to merge 5 commits into from

Conversation

@r3k2
Copy link

@r3k2 r3k2 commented Sep 4, 2025

Add OWASP A01:2021 Broken Access Control Experiment

Description

Implements the first OWASP Top 10 (2021) security experiment for Kubernetes environments, testing for broken access control vulnerabilities.

What this does

  • Tests for RBAC bypass attempts across namespaces
  • Verifies if pods can access secrets/configmaps in restricted namespaces (e.g., kube-system)
  • Creates a minimal service account to test unauthorized access patterns
  • Provides clear VULNERABLE/SECURE results for each access attempt

Changes

  • Added experiments_owasp_broken_access_control.go implementing the experiment
  • Added owasp-broken-access-control.yaml example configuration
  • Extended categories to include OWASP framework support
  • Registered the new experiment in the registry

Testing

Successfully tested on my EKS cluster - correctly identifies when RBAC is properly configured (all tests returned SECURE).

OWASP Reference

https://owasp.org/Top10/A01_2021-Broken_Access_Control/

r3k2 added 5 commits August 18, 2025 21:17
@r3k2
Add ConfigMap code injection experiment
114b571 
  Tests if malicious code can be injected and executed via ConfigMaps.
  Attackers could use this to escalate privileges or exfiltrate data from pods that mount untrusted ConfigMaps.
@r3k2
change copyright to myself since doing this from personal git repo
b82ed46
@r3k2
Refactor ConfigMap injection experiment
52f3004 
  - Remove hardcoded script content from Go implementation
  - Make all parameters required (scriptContent, mountPath, targetCommand)
  - Clean up YAML example to be more concise and professional
@r3k2
Add OWASP A01:2021 Broken Access Control experiment
64cda7b 
- Implements OWASP Top 10 A01:2021 vulnerability testing
- Tests RBAC bypass attempts across namespaces
- Verifies if pods can access secrets/configmaps in restricted namespaces
- Adds OWASP framework to categories
- Creates minimal service account to test access controls
@r3k2
Improve OWASP A01 experiment output and validation
f78981f 
- Add OWASP reference URL and timestamps
- Enhance logging to show actual kubectl commands executed
- Add summary section with test completion info
- Improve description for better user understanding
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@r3k2