
Privilege Escalation
detect, understand, remediate

Privilege escalation occurs when an attacker gains access to resources or functionality beyond their authorized level, either by accessing other users' data (horizontal) or elevating to admin roles (vertical).

No credit card required. Free plan available forever.

Severity: High

CWE ID: CWE-269

OWASP Top 10: A01:2021 – Broken Access Control

CVSS 3.1 Score: 8.8

What is privilege escalation?

Privilege escalation (CWE-269) is a security vulnerability that allows users to gain access to resources or functionality beyond their intended authorization level. It occurs when an application fails to properly enforce access controls, enabling attackers to elevate their permissions from a low-privilege account to an administrative or higher-privilege role. This vulnerability is closely related to broken access control, which tops the OWASP Top 10 list of web application security risks.

There are two primary forms of privilege escalation. Vertical privilege escalation occurs when a user gains access to functionality reserved for higher-privilege roles, such as a standard user accessing administrative panels or modifying system configurations. Horizontal privilege escalation occurs when a user accesses resources belonging to another user at the same privilege level, such as viewing another customer's account details or modifying their data through insecure direct object references.

Privilege escalation is particularly dangerous because it undermines the entire security model of an application. Once an attacker achieves elevated access, they can read sensitive data, modify configurations, create backdoor accounts, and potentially compromise the entire system. In multi-tenant environments, a single privilege escalation vulnerability can expose every tenant's data to an attacker operating from a single account.

How it works

1. Authenticate as low-privilege user

The attacker logs into the application with a standard user account, establishing a valid session and observing the available functionality and API endpoints.

2. Discover access control gap

Through API enumeration, parameter tampering, or source code analysis, the attacker identifies endpoints or actions that lack proper server-side authorization checks.

3. Escalate privileges

The attacker manipulates requests by modifying role parameters, changing user IDs, accessing admin-only endpoints directly, or tampering with JWT claims to gain elevated access.

4. Access admin functions

With escalated privileges, the attacker performs administrative actions: managing users, accessing all data, modifying system settings, or extracting sensitive information.

Common causes

Missing server-side authorization checks

API endpoints and server actions that do not verify the requesting user's role or permissions before executing privileged operations, relying only on UI-level restrictions.

Client-side role validation only

Enforcing access controls by hiding menu items or disabling buttons in the UI without corresponding server-side checks, allowing attackers to call restricted APIs directly.

Parameter and IDOR tampering

Accepting user-controlled parameters (user IDs, role values, tenant identifiers) without verifying that the authenticated user is authorized to access or modify the referenced resource.

Insecure token and session handling

Storing role information in client-accessible JWT claims, cookies, or hidden fields without server-side verification, allowing attackers to modify their own privilege level.

How to detect it

Automated detection

  • SecPortal's authenticated scanner tests for vertical and horizontal privilege escalation by replaying requests across different user roles and checking for unauthorized access
  • API endpoint enumeration discovers hidden admin routes, undocumented endpoints, and actions that are accessible without proper role verification
  • Code scanning identifies API routes missing authorization middleware, permission checks, or role-based access control enforcement in the source code

Manual testing

  • Log in as a regular user and attempt to access administrative URLs, API endpoints, and functions by directly navigating to their paths
  • Modify resource IDs in API requests to access other users' data, testing for horizontal privilege escalation between accounts at the same role level
  • Tamper with JWT tokens, session cookies, and hidden form fields to change role values, user IDs, or permission flags and observe whether the server honours the modifications

How to fix it

Enforce server-side authorization on every request

Implement authorization checks on every API endpoint, page load, and action. Never rely on client-side UI restrictions as a security control. Use middleware or decorators to ensure no endpoint is accidentally left unprotected.

Implement role-based access control (RBAC)

Define clear roles with explicit permissions mapped to every resource and action. Use a centralized authorization framework that is applied consistently across all endpoints.

Apply the principle of least privilege

Grant users the minimum permissions required for their function. Default to deny access and explicitly grant only what is needed. Regularly review and revoke unnecessary permissions.

Validate resource ownership server-side

When accessing resources by ID, always verify that the authenticated user owns or has permission to access the requested resource. Never trust user-supplied identifiers without ownership checks.
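The four fixes above (server-side checks on every action, explicit RBAC, deny by default, ownership validation) in one small in-process dispatcher. This is an added example, not SecPortal's code; ROLE_PERMS, User, require, get_order, set_role and the ORDERS table are assumptions.

```python
from dataclasses import dataclass
from functools import wraps

# Explicit permission matrix. Anything not listed is denied, so a new
# role or a typo in a role name fails closed (least privilege).
ROLE_PERMS = {
    "user": {"order:read_own"},
    "admin": {"order:read_own", "order:read_any", "user:manage"},
}

@dataclass(frozen=True)
class User:
    id: int
    role: str  # resolved server-side from the session, never taken from the client

class Forbidden(Exception):
    pass

def require(permission):
    """Decorator: every decorated action checks the caller's permission on the server."""
    def deco(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if permission not in ROLE_PERMS.get(current_user.role, set()):
                raise Forbidden(f"user {current_user.id} lacks {permission}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return deco

# Constructed sample data: order id -> owning user id and amount.
ORDERS = {101: {"owner": 1, "total": 40}, 102: {"owner": 2, "total": 99}}

@require("order:read_own")
def get_order(current_user, order_id):
    """IDOR-safe read: the id is client-supplied, but ownership is verified
    against server-side data before anything is returned."""
    order = ORDERS.get(order_id)
    may_read_any = "order:read_any" in ROLE_PERMS[current_user.role]
    # Same error for "missing" and "not yours" so responses do not reveal
    # whether another user's order id exists.
    if order is None or not (order["owner"] == current_user.id or may_read_any):
        raise Forbidden(f"order {order_id} not found for user {current_user.id}")
    return order

@require("user:manage")
def set_role(current_user, target_user_id, new_role):
    """Vertical-escalation guard: only holders of user:manage change roles."""
    if new_role not in ROLE_PERMS:
        raise ValueError(f"unknown role {new_role}")
    return {"user": target_user_id, "role": new_role}
```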

Implement comprehensive audit logging

Log all authorization decisions, including denials and privilege changes. Monitor for patterns that indicate privilege escalation attempts, such as repeated access to unauthorized endpoints or rapid role-switching.
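Detection logic for the two patterns named above, run over constructed audit log lines. This is an added example, not SecPortal's code; the JSON log format, field names and thresholds are assumptions.

```python
import json
from collections import defaultdict, deque

DENY_THRESHOLD = 3        # denials from one user within DENY_WINDOW seconds
DENY_WINDOW = 60
ROLE_SWITCH_WINDOW = 300  # two different roles for one user within this window

def detect(lines, deny_threshold=DENY_THRESHOLD, deny_window=DENY_WINDOW,
           role_window=ROLE_SWITCH_WINDOW):
    """Return alerts as (kind, user, ts) tuples. Each line is a JSON record
    with ts (unix seconds, ascending), user, role, endpoint and decision."""
    denials = defaultdict(deque)  # user -> recent denial timestamps
    last_role = {}                # user -> (role, ts) from the previous record
    alerts = []
    for line in lines:
        rec = json.loads(line)
        user, ts = rec["user"], rec["ts"]
        if rec["decision"] == "deny":
            q = denials[user]
            q.append(ts)
            while q and ts - q[0] > deny_window:  # slide the window
                q.popleft()
            if len(q) == deny_threshold:          # fire once per burst
                alerts.append(("repeated_denials", user, ts))
        prev = last_role.get(user)
        if prev and prev[0] != rec["role"] and ts - prev[1] <= role_window:
            alerts.append(("rapid_role_switch", user, ts))
        last_role[user] = (rec["role"], ts)
    return alerts

# Constructed sample log: u7 probes three admin endpoints, then turns up as admin.
SAMPLE_LOG = [
    '{"ts": 1000, "user": "u7", "role": "user", "endpoint": "/admin/users", "decision": "deny"}',
    '{"ts": 1010, "user": "u7", "role": "user", "endpoint": "/admin/config", "decision": "deny"}',
    '{"ts": 1020, "user": "u2", "role": "user", "endpoint": "/orders/55", "decision": "allow"}',
    '{"ts": 1030, "user": "u7", "role": "user", "endpoint": "/admin/export", "decision": "deny"}',
    '{"ts": 1200, "user": "u7", "role": "admin", "endpoint": "/admin/users", "decision": "allow"}',
    '{"ts": 5000, "user": "u2", "role": "user", "endpoint": "/admin/users", "decision": "deny"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single denial from u2 stays below the threshold, so only u7 produces alerts.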

Compliance impact

Detect privilege escalation flaws

SecPortal tests for role-based access control bypasses, parameter tampering, and forced browsing across all authenticated endpoints. Start free.
