TL;DR
Privilege escalation is when users gain access beyond their authorization level. Vertical escalation means becoming an admin. Horizontal escalation means accessing other users' data. It often happens when authorization checks are missing or only enforced in the UI. Always verify permissions server-side for every action and resource access.
The Simple Explanation
A regular user finds a way to do admin things, or to access other users' data. Maybe they change a user ID in the URL. Maybe they call an API endpoint the UI hides from them. Maybe they exploit a bug. The result is the same: they have access they should not have.
Types of Privilege Escalation
| Type | Description | Example |
|---|---|---|
| Vertical | Lower to higher privilege | User becomes admin |
| Horizontal | Same level, different user | User A sees user B's data |
Common Attack Patterns
User viewing their own profile
GET /api/users/123/profile
User changes ID to access another user
GET /api/users/456/profile
If the server does not verify ownership,
attacker sees user 456's private data
Common Vulnerabilities
- IDOR: Insecure direct object references
- Missing auth checks: API trusts the client
- Role manipulation: User can set their own role
- Path traversal: Accessing restricted files
- Parameter tampering: Modifying hidden fields
UI hiding is not security. Just because a button is hidden does not mean the API endpoint is protected. Attackers bypass the UI and call APIs directly. Always enforce authorization server-side.
Prevention Strategies
- Server-side checks: Verify every request
- Least privilege: Minimum necessary permissions
- Ownership verification: Confirm resource belongs to user
- Role-based access: Centralized permission checks
- Audit logging: Track privilege usage
- Regular testing: Pen test for broken access control
Authorization Checklist
- Is the user authenticated?
- Does the user have the required role?
- Does the user own or have access to this resource?
- Is this action allowed for this user on this resource?
What is the difference between vertical and horizontal privilege escalation?
Vertical escalation means gaining higher privileges (user to admin). Horizontal escalation means accessing resources of other users at the same privilege level (user A accessing user B's data). Both are serious but vertical escalation typically enables more damage.
How do privilege escalation attacks happen?
Common causes include IDOR vulnerabilities (manipulating IDs to access other resources), missing authorization checks (UI hides functions but API allows them), insecure direct object references, and exploiting system vulnerabilities to gain elevated OS-level privileges.
How do I prevent privilege escalation?
Always check authorization on the server side, not just in the UI. Verify the current user has permission for every action and resource access. Use the principle of least privilege. Audit authorization logic regularly. Test for IDOR and broken access control vulnerabilities.