[{"data":1,"prerenderedAt":301},["ShallowReactive",2],{"blog-glossary/privilege-escalation":3},{"id":4,"title":5,"body":6,"category":276,"date":277,"dateModified":277,"description":278,"draft":279,"extension":280,"faq":281,"featured":279,"headerVariant":285,"image":286,"keywords":286,"meta":287,"navigation":288,"ogDescription":289,"ogTitle":290,"path":291,"readTime":292,"schemaOrg":293,"schemaType":294,"seo":295,"sitemap":296,"stem":297,"tags":298,"twitterCard":299,"__hash__":300},"blog/blog/glossary/privilege-escalation.md","What is Privilege Escalation? Access Control Security",{"type":7,"value":8,"toc":265},"minimark",[9,16,21,24,28,73,77,104,108,143,152,156,194,198,212,234,253],[10,11,12],"tldr",{},[13,14,15],"p",{},"Privilege escalation is when users gain access beyond their authorization level. Vertical escalation means becoming an admin. Horizontal escalation means accessing other users' data. It often happens when authorization checks are missing or only enforced in the UI. Always verify permissions server-side for every action and resource access.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"A regular user finds a way to do admin things, or to access other users' data. Maybe they change a user ID in the URL. Maybe they call an API endpoint the UI hides from them. Maybe they exploit a bug. 
The result is the same: they have access they should not have.",[17,25,27],{"id":26},"types-of-privilege-escalation","Types of Privilege Escalation",[29,30,31,47],"table",{},[32,33,34],"thead",{},[35,36,37,41,44],"tr",{},[38,39,40],"th",{},"Type",[38,42,43],{},"Description",[38,45,46],{},"Example",[48,49,50,62],"tbody",{},[35,51,52,56,59],{},[53,54,55],"td",{},"Vertical",[53,57,58],{},"Lower to higher privilege",[53,60,61],{},"User becomes admin",[35,63,64,67,70],{},[53,65,66],{},"Horizontal",[53,68,69],{},"Same level, different user",[53,71,72],{},"User A sees user B's data",[17,74,76],{"id":75},"common-attack-patterns","Common Attack Patterns",[78,79,81,86,89,93,96,100],"prompt-box",{"title":80},"IDOR example",[82,83,85],"h1",{"id":84},"user-viewing-their-own-profile","User viewing their own profile",[13,87,88],{},"GET /api/users/123/profile",[82,90,92],{"id":91},"user-changes-id-to-access-another-user","User changes ID to access another user",[13,94,95],{},"GET /api/users/456/profile",[82,97,99],{"id":98},"if-the-server-does-not-verify-ownership","If the server does not verify ownership,",[82,101,103],{"id":102},"attacker-sees-user-456s-private-data","attacker sees user 456's private data",[17,105,107],{"id":106},"common-vulnerabilities","Common Vulnerabilities",[109,110,111,119,125,131,137],"ul",{},[112,113,114,118],"li",{},[115,116,117],"strong",{},"IDOR:"," Insecure direct object references",[112,120,121,124],{},[115,122,123],{},"Missing auth checks:"," API trusts the client",[112,126,127,130],{},[115,128,129],{},"Role manipulation:"," User can set their own role",[112,132,133,136],{},[115,134,135],{},"Path traversal:"," Accessing restricted files",[112,138,139,142],{},[115,140,141],{},"Parameter tampering:"," Modifying hidden fields",[144,145,146],"warning-box",{},[13,147,148,151],{},[115,149,150],{},"UI hiding is not security."," Just because a button is hidden does not mean the API endpoint is protected. Attackers bypass the UI and call APIs directly. 
Always enforce authorization server-side.",[17,153,155],{"id":154},"prevention-strategies","Prevention Strategies",[109,157,158,164,170,176,182,188],{},[112,159,160,163],{},[115,161,162],{},"Server-side checks:"," Verify every request",[112,165,166,169],{},[115,167,168],{},"Least privilege:"," Minimum necessary permissions",[112,171,172,175],{},[115,173,174],{},"Ownership verification:"," Confirm resource belongs to user",[112,177,178,181],{},[115,179,180],{},"Role-based access:"," Centralized permission checks",[112,183,184,187],{},[115,185,186],{},"Audit logging:"," Track privilege usage",[112,189,190,193],{},[115,191,192],{},"Regular testing:"," Pen test for broken access control",[17,195,197],{"id":196},"authorization-checklist","Authorization Checklist",[109,199,200,203,206,209],{},[112,201,202],{},"Is the user authenticated?",[112,204,205],{},"Does the user have the required role?",[112,207,208],{},"Does the user own or have access to this resource?",[112,210,211],{},"Is this action allowed for this user on this resource?",[213,214,215,222,228],"faq-section",{},[216,217,219],"faq-item",{"question":218},"What is the difference between vertical and horizontal privilege escalation?",[13,220,221],{},"Vertical escalation means gaining higher privileges (user to admin). Horizontal escalation means accessing resources of other users at the same privilege level (user A accessing user B's data). 
Both are serious, but vertical escalation typically enables more damage.",[216,223,225],{"question":224},"How do privilege escalation attacks happen?",[13,226,227],{},"Common causes include IDOR (manipulating object IDs in a request to reach another user's resources), missing authorization checks (the UI hides a function but the API still serves it), role or parameter tampering (the client can set its own role or edit hidden fields the server trusts), and exploiting system vulnerabilities to gain elevated OS-level privileges.",[216,229,231],{"question":230},"How do I prevent privilege escalation?",[13,232,233],{},"Always check authorization on the server side, not just in the UI. Verify the current user has permission for every action and resource access. Use the principle of least privilege. Audit authorization logic regularly. Test for IDOR and broken access control vulnerabilities.",[235,236,237,243,248],"related-articles",{},[238,239],"related-card",{"description":240,"href":241,"title":242},"Common vulnerability","/blog/glossary/idor","IDOR",[238,244],{"description":245,"href":246,"title":247},"The defense","/blog/glossary/authorization","Authorization",[238,249],{"description":250,"href":251,"title":252},"Identity verification","/blog/glossary/authentication","Authentication",[254,255,258,262],"cta-box",{"href":256,"label":257},"/","Start Free Scan",[17,259,261],{"id":260},"check-your-access-controls","Check Your Access Controls",[13,263,264],{},"Scan for privilege escalation vulnerabilities.",{"title":266,"searchDepth":267,"depth":267,"links":268},"",2,[269,270,271,272,273,274,275],{"id":19,"depth":267,"text":20},{"id":26,"depth":267,"text":27},{"id":75,"depth":267,"text":76},{"id":106,"depth":267,"text":107},{"id":154,"depth":267,"text":155},{"id":196,"depth":267,"text":197},{"id":260,"depth":267,"text":261},"glossary","2026-01-08","Learn what privilege escalation is, how attackers gain elevated access, and how to prevent unauthorized permission elevation in your 
application.",false,"md",[282,283,284],{"question":218,"answer":221},{"question":224,"answer":227},{"question":230,"answer":233},"green",null,{},true,"Privilege escalation lets attackers gain higher permissions than intended. Learn how to prevent it.","What is Privilege Escalation?","/blog/glossary/privilege-escalation","4 min read","[object Object]","DefinedTerm",{"title":5,"description":278},{"loc":291},"blog/glossary/privilege-escalation",[],"summary_large_image","EmOStBmX1LVwULcUjft6J509TWlIrk4p7jLZTp60Cfs",1775843922881]
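The IDOR request pair in "Common Attack Patterns", the "Role manipulation" and "Parameter tampering" items under "Common Vulnerabilities", and the four questions in the "Authorization Checklist" are shown together below as an added example. This is not code from the page; it is a framework-free sketch in which the `USERS` store, the `Session` and `Response` types, the endpoint names in the comments, and the three sample accounts are all constructed for illustration. Each vulnerable handler sits beside its hardened form so the difference is the authorization logic alone.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not from the page): two ordinary users and one admin.
USERS = {
    123: {"role": "user", "email": "alice@example.com", "card_last4": "1111"},
    456: {"role": "user", "email": "bob@example.com", "card_last4": "2222"},
    999: {"role": "admin", "email": "ops@example.com", "card_last4": "0000"},
}

# Fields a user may change on their own profile; "role" is deliberately absent.
EDITABLE_FIELDS = {"email"}
VALID_ROLES = {"user", "admin"}


@dataclass
class Session:
    """Identity the server established at login; None for anonymous callers."""
    user_id: Optional[int]


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def _caller(session):
    """Checklist 1: is the user authenticated? Returns their record or None."""
    return None if session.user_id is None else USERS.get(session.user_id)


# GET /api/users/<id>/profile (hypothetical route)
def get_profile_vulnerable(session, path_user_id):
    """IDOR: trusts the ID in the URL and never asks who is calling."""
    profile = USERS.get(path_user_id)
    return Response(404) if profile is None else Response(200, dict(profile))


def get_profile(session, path_user_id):
    """Hardened: authenticated, then owner-or-admin (checklist 1 to 3)."""
    caller = _caller(session)
    if caller is None:
        return Response(401)
    if session.user_id != path_user_id and caller["role"] != "admin":
        # 404 rather than 403 so the error does not confirm the ID exists.
        return Response(404)
    profile = USERS.get(path_user_id)
    return Response(404) if profile is None else Response(200, dict(profile))


# PATCH /api/users/<id>/profile (hypothetical route)
def update_profile_vulnerable(session, path_user_id, body):
    """Role manipulation: ownership is checked, but every client-supplied
    field is mass-assigned, so body={"role": "admin"} promotes the caller."""
    caller = _caller(session)
    if caller is None or session.user_id != path_user_id:
        return Response(403)
    USERS[path_user_id].update(body)
    return Response(200, dict(USERS[path_user_id]))


def update_profile(session, path_user_id, body):
    """Hardened: ownership check plus an allowlist of editable fields."""
    caller = _caller(session)
    if caller is None:
        return Response(401)
    if session.user_id != path_user_id and caller["role"] != "admin":
        return Response(404)
    unknown = set(body) - EDITABLE_FIELDS
    if unknown:
        # Reject instead of silently dropping, so tampering shows up in logs.
        return Response(400, {"error": f"not editable: {sorted(unknown)}"})
    USERS[path_user_id].update(body)
    return Response(200, dict(USERS[path_user_id]))


# POST /api/admin/users/<id>/role (hypothetical route, hidden from normal users)
def set_role(session, path_user_id, body):
    """Checklist 4: is this action allowed for this user? The UI never shows
    the endpoint to ordinary users, but the server still checks every call."""
    caller = _caller(session)
    if caller is None:
        return Response(401)
    if caller["role"] != "admin":
        return Response(403)
    if path_user_id not in USERS:
        return Response(404)
    if body.get("role") not in VALID_ROLES:
        return Response(400)
    USERS[path_user_id]["role"] = body["role"]
    return Response(200, {"id": path_user_id, "role": body["role"]})


if __name__ == "__main__":
    alice = Session(user_id=123)
    # Horizontal escalation: Alice requests Bob's profile by changing the ID.
    print("vulnerable read:", get_profile_vulnerable(alice, 456).status)
    print("hardened read:  ", get_profile(alice, 456).status)
    # Vertical escalation: Alice calls the hidden admin endpoint directly.
    print("hidden endpoint:", set_role(alice, 123, {"role": "admin"}).status)
    # Vertical escalation via a hidden field the server mass-assigns.
    print("hardened patch: ", update_profile(alice, 123, {"role": "admin"}).status)
    print("vulnerable patch:", update_profile_vulnerable(alice, 123, {"role": "admin"}).body["role"])
```

Two choices are worth noting. The hardened reader returns 404 for a resource the caller may not see, so an attacker enumerating IDs cannot distinguish "does not exist" from "exists but not yours". The hardened updater rejects unknown fields outright rather than ignoring them; a 400 on `role` in the body is an audit-log signal that someone is probing for mass assignment.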