Script Valley
JWT & Session Auth: Deep Dive
Role-Based Access Control, Lesson 5.5


missing authorization checks, IDOR vulnerabilities, mass assignment, trusting client-supplied roles, horizontal vs vertical privilege escalation, security testing

Common RBAC Mistakes That Cause Privilege Escalation

RBAC Vulnerabilities

Broken authorization is the most common serious vulnerability class in APIs (it sits at the top of the OWASP API Security Top 10 as Broken Object Level Authorization), and most real findings reduce to one of four recurring patterns.

1. IDOR (Insecure Direct Object Reference): Accessing another user's resource by changing an ID parameter with no ownership check. Covered in the previous lesson - always verify ownership.

2. Missing authorization on write endpoints: Auth middleware applied to GET routes but forgotten on POST/PUT/DELETE, or on a route added after the middleware was wired up. Every route needs an explicit authorization check, not just reads, and the check should fail closed: a route with no role attached should be denied, not silently allowed.

3. Trusting client-supplied roles: Never accept role, isAdmin or similar privilege fields from request bodies. The server assigns the role on creation; changing it later is a separate, admin-authorized operation.

const bcrypt = require('bcrypt');

// VULNERABLE - attacker sends { "email": "x@x.com", "role": "admin" }
// and every field in the body, role included, lands on the new record.
const user = await User.create(req.body);

// SAFE - only pick fields you control
const user = await User.create({
  email: req.body.email,
  passwordHash: await bcrypt.hash(req.body.password, 12),
  role: 'viewer' // always default, never from client
});

4. Mass assignment: The general form of mistake 3. Any write that copies the whole request body into a model ({ ...req.body }, Object.assign(user, req.body), user.update(req.body)) lets the client set fields it should never touch: role, ownerId, isVerified, balance. Whitelist the allowed fields explicitly on every write operation; a blacklist of "dangerous" fields breaks the first time someone adds a new sensitive column.

Testing: use two extra test accounts. A lower-privilege account (viewer when the route is admin-only) exercises vertical escalation; a second account with the same role exercises horizontal escalation against another user's resource IDs. With each of them, try to hit every endpoint your admin account can reach, and treat any 2xx on someone else's resource as a finding. This simple sweep catches the large majority of RBAC issues before production, because the mistakes above are all visible as "a request that should have been denied was not".
