Privilege escalation: how attackers gain higher permissions
vertical privilege escalation, horizontal privilege escalation, role parameter tampering, forced browsing, function-level access control, audit logging
Privilege Escalation
Privilege escalation is gaining access or permissions beyond what the application intended to grant. Vertical escalation means gaining a higher role (user to admin). Horizontal escalation means accessing another user's data at the same privilege level (the IDOR class of bug).
Common Vertical Escalation Patterns
Role parameter tampering: An API accepts a role field during registration or profile update and the server trusts it without restriction.
Missing function-level access control: Admin endpoints exist and work but aren't linked in the UI. Attackers enumerate predictable paths like /admin, /api/admin/users.
JWT claim tampering: Covered in lesson 4.2; the `alg: none` attack lets a forged token carry a modified role claim.
Secure Pattern: Server-Side Role Assignment Only
```javascript
// Both handlers assume an Express app with JSON body parsing and a User model
// (e.g. a Mongoose model) already defined by the application.
const express = require('express');
const bcrypt = require('bcrypt');
const app = express();
app.use(express.json());

// VULNERABLE — trusts user-submitted role
app.post('/register', async (req, res) => {
  const { email, password, role } = req.body; // attacker sends role: 'admin'
  await User.create({ email, password: await bcrypt.hash(password, 12), role });
  res.sendStatus(201);
});

// SAFE — role is always assigned server-side
app.post('/register', async (req, res) => {
  const { email, password } = req.body;
  await User.create({
    email,
    password: await bcrypt.hash(password, 12),
    role: 'user' // Hard-coded, never from user input
  });
  res.sendStatus(201);
});
```

Audit Logging
Log every role change, permission grant, and admin action with timestamp, actor user ID, and target resource. This doesn't prevent escalation but is essential for detecting and investigating it. Use a structured log format (JSON) so logs are queryable.
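The two defences above, function-level access control on an admin endpoint and a structured audit record for every role change, combined in one added example (not code from the lesson). The route, the role allowlist, the `users` Map and a `req.user` set by an upstream authentication middleware are all assumptions.

```javascript
// Added example (not from the lesson): function-level access control plus a
// structured audit record for role changes. Route and names are assumed;
// req.user is assumed to be set by an authentication middleware upstream.

// Allowlist of roles the server is willing to assign. Nothing outside it is
// accepted, whatever the request body claims.
const ALLOWED_ROLES = ['user', 'support', 'admin'];

// Middleware factory: the endpoint works only for the roles listed, so an
// unlinked admin path stays protected even when its URL is guessed.
function requireRole(...allowed) {
  return (req, res, next) => {
    const role = req.user && req.user.role;
    if (!role) return res.status(401).json({ error: 'unauthenticated' });
    if (!allowed.includes(role)) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// One JSON-serialisable audit record: who did what to whom, and the change.
function auditEntry({ action, actorId, targetId, before, after, now = () => new Date() }) {
  return { ts: now().toISOString(), action, actor: actorId, target: targetId, before, after };
}

// Admin-only handler that changes a user's role. `users` is a Map keyed by
// user id; `sink` collects serialised audit lines (stdout, a file, a SIEM).
function changeRoleHandler(users, sink) {
  return (req, res) => {
    const { role } = req.body;
    if (!ALLOWED_ROLES.includes(role)) return res.status(400).json({ error: 'invalid role' });
    const target = users.get(req.params.id);
    if (!target) return res.status(404).json({ error: 'not found' });
    const entry = auditEntry({ action: 'role.change', actorId: req.user.id,
                               targetId: target.id, before: target.role, after: role });
    target.role = role;
    sink.push(JSON.stringify(entry)); // recorded before the response goes out
    return res.status(200).json({ id: target.id, role: target.role });
  };
}

// Minimal stand-in for Express's res so the handlers can be exercised offline.
function fakeRes() {
  const r = { statusCode: 200, body: undefined };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}

// Wiring in a real app (assumed route):
// app.patch('/api/admin/users/:id/role', requireRole('admin'), changeRoleHandler(users, auditSink));
```

Because each audit line is a self-contained JSON object with actor, target and before/after values, a query such as "all role changes to admin in the last hour" is a simple filter rather than a log-parsing exercise.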
