Privilege escalation occurs when a user with limited permissions gains access to higher-privileged functionality, data, or system operations that they are not authorized to use. In web applications, this usually means bypassing role-based restrictions to become an admin, super-admin, moderator, or system-level user. Privilege escalation is a direct result of flawed access control logic, weak role validation, insecure parameter handling, and inconsistent permission checks.
Privilege escalation is one of the most critical vulnerabilities because it turns a low-privileged user into a high-privileged attacker with full control over the application.
Understanding Privilege Escalation
Privilege escalation attacks fall into two categories:
Horizontal Privilege Escalation
A user accesses another user's resources at the same privilege level.
Example:
User A accesses User B’s messages.
While dangerous, it does not elevate privilege; it violates data separation.
Vertical Privilege Escalation
A low-privileged user escalates into a higher-privileged role.
Example:
A normal user becomes an admin by modifying request parameters.
This is the most damaging form.
How Privilege Escalation Happens in Web Apps
Privilege escalation usually results from:
- missing permission checks
- trusting user-controlled roles
- inconsistent backend validation
- insecure API endpoints
- hidden but unprotected admin features
- modifying roles through insecure parameters
- JWT or cookie manipulation
- poorly designed multi-role logic
Understanding these weaknesses is critical for testing.
Practical Privilege Escalation Discovery Workflow
Step 1: Identify Role-Based Endpoints
Review application sections such as:
- admin dashboards
- user management pages
- billing and invoicing
- content moderation
- system configuration settings
- audit logs
- payment or refund flows
Try accessing these features with a low-privileged user.
Step 2: Modify Role Parameters
Look for parameters in:
- URL
- JSON bodies
- form fields
- cookies
- JWTs
Example JSON request:
{
"username": "mayur",
"role": "user"
}
Modify:
{
"username": "mayur",
"role": "admin"
}
If the server accepts the change → vertical privilege escalation.
Step 3: Test Hidden or Disabled Features
Buttons or forms disabled by JavaScript may still work on the backend.
Remove disabled attributes:
<button disabled>
Run the action again.
If the backend accepts it → privilege escalation.
Step 4: Look for Direct API Access
The frontend may hide admin features, but the APIs behind them often remain reachable.
Try:
GET /api/admin/users
POST /api/admin/create
DELETE /api/admin/user/10
If a normal user can access these, privilege escalation is confirmed.
Step 5: Replay Admin Requests as Normal User
Capture an admin operation in Burp:
POST /admin/deleteUser
Remove admin cookies or replace token with a normal user’s token.
If the operation succeeds, there is no server-side role enforcement.
Step 6: Modify Cookies and Tokens
Check cookies or tokens for role-related values:
role=user
permissions=1
is_admin=false
auth_level=basic
Modify them:
role=admin
permissions=999
is_admin=true
auth_level=superuser
If server trusts this → full privilege escalation.
Step 7: Check JWT Role Manipulation
JWT example:
Header:
{"alg":"none"}
Payload:
{"user":"mayur","role":"user"}
Modify:
{"user":"mayur","role":"admin"}
If the server does not validate the signature, admin access is gained.
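The server-side counterpart to this step, as an added example that is not part of the original article: a minimal HS256 JWT verifier written against the Python standard library. It checks the algorithm against a server-chosen allow-list before touching the signature, so a token with "alg":"none" is rejected outright, and it only parses the payload once the HMAC has been confirmed in constant time. The key, claims and token shapes below are constructed for the demonstration; `mint_token` exists only so the verifier has genuine input to compare against.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a real key is random, long and kept in a secret store.
DEMO_KEY = b"constructed-demo-secret-not-for-production"

# The server decides which algorithms it accepts; the token header never does.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip padding; restore it so the decoder accepts the segment.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 token. Present only so the verifier has real input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when the token is authentic and unexpired, else None.

    Order matters: the algorithm allow-list is checked first, the signature
    second, and the payload is only parsed once the signature is known good.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSON and Unicode decode errors
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None  # "none" or any unexpected algorithm is rejected here
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None  # edited payload or stripped signature
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        return None
    return claims


def demo() -> dict:
    """Run the verifier over a genuine token and the two tamper cases from the article."""
    good = mint_token({"user": "mayur", "role": "user", "exp": 2_000_000_000}, DEMO_KEY)
    # Shape of the bypass attempt described above: alg "none", role edited, empty signature.
    alg_none = (_b64url_encode(b'{"alg":"none"}') + "."
                + _b64url_encode(b'{"user":"mayur","role":"admin"}') + ".")
    # Original signature kept, but the payload segment edited to "admin".
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = _b64url_encode(b'{"user":"mayur","role":"admin","exp":2000000000}')
    retagged = f"{header_b64}.{edited_payload}.{sig_b64}"
    return {
        "genuine": verify_token(good, DEMO_KEY),
        "alg_none": verify_token(alg_none, DEMO_KEY),
        "edited_payload": verify_token(retagged, DEMO_KEY),
    }
```

`demo()` returns the genuine claims for the signed token and `None` for both tampered variants. In a real service the rejected cases should also produce a log line, since a token arriving with `alg: none` is a tampering indicator rather than a client bug.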
Step 8: Check Parameter Pollution
Inject multiple parameter values:
role=user&role=admin
Some frameworks accept the last or the first value, causing privilege escalation.
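To make the "first or last value" ambiguity concrete, here is an added example (not from the original article) using Python's `urllib.parse.parse_qs`, which keeps every repeated value in a list. The two helper functions reproduce how a first-wins and a last-wins framework would each see `role=user&role=admin`; `parse_strict` instead fails closed when a security-relevant parameter is duplicated. The `SENSITIVE` key list and sample query strings are constructed for the illustration.

```python
from urllib.parse import parse_qs

# Parameters whose duplication must never be resolved by "first wins" or
# "last wins". Constructed for the example; match it to the application's fields.
SENSITIVE = {"role", "is_admin", "tenant_id", "user_id", "owner_id"}


class DuplicateParameterError(ValueError):
    """Raised when a security-relevant parameter appears more than once."""


def first_wins(query: str) -> dict:
    """What a framework that keeps the first value would hand the handler."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def last_wins(query: str) -> dict:
    """What a framework that keeps the last value would hand the handler."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_strict(query: str) -> dict:
    """Flatten to single values, but fail closed on duplicated sensitive keys.

    parse_qs keeps every repeated value in a list, which is exactly the
    information a .get()-style accessor discards. Non-sensitive repeats
    (multi-select fields, tag lists) are kept as lists.
    """
    out = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key in SENSITIVE:
            if len(values) != 1:
                raise DuplicateParameterError(f"{key!r} supplied {len(values)} times")
            out[key] = values[0]
        else:
            out[key] = values[0] if len(values) == 1 else values
    return out


def demo() -> dict:
    polluted = "role=user&role=admin&tag=a&tag=b"
    try:
        strict = parse_strict(polluted)
    except DuplicateParameterError as exc:
        strict = f"rejected: {exc}"
    return {
        "first": first_wins(polluted)["role"],
        "last": last_wins(polluted)["role"],
        "strict": strict,
    }
```

Rejecting the duplicate removes the ambiguity, but it is not itself authorization: even a single, well-formed `role` parameter must still be ignored in favour of the role the server holds for the session.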
Step 9: Discover Misconfigured Access Control Lists (ACLs)
If ACLs are inconsistent or weak:
/admin/view_users → protected
/admin/add_user → unprotected
An attacker uses the unprotected endpoint to escalate privileges.
Step 10: Exploit Function-Level Access Control Bugs
Some applications check permissions only on view pages, not on actions.
Example:
View page blocked:
GET /admin
403 Forbidden
Action endpoint allowed:
POST /admin/deleteUser
200 OK
Executing the action still works.
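Steps 4, 5, 9 and 10 share one root cause: authorization is applied per page rather than per request. As an added example (not from the original article), the Python below puts a single deny-by-default gate in front of every request, keyed on method and normalised path. Identity comes only from an opaque session id looked up server-side, so a replayed request without a valid session fails, a route missing from the policy table (such as a forgotten `/admin_old/`) is denied for everyone, and `POST /admin/deleteUser` carries exactly the same check as `GET /admin`. The session store, policy table and routes are constructed for the demonstration.

```python
import logging
from typing import Dict, NamedTuple

log = logging.getLogger("authz")

# Constructed server-side session store: opaque id -> identity. Only the "sid"
# cookie is consulted; a "role=admin" cookie sent alongside is never read.
SESSIONS = {
    "sid-aaaa": {"user": "mayur", "role": "user"},
    "sid-bbbb": {"user": "ops", "role": "admin"},
}

# One policy table covering views and actions alike. (method, path) pairs not
# listed are denied, so a forgotten /admin_old/ or an unlisted DELETE cannot be
# reachable by accident. Numeric path segments are normalised to "{id}".
POLICY = {
    ("GET", "/admin"): {"admin"},
    ("POST", "/admin/deleteUser"): {"admin"},
    ("GET", "/api/admin/users"): {"admin"},
    ("POST", "/api/admin/create"): {"admin"},
    ("DELETE", "/api/admin/user/{id}"): {"admin"},
    ("GET", "/profile"): {"user", "admin"},
}


class Decision(NamedTuple):
    status: int
    reason: str


def normalize(path: str) -> str:
    """Collapse numeric segments and trailing slashes so the policy key is stable."""
    parts = [("{id}" if p.isdigit() else p) for p in path.rstrip("/").split("/")]
    return "/".join(parts) or "/"


def authorize(method: str, path: str, cookies: Dict[str, str]) -> Decision:
    """The single check every request passes before any handler runs."""
    identity = SESSIONS.get(cookies.get("sid", ""))
    if identity is None:
        return Decision(401, "no valid session")
    key = (method.upper(), normalize(path))
    allowed = POLICY.get(key)
    if allowed is None:
        # Unknown route: deny and log. This is also where forced browsing of
        # old or undocumented paths becomes visible to detection.
        log.warning("denied unlisted route %s %s user=%s", key[0], key[1], identity["user"])
        return Decision(403, "route not in policy")
    if identity["role"] not in allowed:
        log.warning("denied %s %s user=%s role=%s", key[0], key[1],
                    identity["user"], identity["role"])
        return Decision(403, "role not permitted")
    return Decision(200, "ok")


def demo() -> Dict[str, int]:
    user = {"sid": "sid-aaaa", "role": "admin"}  # tampered role cookie, ignored
    admin = {"sid": "sid-bbbb"}
    return {
        "user_view_admin": authorize("GET", "/admin", user).status,
        "user_action_admin": authorize("POST", "/admin/deleteUser", user).status,
        "user_delete_api": authorize("DELETE", "/api/admin/user/10", user).status,
        "user_forgotten_route": authorize("GET", "/admin_old/", user).status,
        "replay_without_session": authorize("POST", "/admin/deleteUser", {}).status,
        "admin_action": authorize("POST", "/admin/deleteUser", admin).status,
        "admin_delete_api": authorize("DELETE", "/api/admin/user/10", admin).status,
        "user_profile": authorize("GET", "/profile", user).status,
    }
```

Because the gate runs before routing, there is no way for a new action endpoint to ship without an entry in `POLICY`; the default outcome for an omission is a 403 and a log line rather than an open admin function.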
Practical Privilege Escalation Techniques
1. Modifying API Roles
API accepts arbitrary roles:
PUT /api/users/100
{
"role": "admin"
}
If successful → privilege escalation.
2. Changing Hidden Form Fields
Hidden field:
<input type="hidden" name="role" value="user">
Modify:
<input type="hidden" name="role" value="admin">
Submit → escalate privileges.
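Step 2 and Techniques 1 and 2 are the same defect seen through three transports (JSON body, API PUT, hidden form field): the server copies whatever fields the client sends onto the user record. The Python below is an added example, not code from the original article, of the fix: an update handler that applies a field allow-list, treats `role` as settable only by an administrator whose role is read from the server-side record, and rejects rather than silently drops disallowed fields so each attempt leaves a log trail. The user store, field names and role set are constructed for the demonstration.

```python
import json
from typing import Dict


def sample_store() -> Dict[int, dict]:
    """Constructed user records; in a real service these are database rows."""
    return {
        100: {"username": "mayur", "role": "user", "email": "mayur@example.test"},
        1: {"username": "ops", "role": "admin", "email": "ops@example.test"},
    }


SELF_EDITABLE = {"username", "email"}  # any user, on their own record only
ADMIN_ONLY = {"role"}                  # administrators, on any record
VALID_ROLES = {"user", "moderator", "admin"}


class Forbidden(Exception):
    pass


def update_user(store: Dict[int, dict], caller_id: int, target_id: int, body: str) -> dict:
    """Apply a JSON body of field changes to target_id on behalf of caller_id.

    The caller's role comes from the server-side record. Whether "role" arrives
    in a JSON body, a hidden form field or a query string, it is just another
    key in the parsed changes and gets the same allow-list treatment.
    """
    caller = store[caller_id]
    target = store[target_id]
    changes = json.loads(body)
    if not isinstance(changes, dict):
        raise ValueError("body must be a JSON object")
    is_admin = caller["role"] == "admin"
    if not is_admin and caller_id != target_id:
        raise Forbidden("users may only edit their own record")
    permitted = SELF_EDITABLE | (ADMIN_ONLY if is_admin else set())
    rejected = sorted(set(changes) - permitted)
    if rejected:
        # Reject rather than silently drop: the request is evidence of tampering
        # and the resulting error/log line is what detection keys on.
        raise Forbidden(f"fields not permitted for this caller: {rejected}")
    if "role" in changes and changes["role"] not in VALID_ROLES:
        raise ValueError(f"unknown role {changes['role']!r}")
    target.update(changes)
    return dict(target)


def demo() -> dict:
    store = sample_store()
    result = {}
    # The article's Step 2 request: a normal user sends role=admin for themselves.
    try:
        update_user(store, 100, 100, '{"username": "mayur", "role": "admin"}')
        result["self_promote"] = "accepted"
    except Forbidden as exc:
        result["self_promote"] = f"rejected: {exc}"
    result["role_after_attempt"] = store[100]["role"]
    # Legitimate self-service change and a legitimate admin role change.
    result["email_change"] = update_user(store, 100, 100, '{"email": "new@example.test"}')["email"]
    result["admin_sets_role"] = update_user(store, 1, 100, '{"role": "moderator"}')["role"]
    return result
```

The allow-list is the important part: the handler never enumerates fields to block, so a newly added privileged column is protected by default until someone deliberately adds it to `SELF_EDITABLE` or `ADMIN_ONLY`.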
3. Exploiting Broken Role Validation
If the backend checks only:
if (user.role == "admin")
but takes the role from a cookie or token, an attacker injects the admin role.
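Step 6 and this technique describe cookies such as `role=user` or `is_admin=false` that the server reads back as if they were authoritative. The added example below (not from the original article) takes a detection angle on the same problem: the role used for authorization is always the server-side record, and the role-like cookie values are parsed with Python's `http.cookies.SimpleCookie` only to be compared against that record, with any divergence logged as a tampering indicator. The cookie names come from the article's list; the user record and cookie strings are constructed.

```python
import logging
from http.cookies import SimpleCookie
from typing import Dict, Tuple

log = logging.getLogger("authz.audit")

# Cookie names the article lists as carrying role-like values.
CLAIM_KEYS = {"role", "permissions", "is_admin", "auth_level"}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie: header into a plain dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def audit_cookie_claims(cookie_header: str,
                        server_record: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare role-like cookie values with the server's record; return mismatches.

    Nothing here grants access. The return value feeds logging and alerting:
    a client presenting role=admin while the database says "user" is a
    tampering indicator worth a detection rule even though the value is ignored.
    """
    claimed = parse_cookie_header(cookie_header)
    mismatches = {}
    for key in sorted(CLAIM_KEYS & claimed.keys()):
        expected = str(server_record.get(key))
        if claimed[key] != expected:
            mismatches[key] = (claimed[key], expected)  # (claimed, actual)
    if mismatches:
        log.warning("cookie claim tampering user=%s mismatches=%s",
                    server_record.get("username"), mismatches)
    return mismatches


def effective_role(cookie_header: str, server_record: Dict[str, str]) -> str:
    """The role authorization actually uses: always the server-side record."""
    audit_cookie_claims(cookie_header, server_record)
    return server_record["role"]


def demo() -> dict:
    record = {"username": "mayur", "role": "user", "permissions": "1",
              "is_admin": "false", "auth_level": "basic"}
    honest = "sid=sid-aaaa; role=user; permissions=1; is_admin=false; auth_level=basic"
    tampered = "sid=sid-aaaa; role=admin; permissions=999; is_admin=true; auth_level=superuser"
    return {
        "honest_mismatches": audit_cookie_claims(honest, record),
        "tampered_mismatches": audit_cookie_claims(tampered, record),
        "role_used": effective_role(tampered, record),
    }
```

The longer-term fix is to stop emitting role-bearing cookies at all and keep only an opaque session id; until then, this comparison turns every tampering attempt into a log event rather than a silent no-op.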
4. URL and Endpoint Manipulation
An attacker navigates directly to:
/admin/edit?id=1
even without access to the admin UI.
5. Privilege Escalation Through Forgotten Endpoints
Old or undocumented endpoints:
/admin_old/
/superuser/
/root/
/internal/manage
If accessible, they can elevate the attacker's privileges.
6. Privilege Escalation via SSRF + Internal Admin API
SSRF is used to call internal admin-only endpoints:
http://127.0.0.1/admin/promoteUser?user=attacker
This results in privilege escalation through internal API exposure.
7. Exploiting Role Change Workflows
Some apps allow role change after registration:
POST /upgradeAccount
If the flow lacks proper authorization checks, attackers directly upgrade to premium or admin roles.
8. Business Logic Privilege Escalation
Examples:
- Approve your own transactions
- Assign yourself to restricted projects
- Change owner_id values
- Add yourself to admin-only teams
Logical flaws enable escalation without special payloads.
Advanced Privilege Escalation Scenarios
Token Substitution
Attacker swaps session tokens between users.
If backend misidentifies session owner → privilege escalation.
Session Fixation
Attacker provides a session token during signup or login flow, then hijacks it later.
Multi-Step Privileged Operations
Some workflows:
- Prepare request
- Submit for review
- Approve action
If any step lacks authorization, an attacker escalates privilege.
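The multi-step workflow above and the business-logic cases in item 8 ("approve your own transactions", "assign yourself to restricted projects") are both prevented by re-checking authorization at every transition rather than only at the entry point. The Python below is an added example, not code from the original article: a small prepare/review/approve state machine where each step checks that the transition is valid from the current state (no skipping review), that the actor holds a permitted role, and that separation of duties holds (nobody reviews or approves their own request, and the reviewer cannot also approve). Users, roles and states are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed users -> set of roles. Server-side; never taken from the request.
USERS = {
    "mayur": {"user"},
    "lead": {"reviewer"},
    "cfo": {"approver"},
    "ops": {"reviewer", "approver"},
}

# (current state, action) -> (next state, roles allowed to perform the action)
TRANSITIONS = {
    ("draft", "submit"): ("in_review", {"user", "reviewer", "approver"}),
    ("in_review", "review"): ("reviewed", {"reviewer"}),
    ("reviewed", "approve"): ("approved", {"approver"}),
}


class WorkflowError(Exception):
    pass


@dataclass
class Request:
    requester: str
    state: str = "draft"
    history: List[Tuple[str, str]] = field(default_factory=list)  # (actor, action)


def transition(req: Request, actor: str, action: str) -> str:
    """Move the request one step, re-checking authorization at every step."""
    roles = USERS.get(actor)
    if roles is None:
        raise WorkflowError(f"unknown actor {actor!r}")
    try:
        next_state, allowed = TRANSITIONS[(req.state, action)]
    except KeyError:
        raise WorkflowError(f"{action!r} is not valid from state {req.state!r}") from None
    if not roles & allowed:
        raise WorkflowError(f"roles {sorted(roles)} may not {action}")
    # Separation of duties, checked on every privileged step.
    if action == "submit" and actor != req.requester:
        raise WorkflowError("only the requester submits their own request")
    if action in ("review", "approve") and actor == req.requester:
        raise WorkflowError(f"{actor} cannot {action} their own request")
    reviewers = {who for who, what in req.history if what == "review"}
    if action == "approve" and actor in reviewers:
        raise WorkflowError(f"{actor} reviewed this request and cannot also approve it")
    req.history.append((actor, action))
    req.state = next_state
    return req.state


def attempt(req: Request, actor: str, action: str) -> str:
    """Run a transition and describe the outcome instead of raising."""
    try:
        return f"allowed -> {transition(req, actor, action)}"
    except WorkflowError as exc:
        return f"blocked: {exc}"


def demo() -> dict:
    outcomes = {}
    # Normal path, with the shortcuts an attacker would try along the way.
    req = Request(requester="mayur")
    transition(req, "mayur", "submit")
    outcomes["skip_review"] = attempt(req, "cfo", "approve")       # approve straight from in_review
    transition(req, "lead", "review")
    outcomes["user_approves"] = attempt(req, "mayur", "approve")   # wrong role
    outcomes["reviewer_approves"] = attempt(req, "lead", "approve")
    transition(req, "cfo", "approve")
    outcomes["final_state"] = req.state
    # Self-approval: the approver files a request and tries to approve it.
    own = Request(requester="cfo")
    transition(own, "cfo", "submit")
    transition(own, "lead", "review")
    outcomes["self_approve"] = attempt(own, "cfo", "approve")
    # Same person reviewing and approving.
    dual = Request(requester="mayur")
    transition(dual, "mayur", "submit")
    transition(dual, "ops", "review")
    outcomes["review_then_approve"] = attempt(dual, "ops", "approve")
    return outcomes
```

The `history` list doubles as an audit trail: every accepted step records who did what, which is what an investigator needs when a suspicious approval is reviewed later.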
Cross-Tenant Escalation
In multi-tenant apps:
tenant_id=2 → change to tenant_id=1
If allowed, attacker accesses admin-level data across tenants.
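The cross-tenant case, and the horizontal case from the top of the article (User A reading User B's messages), are both fixed by scoping every lookup to the tenant and owner recorded in the authenticated session rather than to anything in the request. As an added example (not from the original article), the Python below resolves records by `id`, `tenant_id` and, for non-admin roles, `owner` in one predicate taken from the session; a `tenant_id` supplied in the query string is compared against the session only to log the divergence and never influences which data is consulted. Records, sessions and the role names are constructed for the demonstration.

```python
import logging
from typing import Dict

log = logging.getLogger("authz.tenant")

# Constructed records and sessions. tenant_id and owner live on every row.
RECORDS = [
    {"id": 1, "tenant_id": 1, "owner": "alice", "body": "tenant 1 invoice"},
    {"id": 2, "tenant_id": 2, "owner": "mayur", "body": "tenant 2 invoice"},
    {"id": 3, "tenant_id": 2, "owner": "bob", "body": "bob's message"},
]
SESSIONS = {
    "sid-mayur": {"user": "mayur", "tenant_id": 2, "role": "user"},
    "sid-t2admin": {"user": "t2admin", "tenant_id": 2, "role": "admin"},
}


class NotFound(Exception):
    """Used for both 'does not exist' and 'not yours', so enumeration learns nothing."""


def get_record(sid: str, record_id: int, query: Dict[str, str]) -> dict:
    """Fetch a record scoped by the session's tenant and, for plain users, owner.

    A tenant_id in the query string is compared against the session only to log
    a divergence; it never changes which tenant's data is consulted.
    """
    session = SESSIONS[sid]
    requested = query.get("tenant_id")
    if requested is not None and str(requested) != str(session["tenant_id"]):
        log.warning("tenant_id mismatch user=%s session_tenant=%s requested=%s",
                    session["user"], session["tenant_id"], requested)
    for row in RECORDS:
        in_tenant = row["tenant_id"] == session["tenant_id"]
        may_see = session["role"] == "admin" or row["owner"] == session["user"]
        if row["id"] == record_id and in_tenant and may_see:
            return dict(row)
    raise NotFound(record_id)


def demo() -> dict:
    def fetch(sid: str, rid: int, query: Dict[str, str]) -> str:
        try:
            return get_record(sid, rid, query)["body"]
        except NotFound:
            return "404"

    return {
        "own_record": fetch("sid-mayur", 2, {"tenant_id": "2"}),
        "cross_tenant": fetch("sid-mayur", 1, {"tenant_id": "1"}),  # the tenant_id=2 -> 1 change
        "horizontal_same_tenant": fetch("sid-mayur", 3, {}),         # User A reading User B's data
        "tenant_admin_same_tenant": fetch("sid-t2admin", 3, {}),
        "tenant_admin_cross_tenant": fetch("sid-t2admin", 1, {"tenant_id": "1"}),
    }
```

Returning the same 404 for "no such record" and "not your record" keeps the response from confirming which ids exist in another tenant, while the warning log captures the `tenant_id` mismatch for detection.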
Why Privilege Escalation Happens
Underlying causes:
- relying on client-side checks
- incomplete permission validation
- missing backend authorization logic
- predictable role values
- misconfigured endpoints
- inconsistent ACLs
- insecure JWT handling
- trusting cookies or hidden fields
Developers often assume authenticated users behave correctly, but attackers modify every parameter they can.
Impact of Privilege Escalation
Privilege escalation leads to:
- accessing admin dashboards
- modifying or deleting data
- managing other users
- stealing sensitive records
- disabling security controls
- accessing logs and configuration
- performing system-level actions
- creating new admin accounts
- total application takeover
With vertical escalation, one compromised user equals full system compromise.
Intel Dump
- Privilege escalation occurs when users gain access to privileges they should not have.
- Main techniques include modifying roles in requests, manipulating tokens, bypassing UI restrictions, and exploiting unprotected APIs.
- Testing requires parameter tampering, token inspection, hidden field modification, and forced browsing.
- Vertical escalation is the most dangerous, turning normal users into admins.
- Root causes include missing authorization checks, trusting client data, weak ACLs, and insecure role management.
- Impact includes full administrative access, data theft, account takeover, and complete system compromise.