Privilege escalation occurs when an attacker gains access rights beyond what they were originally authorized to have. This can mean a regular user obtaining administrator privileges (vertical escalation) or a user accessing another user's resources at the same privilege level (horizontal escalation). Both forms represent a fundamental breakdown in access control.
How It Works
Vertical privilege escalation targets the boundary between user roles. An attacker with a standard user account attempts to perform administrative actions by directly accessing privileged API endpoints, manipulating role identifiers in requests, or exploiting flaws in role assignment logic. For example, if an application determines user roles based on a client-side cookie or a modifiable JWT claim, an attacker can simply change their role value from "user" to "admin" and gain full administrative access.
Horizontal privilege escalation exploits the boundary between users at the same level. This commonly occurs through insecure direct object references, where an attacker modifies a resource identifier in a request to access another user's data. Changing /api/users/1234/profile to /api/users/1235/profile should be blocked by authorization checks, but many applications only verify that the requester is authenticated, not that they are authorized to access that specific resource.
On operating systems, privilege escalation often exploits misconfigurations such as writable service binaries, SUID/SGID programs, unquoted service paths, or kernel vulnerabilities. In containerized environments, container escape vulnerabilities allow processes to break out of the container's isolation and gain host-level access. Each of these represents a failure in the trust boundaries that should separate privilege levels.
Why It Matters
Privilege escalation transforms a limited compromise into a full system takeover. An attacker who gains a foothold through any initial vulnerability can use privilege escalation to access sensitive data, modify configurations, create backdoor accounts, and move laterally through the environment. Security assessments specifically test privilege boundaries because these controls are often the last line of defense between a minor security issue and a catastrophic breach.
Need your application tested? Get in touch.