Horizontal Privilege Escalation

Horizontal Privilege Escalation occurs when an authenticated user gains access to resources or functionality belonging to another user at the same privilege level. Unlike vertical escalation (gaining administrative rights), horizontal escalation targets peer accounts: the attacker's role does not change, only the set of data they can reach.

How It Works

The application authenticates the user but fails to verify that the specific resource being requested belongs to that user. Because object identifiers (user IDs, order numbers, message IDs) are typically sequential or guessable, a regular user can read or modify another regular user's data simply by substituting a different identifier in the request. This pattern is also known as an Insecure Direct Object Reference (IDOR).

Example

// User Alice views her profile
GET /profile?user_id=100  (Alice's ID)

// Alice changes ID to view Bob's profile
GET /profile?user_id=101  (Bob's ID)

// Application checks: "Is the requester logged in?" -- YES
// Application should also check: "Does the logged-in user (100) own the requested profile (user_id=101)?" -- NOT CHECKED

Common Scenarios

  • Viewing other users' private data
  • Modifying other users' settings
  • Accessing other users' orders/transactions
  • Reading private messages between other users

Prevention

  • Always verify resource ownership (authorization), not just that the requester is authenticated
  • Take the acting user's identity from the server-side session, never from client-supplied parameters such as user_id in a query string or form field
  • Implement row-level security so that every query is scoped to the caller's identity in the database, not only in application code
  • Add ownership checks to every lookup: WHERE user_id = current_user.id, and return the same response for "does not exist" and "not yours" so that valid identifiers cannot be enumerated
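The following is an added worked example, not code from the original page, that puts the profile request above and the prevention rules together. It is a minimal profile/orders service over an in-memory SQLite database; the users, orders and the Session class are all constructed for the demo. The vulnerable profile lookup trusts the client-supplied user_id, the hardened version takes the identity from the session, and the order lookup shows the general case where the resource ID is not the user ID and the ownership predicate has to be part of the query.

```python
"""
Added example (not the original page's code): vulnerable vs. hardened
object lookups for horizontal privilege escalation. Data, users and the
Session class are constructed for this demo.
"""
import sqlite3
from typing import Optional

# --- constructed sample data (hypothetical users and orders) ----------------
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    (100, "alice", "alice@example.test"),   # Alice, as in the page's example
    (101, "bob", "bob@example.test"),       # Bob
])
db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
    (555, 100, "alice's laptop"),
    (556, 101, "bob's phone"),
])


class Session:
    """Server-side session as a framework would hand it to a handler.
    The authenticated identity lives here, never in the request."""

    def __init__(self, user_id: int):
        self.user_id = user_id


class NotFound(Exception):
    """Single error for 'does not exist' and 'not yours' (no ID enumeration)."""


def _row(cursor, cols):
    row = cursor.fetchone()
    return dict(zip(cols, row)) if row else None


# --- vulnerable: authentication only, resource chosen by client input -------
def get_profile_vulnerable(session: Optional[Session], query: dict) -> Optional[dict]:
    # "Is the requester logged in?" -- checked
    if session is None:
        raise PermissionError("login required")
    # ...but the row is selected by whatever user_id the client sent,
    # so GET /profile?user_id=101 from Alice returns Bob's profile.
    uid = int(query["user_id"])
    cur = db.execute("SELECT id, name, email FROM users WHERE id = ?", (uid,))
    return _row(cur, ("id", "name", "email"))


# --- hardened: identity from the session, client value ignored --------------
def get_profile_safe(session: Optional[Session], query: dict) -> Optional[dict]:
    if session is None:
        raise PermissionError("login required")
    # query["user_id"] is deliberately not consulted; a user can only ever
    # see their own profile row.
    cur = db.execute("SELECT id, name, email FROM users WHERE id = ?",
                     (session.user_id,))
    return _row(cur, ("id", "name", "email"))


# --- hardened: ownership predicate inside the query for a non-user resource -
def get_order_safe(session: Optional[Session], order_id: int) -> dict:
    if session is None:
        raise PermissionError("login required")
    # WHERE user_id = current_user.id: a foreign order_id matches no row.
    cur = db.execute(
        "SELECT id, user_id, item FROM orders WHERE id = ? AND user_id = ?",
        (order_id, session.user_id),
    )
    order = _row(cur, ("id", "user_id", "item"))
    if order is None:
        # Same response whether the order is missing or belongs to someone
        # else, so the caller cannot probe which IDs are valid.
        raise NotFound(f"order {order_id} not found")
    return order


def order_accessible(session: Session, order_id: int) -> bool:
    """True if the hardened lookup grants access, False if it refuses."""
    try:
        get_order_safe(session, order_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice = Session(100)
    print("vulnerable, Alice asks for user_id=101:",
          get_profile_vulnerable(alice, {"user_id": "101"}))
    print("hardened,   Alice asks for user_id=101:",
          get_profile_safe(alice, {"user_id": "101"}))
    print("Alice reads her order 555:", order_accessible(alice, 555))
    print("Alice reads Bob's order 556:", order_accessible(alice, 556))
```

The important design choice is that the ownership condition is part of the SQL rather than a check bolted on after the row is fetched: a forgotten post-fetch comparison silently becomes an IDOR, whereas a query scoped to `session.user_id` cannot return another user's row at all. Returning one generic "not found" for both missing and foreign resources also keeps valid identifiers from being enumerated by comparing error responses.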

See Also