Vertical Privilege Escalation

Vertical Privilege Escalation occurs when a user gains access to functionality or data that should be restricted to users with higher privileges, such as administrators. This typically involves bypassing role-based access controls.

How It Works

The application fails to properly verify user roles before granting access to privileged functions. Attackers can directly access admin endpoints, manipulate role parameters, or exploit flaws in role validation logic.

Example

// Regular user discovers admin endpoint
GET /admin/users          -- Should be restricted!

// Role parameter manipulation
POST /user/update
{"username": "attacker", "role": "admin"}

// Hidden admin parameter
GET /settings?admin=true

// Accessing admin API directly
GET /api/admin/delete-user/123

Common Attack Vectors

  • Direct URL access to admin pages
  • Modifying role/permission fields in requests
  • Tampering with role claims carried in JWTs
  • Session role confusion after privilege changes
  • Bypassing client-side role checks

Prevention

  • Implement server-side role checks on every privileged endpoint
  • Use deny-by-default access control
  • Don't trust client-supplied role information
  • Audit and test all admin functionality
  • Implement proper session invalidation on role changes
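The following added example (not code from the original page) models a tiny in-memory back end and applies the prevention points above to the four requests shown in the Example section: a deny-by-default route table, a server-side role lookup that ignores any client-supplied role field or query parameter, and session invalidation when a role changes. All names (USERS, Session, Request, dispatch, change_role, run_scenarios) and the user data are constructed for illustration, not a real framework's API.

```python
"""Deny-by-default authorization model for vertical privilege escalation
defenses. Added example; every identifier here is an assumption."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed user store: the ONLY source of truth for roles.
USERS: Dict[str, dict] = {
    "alice": {"role": "admin", "role_version": 1, "display_name": "Alice"},
    "bob":   {"role": "user",  "role_version": 1, "display_name": "Bob"},
}
LEVEL = {"user": 1, "admin": 2}   # role hierarchy used by dispatch()


@dataclass
class Session:
    username: str
    role_version: int   # snapshot at login; mismatch means the role changed


@dataclass
class Request:
    method: str
    path: str
    session: Session
    query: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


# Route table: every route carries an explicit required role; anything not
# registered here is denied (deny by default), so /api/admin/... is never
# reachable by accident.
ROUTES: Dict[Tuple[str, str], Tuple[str, Callable]] = {}


def route(method: str, path: str, required_role: str):
    def wrap(fn):
        ROUTES[(method, path)] = (required_role, fn)
        return fn
    return wrap


def authorize(req: Request) -> str:
    """Server-side role check: roles come from USERS, never from the request."""
    user = USERS.get(req.session.username)
    if user is None or user["role_version"] != req.session.role_version:
        raise Forbidden("session invalidated (role changed or user removed)")
    return user["role"]


def dispatch(req: Request):
    entry = ROUTES.get((req.method, req.path))
    if entry is None:
        raise Forbidden("no such route, denied by default")
    required_role, handler = entry
    role = authorize(req)
    if LEVEL[role] < LEVEL[required_role]:
        raise Forbidden(f"{required_role} role required")
    return handler(req)


@route("GET", "/admin/users", "admin")
def list_users(req: Request):
    return sorted(USERS)


@route("POST", "/user/update", "user")
def update_profile(req: Request):
    # Whitelist of editable fields: a client-supplied "role" is simply dropped.
    allowed = {k: v for k, v in req.body.items() if k in {"display_name"}}
    USERS[req.session.username].update(allowed)
    return {"updated": sorted(allowed)}


@route("GET", "/settings", "user")
def settings(req: Request):
    # "?admin=true" has no effect: the decision uses authorize(), not the query.
    return {"admin_panel": authorize(req) == "admin"}


def change_role(username: str, new_role: str) -> None:
    """Admin action: bumping role_version invalidates every existing session."""
    USERS[username]["role"] = new_role
    USERS[username]["role_version"] += 1


def run_scenarios() -> dict:
    """Replay the four requests from the Example section plus a demotion."""
    bob = Session("bob", USERS["bob"]["role_version"])
    alice = Session("alice", USERS["alice"]["role_version"])

    def attempt(req: Request):
        try:
            return dispatch(req)
        except Forbidden as e:
            return f"403 {e}"

    out = {}
    out["bob_admin_users"] = attempt(Request("GET", "/admin/users", bob))
    out["bob_role_tamper"] = attempt(Request(
        "POST", "/user/update", bob, body={"username": "bob", "role": "admin"}))
    out["bob_role_after"] = USERS["bob"]["role"]
    out["bob_hidden_param"] = attempt(Request(
        "GET", "/settings", bob, query={"admin": "true"}))
    out["bob_unlisted_api"] = attempt(Request(
        "GET", "/api/admin/delete-user/123", bob))
    out["alice_admin_users"] = attempt(Request("GET", "/admin/users", alice))
    change_role("alice", "user")   # alice's old session must now be rejected
    out["alice_after_demotion"] = attempt(Request("GET", "/admin/users", alice))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The design choice worth noting is that authorization never reads a role from the request or the session object itself; the session only carries an identity and a version number, and the role is re-fetched from the store on every call. That single lookup is what makes the "role": "admin" body field, the ?admin=true parameter, and the stale admin session all fail in the same way.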

See Also