{
    "slug": "privilege_escalation",
    "term": "Privilege Escalation",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A flaw that lets a lower-privileged user gain higher access — e.g. trusting an admin role read from a URL parameter.",
    "long": "Privilege escalation occurs when authorisation decisions are based on attacker-controllable data — a URL parameter, POST field, or cookie value — rather than server-side session state. Example: checking $_GET['admin'] === 'true' instead of $_SESSION['role'] === 'admin'. The fix is always to derive permissions exclusively from server-side state that the user cannot tamper with.",
    "aliases": [
        "privesc",
        "privilege elevation",
        "vertical privilege escalation"
    ],
    "tags": [
        "authorisation",
        "owasp-top10",
        "access-control"
    ],
    "misconception": "Privilege escalation requires a separate exploit after initial access. In reality, misconfigured role checks, JWT claim manipulation, and mass assignment vulnerabilities allow direct escalation from a regular user to admin in a single request.",
    "why_it_matters": "An attacker with any foothold in the system can use privilege escalation to become admin: horizontal escalation reaches peer accounts at the same privilege level, vertical escalation gains higher permissions.",
    "common_mistakes": [
        "Storing the user role or is_admin flag in the session without re-verifying against the database on sensitive actions — a role revoked in the database stays cached in the session until it expires.",
        "Not checking ownership when performing actions on resources — user A can modify user B's data by changing the resource ID.",
        "Mass assignment vulnerabilities that allow setting role or is_admin through form fields.",
        "Admin functionality that validates the role only in the UI, not in the server-side handler."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "session",
        "csrf"
    ],
    "prerequisites": [
        "broken_access_control",
        "principle_of_least_privilege",
        "session"
    ],
    "refs": [
        "https://owasp.org/www-project-top-ten/2021/A01_2021-Broken_Access_Control",
        "https://cwe.mitre.org/data/definitions/269.html"
    ],
    "bad_code": "// Role read straight from the JWT payload — editable client-side if the signature is not verified, and stale once the role changes server-side\n\\$role = \\$jwtPayload['role']; // never trust client-supplied roles\nif (\\$role === 'admin') { grantAdminAccess(); }",
    "good_code": "// Always fetch authoritative role from the database\n\\$user = User::findOrFail(\\$jwtPayload['sub']); // look up by ID only\nif (\\$user->role === 'admin') { grantAdminAccess(); }\n\n// Or use signed, server-verified JWT with short expiry\n// Never embed mutable authorisation claims in long-lived tokens",
    "quick_fix": "Verify the authenticated user's role/permission on every sensitive action server-side — never trust client-supplied role claims",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/privilege_escalation",
        "html_url": "https://codeclaritylab.com/glossary/privilege_escalation",
        "json_url": "https://codeclaritylab.com/glossary/privilege_escalation.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Privilege Escalation](https://codeclaritylab.com/glossary/privilege_escalation) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/privilege_escalation"
            }
        }
    }
}