The term “Privilege Escalation” describes a type of application security vulnerability in which a user has the ability to access information, features, or functionality that they are not entitled to in their role. It is only a concern in applications in which different classes of users (i.e. roles) are granted different permissions within the application, and represents the application’s failure to enforce those permissions properly.
Root Causes of Privilege Escalation Vulnerabilities
Privilege escalation can be caused by a number of design or coding missteps:
- Using the presentation layer as an access control mechanism. That is, assuming that if the controls are not displayed then the user cannot access the associated features.
- Failure to check a user’s permissions at the time of a request.
- Failure to implement the Principle of Least Privilege resulting in excessively privileged accounts by design.
- Misconfiguration of roles and permissions that mistakenly grant excessive permissions to certain users or roles.
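The first three root causes above can be seen side by side in a small request dispatcher. The following is an added illustration, not code from the Affinity IT Security article: the user records, role names, actions and the `Request`/`Response` types are all constructed for the example. The vulnerable handler hides the "delete user" control from non-admin users and assumes that is enough; the hardened handler evaluates a deny-by-default permission map on every request, so a member who submits the request directly is refused regardless of what the menu showed.

```python
"""Added example (not from the original article): relying on the presentation
layer for access control, beside a per-request permission check with a
deny-by-default (least privilege) role map. All data here is constructed."""
from dataclasses import dataclass

# Constructed user records: each user holds exactly one role.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "member"},
}

# Deny-by-default permission map: a role may perform only the actions listed;
# any action absent from a role's set is forbidden (Principle of Least Privilege).
ROLE_PERMISSIONS = {
    "admin": {"view_profile", "delete_user"},
    "member": {"view_profile"},
}


@dataclass
class Request:
    user: str      # authenticated caller
    action: str    # operation requested
    target: str = ""


@dataclass
class Response:
    status: int
    body: str


def render_menu(user: str) -> list[str]:
    """Presentation layer: decides which controls to display for a role."""
    items = ["view_profile"]
    if USERS.get(user, {}).get("role") == "admin":
        items.append("delete_user")
    return items


def execute_action(req: Request, users: dict) -> Response:
    """Business logic with no authorization of its own."""
    if req.action == "view_profile":
        return Response(200, f"profile of {req.user}")
    if req.action == "delete_user":
        users.pop(req.target, None)
        return Response(200, f"deleted {req.target}")
    return Response(404, "unknown action")


# --- Vulnerable: the only "check" is that the menu hid the link -------------
def handle_request_vulnerable(req: Request, users: dict) -> Response:
    # Nothing verifies the caller's role here; a member who sends the
    # delete_user request directly succeeds even though the menu never
    # showed the control.
    return execute_action(req, users)


# --- Hardened: permission evaluated at the time of each request ------------
def is_authorized(user: str, action: str) -> bool:
    """Server-side check consulted on every request, not at render time.
    Unknown users and unknown roles fall through to an empty set (deny)."""
    role = USERS.get(user, {}).get("role")
    return action in ROLE_PERMISSIONS.get(role, set())


def handle_request_secure(req: Request, users: dict) -> Response:
    if not is_authorized(req.user, req.action):
        return Response(403, f"{req.user} is not permitted to {req.action}")
    return execute_action(req, users)


def demo() -> dict:
    """Run the same crafted request through both handlers."""
    crafted = Request(user="bob", action="delete_user", target="alice")
    vuln_users = dict(USERS)
    secure_users = dict(USERS)
    return {
        "menu_for_bob": render_menu("bob"),
        "vulnerable": handle_request_vulnerable(crafted, vuln_users).status,
        "alice_after_vulnerable": "alice" in vuln_users,
        "secure": handle_request_secure(crafted, secure_users).status,
        "alice_after_secure": "alice" in secure_users,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that `render_menu("bob")` omits the delete control in both cases, yet only the hardened dispatcher refuses the request; hiding a control never substitutes for checking the permission when the request arrives.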
Privilege Escalation is a category of security vulnerability that includes certain types of Insecure Direct Object References and Open Forwards, specifically those that result in elevated access or permissions.
For insights into detecting Privilege Escalation vulnerabilities, please review the article entitled “How To Test For Privilege Escalation”.
To learn about avoiding and/or fixing Privilege Escalation vulnerabilities, please see the article entitled “How To Prevent Privilege Escalation”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.