
Offensive360
Advanced · 20 min

Privilege Escalation

Learn how attackers access admin functions as regular users when server-side role checks are missing.

1 Vertical Privilege Escalation

Vertical privilege escalation occurs when a lower-privileged user accesses functions or data reserved for higher-privileged roles (e.g., a regular user accessing admin endpoints).

Client-side-only authorization (vulnerable):

// Frontend hides the admin button for non-admins
// But the API endpoint has no server-side check!
if (user.role === "admin") {
  document.getElementById("admin-btn").style.display = "block";
}

# API endpoint with no role check (Flask; db is the app's data-access layer)
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/api/admin/delete-user", methods=["DELETE"])
def delete_user():
    user_id = request.json["user_id"]
    db.delete_user(user_id)  # Any authenticated user can call this!
    return jsonify({"deleted": user_id})

An attacker simply calls DELETE /api/admin/delete-user directly — the hidden UI element does not protect anything.

IDOR leading to escalation: Accessing /api/users/1/promote where only user ID 1 (an admin) should be able to self-promote, but any user can call it without ownership checks.

2 Proper Authorization Checks

Every sensitive endpoint must perform authorization checks server-side, on every request, regardless of what the client UI shows or hides.

Role-based middleware (Node.js):

// Reusable authorization middleware
function requireRole(...roles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: "Not authenticated" });
    if (!roles.includes(req.user.role)) {
      return res.status(403).json({ error: "Insufficient permissions" });
    }
    next();
  };
}

// Apply to every admin endpoint
// authenticate is the session/token middleware that populates req.user;
// requireRole runs after it and before the handler on every request
app.delete(
  "/api/admin/delete-user",
  authenticate,
  requireRole("admin", "superadmin"),
  deleteUser
);

Defense checklist:

  • Never rely on client-side UI to enforce authorization
  • Check roles/permissions server-side on every request
  • Use middleware that applies consistently to all routes
  • Log all authorization failures for audit
  • Test with lower-privileged accounts during security review
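The two failure modes from section 1 (the unguarded admin endpoint and the /promote IDOR) with the server-side checks from section 2, as an added example that is not the lesson's own code: it runs without Express against constructed requests, and requireOwner, runChain and the auditLog array are assumptions introduced here.

```javascript
// Added example (not the lesson's code); requireOwner, runChain and auditLog are assumptions.
// Express-style role middleware: res is a stub that records the status set on it.
function requireRole(...roles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: "Not authenticated" });
    if (!roles.includes(req.user.role)) {
      return res.status(403).json({ error: "Insufficient permissions" });
    }
    next();
  };
}
// Ownership check for routes like /api/users/:id/promote: the caller must be
// the user named in the path, so the route cannot be aimed at another record.
function requireOwner(paramName) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: "Not authenticated" });
    if (String(req.user.id) !== String(req.params[paramName])) {
      return res.status(403).json({ error: "Not the resource owner" });
    }
    next();
  };
}
// Runs middleware in order and returns the status the client would get: 200 if
// every check called next(), otherwise the status set by the rejecting check.
// Each denial is appended to auditLog (the "log all authorization failures" item).
function runChain(middlewares, req, auditLog = []) {
  let status = 200;
  const res = {
    status(code) { status = code; return this; },
    json(body) {
      auditLog.push({ path: req.path, user: req.user ? req.user.id : null, status, ...body });
      return this;
    },
  };
  for (const mw of middlewares) {
    let advanced = false;
    mw(req, res, () => { advanced = true; });
    if (!advanced) return status;
  }
  return status;
}
// Route chains mirroring the lesson: the admin delete endpoint, and the promote
// route, which requires both the admin role and ownership of the target id.
const adminDelete = [requireRole("admin", "superadmin")];
const promoteUser = [requireRole("admin"), requireOwner("id")];
```

Running the chains with a regular user, an admin and an anonymous request is the "test with lower-privileged accounts" step from the checklist: the regular user gets 403 on both routes, the anonymous request gets 401, and only the admin who owns the id passes /promote.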

Knowledge Check

Q1

Why is hiding UI elements (like admin buttons) insufficient as an authorization control?

Q2

What HTTP status code should a server return when an authenticated user attempts to access a resource they lack permission for?

Q3

What is the most maintainable way to enforce role-based access control in an Express.js API?

Code Exercise

Add Server-Side Role Check

The admin endpoint has no authorization check. Any authenticated user can delete other users. Add a role check that only allows users with role "admin".
