Privilege Escalation means obtaining privileges to access something you should not be able to access. This is the most common vulnerability found in web applications.
- In an access control hierarchy, if you obtain the privileges of another principal at the same level, it is called Horizontal Privilege Escalation.
- For example, one user can access the secret data of another user.
- CSRF is an example of Horizontal Privilege Escalation.
- In an access control hierarchy, if you obtain higher-level privileges, it is called Vertical Privilege Escalation.
- For example, one user can access administrative data.
- It has a comparatively higher impact than Horizontal Privilege Escalation.
Consider a scenario.
https://site.com has a User Dashboard and an Admin Dashboard.
Based on the role (user or admin), different functionality is provided.
The actions a user can perform, listed on the User Dashboard (https://site.com/dashboard), are:
- https://site.com/view_profile
- https://site.com/edit_profile
- https://site.com/change_password
The actions an admin can perform, listed on the Admin Dashboard (https://site.com/admin/dashboard), are:
- https://site.com/admin/view_profile?id=<USER_ID>
- https://site.com/admin/edit_profile?id=<USER_ID>
- https://site.com/admin/change_password?id=<USER_ID>
A normal user will not know the endpoints in the admin dashboard.
If this website has not implemented access control appropriately, it is vulnerable to Privilege Escalation: if a normal user learns those endpoint details, he can send a request such as
https://site.com/admin/view_profile?id=<USER_ID> and he will be able to view the profile, edit the profile, and change the password of any other user. Hiding the admin endpoints is not access control; the server must check the requester's role on every request.
This is an example of Vertical Privilege Escalation.
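The following is an added example, not code from the original page, showing the scenario above in miniature: a vulnerable dispatcher that relies on nobody knowing the admin paths (and that trusts a client-supplied `id` on the user endpoint, which is the horizontal case), next to a hardened dispatcher that keeps an explicit allow-list of which roles may reach which path and denies everything else. The endpoint paths follow the page; the user store, `Request` type and dispatcher functions are assumptions made for the illustration.

```python
"""Vulnerable vs. hardened request dispatch for the dashboard scenario.

Added illustration, not code from the original page. Paths follow the
page's scenario; USERS, Request and the dispatch functions are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed user store: user id -> role and private data (assumption)
USERS = {
    "1001": {"role": "user", "profile": "alice's profile"},
    "1002": {"role": "user", "profile": "bob's profile"},
    "9000": {"role": "admin", "profile": "admin profile"},
}


@dataclass
class Request:
    session_user: str  # id of the authenticated user, taken from the session
    url: str


def _query_id(req):
    """Return the client-supplied ?id= value, or None if absent."""
    return parse_qs(urlparse(req.url).query).get("id", [None])[0]


def vulnerable_dispatch(req):
    """No authorization at all: the admin path is merely undocumented, and the
    user path honours a client-supplied id (horizontal escalation)."""
    path = urlparse(req.url).path
    if path == "/view_profile":
        target = _query_id(req) or req.session_user   # trusts the query string
        return 200, USERS[target]["profile"]
    if path == "/admin/view_profile":
        target = _query_id(req)                       # no role check at all
        return 200, USERS[target]["profile"]
    return 404, "not found"


# Hardened: explicit allow-list of path -> roles permitted; anything else is denied
POLICY = {
    "/view_profile": {"user", "admin"},
    "/admin/view_profile": {"admin"},
}


def hardened_dispatch(req):
    """Deny by default, check the session's role, and derive ownership from the
    session rather than from a client-supplied id."""
    path = urlparse(req.url).path
    allowed_roles = POLICY.get(path)
    if allowed_roles is None:
        return 404, "not found"                       # unknown path: denied
    role = USERS[req.session_user]["role"]
    if role not in allowed_roles:
        return 403, "forbidden"                       # vertical escalation blocked
    if path == "/view_profile":
        # ownership comes from the session; ?id= is ignored (horizontal blocked)
        return 200, USERS[req.session_user]["profile"]
    target = _query_id(req)                           # admin-only branch
    if target not in USERS:
        return 404, "not found"
    return 200, USERS[target]["profile"]


if __name__ == "__main__":
    r = Request("1001", "https://site.com/admin/view_profile?id=1002")
    print("vulnerable:", vulnerable_dispatch(r))   # (200, "bob's profile")
    print("hardened:  ", hardened_dispatch(r))     # (403, 'forbidden')
```

The hardened version makes the page's point concrete: the role check is attached to the resource, not to the dashboard that links to it, so knowing the URL gives a normal user nothing.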
- The impact of this vulnerability depends on what actions the attacker can perform with the escalated privileges. In general, it has a high impact.
- It can leak sensitive data of users and customers.
- It may lead to account takeover.
- If it is Vertical Privilege Escalation, the impact will be very high, as a user can perform administrative actions such as deleting all users, accessing the entire database, etc.
- Follow the principle of least privilege.
- If a resource is only for internal use, deny public access to it.
- Deny access to all resources by default, and grant only the intended access to each resource.
- Keep the system updated.
- Close unnecessary open ports. Stop unused services.
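Beyond the mitigations above, a defender also wants to see attempts in the logs. The following is an added example, not from the original page, that scans access-log lines for the vertical pattern the scenario describes: a session whose role is not admin reaching a path under `/admin/`. A 2xx response means the access control failed; a blocked response is still worth recording, since it shows the endpoint has been discovered. The log format (timestamp, session user id, role from the session, method, URL, status) and the sample lines are constructed for this illustration; in a real application the role has to be joined in from the session store.

```python
"""Detect non-admin sessions reaching admin endpoints in access logs.

Added example, not from the original page. Log format and sample lines are
constructed; ADMIN_PREFIX follows the page's /admin/ dashboard paths.
"""
import re
from urllib.parse import urlparse

# Constructed sample log (assumed format: ts uid=<id> role=<role> METHOD URL STATUS)
SAMPLE_LOG = """\
2024-01-01T10:00:00Z uid=1001 role=user GET /dashboard 200
2024-01-01T10:00:05Z uid=1001 role=user GET /view_profile 200
2024-01-01T10:01:00Z uid=9000 role=admin GET /admin/view_profile?id=1002 200
2024-01-01T10:02:00Z uid=1001 role=user GET /admin/view_profile?id=1002 200
2024-01-01T10:02:30Z uid=1002 role=user POST /admin/change_password?id=1001 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) role=(?P<role>\w+) "
    r"(?P<method>\w+) (?P<url>\S+) (?P<status>\d{3})$"
)

ADMIN_PREFIX = "/admin/"   # admin dashboard paths from the page's scenario


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["status"] = int(event["status"])
        event["path"] = urlparse(event["url"]).path   # strip the query string
        events.append(event)
    return events


def find_escalation_attempts(events):
    """Return (uid, path, severity) for every non-admin hit on an admin path.

    'confirmed' = the server answered 2xx, so the access control failed;
    'blocked'   = the request was refused but the endpoint was discovered.
    """
    findings = []
    for e in events:
        if e["role"] != "admin" and e["path"].startswith(ADMIN_PREFIX):
            severity = "confirmed" if 200 <= e["status"] < 300 else "blocked"
            findings.append((e["uid"], e["path"], severity))
    return findings


if __name__ == "__main__":
    for uid, path, severity in find_escalation_attempts(parse_log(SAMPLE_LOG)):
        print(f"{severity:9s} uid={uid} path={path}")
```

Run against the sample, the scan reports user 1001's successful read of another user's profile through the admin endpoint as confirmed and user 1002's refused password-change request as blocked; the admin's own request is not reported.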