Critical Severity
🔴 Vertical Privilege Escalation
🧠 Description
A regular user gains access to higher-privileged functions by manipulating request parameters, headers, or API calls that the server trusts without verifying authorization on its own side. This can give the attacker complete control over the application.
Impact: Full Admin Access, Data Breach, Complete System Compromise
🎯 Attack Surface
- User ID parameter manipulation
- Role/permission headers
- JWT claims modification
- API endpoint access
- Cookie manipulation
🔍 Detection Payloads
role=admin
is_admin=1
"role":"admin"
X-User-Role: admin
🛡️ Mitigation
✅ Verify authorization server-side
✅ Use server-side role checks for all actions
✅ Don't rely on client-side role indicators
✅ Log privilege escalation attempts
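The difference between trusting a client-side role indicator and checking the role server-side, as an added example (not code from the original page): `USER_ROLES`, `Request`, `is_admin_vulnerable`, `is_admin_hardened` and `delete_user` are all assumed, constructed names.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed server-side user store: the only trusted source of roles.
USER_ROLES: Dict[str, str] = {"u-1001": "user", "u-2002": "admin"}

# Constructed audit log; a real service would write to its SIEM/log pipeline.
AUDIT_LOG: List[str] = []


@dataclass
class Request:
    session_user_id: str                      # user bound to the server-side session
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


def client_claims_admin(req: Request) -> bool:
    """Does the request carry any of the client-controlled admin indicators?"""
    return (req.headers.get("X-User-Role") == "admin"
            or req.params.get("role") == "admin"
            or req.params.get("is_admin") == "1")


def is_admin_vulnerable(req: Request) -> bool:
    """Vulnerable: the role is taken from the request, so any user can assert it."""
    return client_claims_admin(req)


def is_admin_hardened(req: Request) -> bool:
    """Hardened: the role comes only from the server-side store keyed by the session user.
    A client-side claim that disagrees with the stored role is logged as an attempt."""
    real_role = USER_ROLES.get(req.session_user_id, "user")
    if client_claims_admin(req) and real_role != "admin":
        AUDIT_LOG.append(f"privilege escalation attempt by {req.session_user_id}")
    return real_role == "admin"


def delete_user(req: Request, target_id: str,
                check: Callable[[Request], bool]) -> str:
    """Admin-only action; the authorization check is injected so both variants can be compared."""
    if not check(req):
        return "403 Forbidden"
    return f"200 deleted {target_id}"
```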