Glossary
What Is Privilege Escalation?
Privilege escalation is the umbrella class of vulnerabilities in which an attacker uses an existing foothold (a low-privilege user account or an unprivileged process) to obtain privileges beyond those originally granted. Horizontal escalation means the same privilege level but a different user's data or actions; vertical escalation means moving from a lower to a higher privilege tier. Both compound the impact of an initial compromise.
Horizontal vs vertical, with examples
| Horizontal | Vertical |
|---|---|
| BOLA — user A reads user B's resource | Mass assignment setting `isAdmin: true` |
| IDOR — predictable IDs let an attacker enumerate objects | JWT signature bypass — `alg: none` or a weak HMAC secret |
| Cross-tenant data leakage in multi-tenant SaaS | SQL injection that pivots to the `db_owner` role |
| Public API endpoint missing an auth scope check | Container escape from a low-privilege user to host root |
How SQUR detects privilege escalation
For every authenticated endpoint, the validator constructs cross-tenant, cross-user and privilege-tier-elevation requests. If a low-privilege session can read a high-privilege resource or modify high-privilege state, the finding is confirmed, with the before and after privilege state captured as evidence.
Remediation pattern
Apply authorization checks at every layer (controller, service, repository); enforce least privilege on the database side; sign and verify all auth tokens; never trust client-supplied role claims. At the architecture level, separate privileged operations into their own microservice with strict input validation, and audit-log every privilege-changing action.
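The following is an added example, not SQUR's code or any project's own implementation. It shows the remediation pattern above in a minimal in-memory API (object-level and function-level checks in the service layer, an allow-list that drops client-supplied role fields, a signed token whose role is looked up server-side rather than read from the claims, and an audit log for privilege changes) and then runs the cross-user, cross-tenant and tier-elevation probes from the detection section against it. The users, tenants, invoices, `SERVER_SECRET`, and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo secret; a real service loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret"
AUDIT_LOG: list[str] = []


class Forbidden(Exception):
    """Raised on any authorization failure; callers map it to HTTP 403/404."""


@dataclass
class User:
    user_id: str
    tenant_id: str
    role: str  # "user" or "admin"; stored server-side only, never in the token


@dataclass
class Invoice:
    invoice_id: str
    owner_id: str
    tenant_id: str
    amount: int


# Constructed sample data: two tenants, three regular users, one admin.
USERS = {
    "alice": User("alice", "tenant-a", "user"),
    "bob": User("bob", "tenant-a", "user"),
    "carol": User("carol", "tenant-b", "user"),
    "root": User("root", "tenant-a", "admin"),
}
INVOICES = {
    "inv-1": Invoice("inv-1", "alice", "tenant-a", 100),
    "inv-2": Invoice("inv-2", "bob", "tenant-a", 250),
    "inv-3": Invoice("inv-3", "carol", "tenant-b", 999),
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(user_id: str) -> str:
    """Signed token carrying only the identity; no role claim is ever issued."""
    payload = _b64(json.dumps({"sub": user_id}).encode())
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str) -> User:
    """Reject anything without a valid HMAC; resolve the role from server state."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise Forbidden("malformed token")
    expected = _b64(hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise Forbidden("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    user = USERS.get(claims.get("sub"))
    if user is None:
        raise Forbidden("unknown subject")
    return user


def get_invoice(token: str, invoice_id: str) -> Invoice:
    """Object-level check: tenant first, then owner-or-admin; one uniform error."""
    caller = verify_token(token)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != caller.tenant_id:
        raise Forbidden("not found")
    if inv.owner_id != caller.user_id and caller.role != "admin":
        raise Forbidden("not found")
    return inv


ALLOWED_PROFILE_FIELDS = {"display_name", "email"}


def update_profile(token: str, patch: dict) -> dict:
    """Property-level check: only allow-listed fields are applied; role keys are dropped."""
    caller = verify_token(token)
    applied = {k: v for k, v in patch.items() if k in ALLOWED_PROFILE_FIELDS}
    ignored = sorted(set(patch) - ALLOWED_PROFILE_FIELDS)
    return {"user_id": caller.user_id, "applied": applied, "ignored": ignored, "role": caller.role}


def promote_user(token: str, target_id: str) -> str:
    """Function-level check plus audit log for a privilege-changing action."""
    caller = verify_token(token)
    if caller.role != "admin":
        raise Forbidden("admin only")
    USERS[target_id].role = "admin"
    AUDIT_LOG.append(f"{caller.user_id} promoted {target_id} to admin")
    return USERS[target_id].role


def run_escalation_checks() -> dict:
    """Probes modelled on the detection section; True means the attempt was denied."""
    def denied(fn, *args) -> bool:
        try:
            fn(*args)
            return False
        except Forbidden:
            return True

    alice = issue_token("alice")
    forged = alice.split(".")[0] + ".AAAA"  # valid payload, invalid signature
    return {
        "cross_user": denied(get_invoice, alice, "inv-2"),
        "cross_tenant": denied(get_invoice, alice, "inv-3"),
        "mass_assignment": update_profile(alice, {"display_name": "A", "isAdmin": True})["role"] == "user",
        "function_level": denied(promote_user, alice, "bob"),
        "forged_token": denied(get_invoice, forged, "inv-1"),
    }
```

Every check in `run_escalation_checks` should come back `True` for this service; a `False` anywhere is exactly the kind of confirmed finding described above. Note that `get_invoice` returns the same error for a missing object and for an object owned by someone else, so an ID that happens to exist in another tenant is not distinguishable from one that does not exist.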
Frequently asked questions
Which OWASP class does it map to?
OWASP Top 10 A01:2021 "Broken Access Control" is the umbrella category. In the OWASP API Security Top 10, API1 (Broken Object Level Authorization, BOLA), API3 (Broken Object Property Level Authorization, which covers mass assignment) and API5 (Broken Function Level Authorization) are the API-specific manifestations.