Privilege Escalation
A technique where an attacker gains higher access levels than originally granted, moving from a low-privilege user to an admin or root account.
Privilege escalation occurs when an attacker exploits a vulnerability, design flaw, or configuration weakness to gain access to resources that are normally protected from them. It is commonly divided into two categories: vertical escalation (gaining a higher privilege level, such as user to admin) and horizontal escalation (accessing the resources of another user at the same privilege level). The two often chain: horizontal access to an administrator's data, session, or credentials becomes vertical access.
In web applications, privilege escalation often manifests as Insecure Direct Object References (IDOR), missing function-level access controls, or flawed role-based access control implementations. An attacker might change the user ID in an API request to read another user's data, call an admin-only endpoint that is hidden in the UI but never checks the caller's role, or include a role field in a profile-update request so that it is written to their own account (mass assignment). The common root cause is trusting identifiers or attributes supplied by the client; the fix is to enforce authorization on the server for every request, checking the requested object and action against the authenticated identity rather than against anything in the URL or body.
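The three flaws above, each beside a hardened handler, as an added example that is not APVISO's code or any product's code. The in-memory user store, the `Request` model, and the handler names are constructed for illustration; the hardened versions show the server-side checks the paragraph describes (ownership against the authenticated principal, an allow-list of writable fields, and a role check on the admin-only action). `run_checks()` replays each attack as an ordinary user against both variants.

```python
# Added example (not from the original page): vulnerable vs hardened handlers.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    id: int
    name: str
    role: str          # "user" or "admin"
    email: str


@dataclass
class Request:
    actor_id: int                   # authenticated principal (from the session/token)
    path_id: Optional[int] = None   # object ID from the URL: attacker-controlled
    body: dict = field(default_factory=dict)  # JSON body: attacker-controlled


class Forbidden(Exception):
    pass


def fresh_store() -> Dict[int, User]:
    """Constructed sample data: two ordinary users and one admin."""
    return {
        1: User(1, "alice", "user", "alice@example.com"),
        2: User(2, "bob", "user", "bob@example.com"),
        3: User(3, "root", "admin", "root@example.com"),
    }


# 1. IDOR: the URL's object ID is trusted, so any logged-in user reads any profile.
def get_profile_vulnerable(store, req):
    return store[req.path_id]


def get_profile_hardened(store, req):
    actor = store[req.actor_id]
    if req.path_id != actor.id and actor.role != "admin":
        raise Forbidden("not the owner")  # ownership checked against the principal, not the URL
    return store[req.path_id]


# 2. Mass assignment: every body field is written, so {"role": "admin"} escalates vertically.
def update_profile_vulnerable(store, req):
    user = store[req.actor_id]
    for key, value in req.body.items():
        setattr(user, key, value)
    return user


WRITABLE_FIELDS = {"name", "email"}   # allow-list; "role" and "id" are never client-writable


def update_profile_hardened(store, req):
    user = store[req.actor_id]
    for key, value in req.body.items():
        if key not in WRITABLE_FIELDS:
            raise Forbidden(f"field {key!r} is not writable")
        setattr(user, key, value)
    return user


# 3. Missing function-level access control: the admin link is hidden in the UI,
#    but the endpoint itself never checks the caller's role.
def delete_user_vulnerable(store, req):
    return store.pop(req.path_id)


def delete_user_hardened(store, req):
    if store[req.actor_id].role != "admin":
        raise Forbidden("admin only")
    return store.pop(req.path_id)


def blocked(handler, store, req) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(store, req)
        return False
    except Forbidden:
        return True


def run_checks() -> dict:
    """Replay the three attacks as bob (id 2, role user) against both variants."""
    bob_reads_alice = Request(actor_id=2, path_id=1)
    bob_promotes_self = Request(actor_id=2, body={"role": "admin"})
    bob_deletes_alice = Request(actor_id=2, path_id=1)
    return {
        # horizontal escalation: bob reads alice's profile
        "idor_leaks": get_profile_vulnerable(fresh_store(), bob_reads_alice).email,
        "idor_blocked": blocked(get_profile_hardened, fresh_store(), bob_reads_alice),
        # vertical escalation: bob makes himself admin through the profile body
        "mass_assign_role": update_profile_vulnerable(fresh_store(), bob_promotes_self).role,
        "mass_assign_blocked": blocked(update_profile_hardened, fresh_store(), bob_promotes_self),
        # vertical escalation: bob calls an admin-only function directly
        "delete_succeeds": delete_user_vulnerable(fresh_store(), bob_deletes_alice).name,
        "delete_blocked": blocked(delete_user_hardened, fresh_store(), bob_deletes_alice),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Note that the hardened handlers never consult the URL or body to decide who the caller is; `actor_id` comes only from the authenticated session. The allow-list in `update_profile_hardened` is deliberately a positive list of writable fields rather than a deny-list of sensitive ones, so a newly added privileged attribute is protected by default.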
Privilege escalation is a critical step in most attack chains. An attacker who gains initial access through a low-severity vulnerability can compound the impact significantly by escalating their privileges.
How APVISO tests for this: APVISO's scanner agent systematically tests access controls by manipulating user IDs, role parameters, and API authorization headers. The lead agent coordinates multi-step attacks that chain initial access with privilege escalation to demonstrate real-world impact.
Test your applications for privilege escalation vulnerabilities
APVISO's AI agents automatically test for this and many more vulnerability categories.