I was asked this question during an interview while explaining IDOR, and honestly, I hadn't thought deeply about it before. I tried explaining the difference based on what I knew. But afterward, the question stuck with me:

"If I can access data I shouldn't, even if it belongs to a user with the same privilege level, isn't that something a "privileged" account should be able to do? So… does every IDOR become privilege escalation? Or is it the other way around?"

I was confused, and Google did not provide any real answers. So, if, like me, you ever come across this question and cannot find anything substantial, then here's my two cents on it.

To be honest, these two concepts overlap quite a bit. In fact, here's an excerpt from the OWASP Summary of Privilege Escalation:

"horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user)."


That is literally the definition of IDOR. So, here's where I think they differ:

Privilege escalation is really a "business flaw" vulnerability: it stems from a weakness in the application's own authorization design. There are many ways to exploit such a weakness, and IDOR is one of them.

IDOR, on the other hand, is more of a "coding flaw" vulnerability. It arises when developers trust user-supplied input (such as an ID in a request) to directly access internal database records or files without verifying that the requesting user is actually permitted to view them.

So, at a very high level, I think IDOR is a subset of privilege escalation. IDOR often leads to horizontal privilege escalation, because you end up accessing another user's data without proper checks. But not all privilege escalation is IDOR.

For example:

  • Changing your role from "user" to "admin" → privilege escalation (vertical), not IDOR
  • Accessing /api/user/123 instead of /api/user/456 → IDOR, which is one (horizontal) type of privilege escalation
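To make the two examples concrete, here is an added example (not code from the original post) that models the /api/user/<id> lookup: an IDOR-prone handler beside one with an object-level authorization check, plus a role-change guard covering the vertical case. The in-memory user records, roles and function names are constructed for this demo.

```python
# Added example, not code from the original post: a minimal model of the
# /api/user/<id> lookup from the text, showing the IDOR-prone handler
# beside one that enforces an object-level authorization check, plus a
# role-change guard for the vertical case. Records and names are constructed.
from typing import Optional

# Constructed in-memory "database": id -> {"role": ..., "email": ...}
USERS = {
    123: {"role": "user", "email": "alice@example.com"},
    456: {"role": "user", "email": "bob@example.com"},
    1: {"role": "admin", "email": "root@example.com"},
}


def get_user_vulnerable(session_user_id: int, requested_id: int) -> Optional[dict]:
    # IDOR-prone: the id from the URL is trusted as-is, so any logged-in
    # user who swaps 123 for 456 reads another user's record (horizontal).
    return USERS.get(requested_id)


def get_user_fixed(session_user_id: int, requested_id: int) -> Optional[dict]:
    # Object-level authorization: caller must own the record or be admin.
    # "Not found" and "not permitted" both return None so the response
    # does not reveal which ids exist.
    caller = USERS.get(session_user_id)
    target = USERS.get(requested_id)
    if caller is None or target is None:
        return None
    if session_user_id == requested_id or caller["role"] == "admin":
        return target
    return None


def set_role(session_user_id: int, target_id: int, new_role: str) -> bool:
    # Vertical escalation guard: only an admin may change roles. A "user"
    # promoting itself to "admin" is privilege escalation but not IDOR.
    caller = USERS.get(session_user_id)
    if caller is None or caller["role"] != "admin" or target_id not in USERS:
        return False
    USERS[target_id]["role"] = new_role
    return True
```

Note that the fixed lookup scopes access to the authenticated identity rather than to the ID the client supplied, which is the check the vulnerable handler is missing.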

That's my take. I'd be happy to hear yours, too. :)