July 17, 2026
From User to Admin: The Story of Privilege Escalation
How weak authorization checks turn ordinary users into administrators — and why this remains one of the most critical vulnerabilities in…

By Z3r0D4y
2 min read
How weak authorization checks turn ordinary users into administrators — and why this remains one of the most critical vulnerabilities in web application security.
When people hear the word hacker, they often imagine someone breaking into a system.
But in reality, many attackers don't break in.
They simply log in.
During a security assessment, I created two accounts: one as a normal user and another as an administrator. The application looked secure. Each account had its own dashboard, permissions, and features.
Then I intercepted one request and changed a single parameter.
Suddenly, the normal user was performing an administrator action.
That's the danger of Privilege Escalation.
What is Privilege Escalation?
Privilege Escalation happens when a user gains access to actions or data they shouldn't be allowed to access.
Authentication answers:
Who are you?
Authorization answers:
What are you allowed to do?
Privilege Escalation occurs when authorization fails.
Why Does It Happen?
Many applications only hide admin features in the user interface.
The button disappears.
The menu is hidden.
The page isn't linked.
But if the server doesn't verify permissions, attackers can still send the request manually.
Security should always be enforced on the server — not just in the browser.
Types of Privilege Escalation
Vertical Privilege Escalation
A normal user performs administrator actions.
Example:
GET /admin/usersGET /admin/usersIf the server returns the page without checking the user's role, anyone who knows the URL can access it.
Horizontal Privilege Escalation
A user accesses another user's data while keeping the same role.
Example:
GET /profile?id=1001GET /profile?id=1001Changing it to:
GET /profile?id=1002GET /profile?id=1002may expose another user's profile if the application doesn't verify ownership.
This often overlaps with IDOR (Insecure Direct Object Reference), which we'll explore in the next blog.
How Penetration Testers Find It
Privilege Escalation testing isn't about guessing admin URLs.
It's about comparing different user roles.
During penetration testing, testers often create:
- User account
- Manager account
- Administrator account
Then compare:
- API requests
- HTTP methods
- Cookies
- JWT tokens
- Hidden endpoints
Questions testers ask include:
- Can a normal user delete another account?
- Can a manager access admin APIs?
- Does changing an ID expose another user's data?
- Does the server validate permissions on every request?
This methodology is part of the OWASP Web Security Testing Guide (WSTG) and is widely used during bug bounty assessments.
How Developers Can Prevent It
Privilege Escalation is usually prevented with proper authorization checks.
Some good practices include:
- Validate permissions on every request.
- Never rely on hidden buttons or client-side checks.
- Apply role-based access control (RBAC).
- Verify resource ownership before returning data.
- Test every sensitive endpoint with different user roles.
Remember:
If the server doesn't check permissions, the attacker will.
Final Thoughts
Privilege Escalation isn't about bypassing the login page.
It's about what happens after login.
Many of the highest-impact findings in bug bounty programs and web application security assessments come from applications that authenticate users correctly but fail to authorize their actions.
Sometimes, changing one request is enough to go from a regular user to an administrator.
That's why authorization testing deserves as much attention as authentication.