Authorization
Privilege escalation
Gaining higher access than intended.
What it is
A normal user becomes an admin, or one tenant reads another's data, by abusing weak access control (IDOR, missing checks).
How attackers exploit it
Endpoints that trust client-side role checks, sequential IDs without ownership checks, or admin features hidden by URL only.
How to protect against it
- Authorize on the server, every time. Never trust the client.
- Use UUIDs and ownership checks (`WHERE owner_id = $current_user`).
- Store roles in a dedicated table; check via a security-definer function — not on the user/profile row.
- Write tests that prove another user cannot read your data.
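The four protections above, shown side by side in an added example (not code from the original page): an IDOR-prone lookup that skips the ownership check whenever the client claims to be admin, beside a hardened lookup that scopes the query by `owner_id`, reads roles from a dedicated `user_roles` table, and treats "not yours" and "does not exist" identically. The schema, table names and sample rows are constructed for this demo, `has_role` stands in for the security-definer function the page recommends in Postgres, and the last function is the cross-tenant isolation test the final bullet asks for.

```python
import sqlite3
import uuid


class NotFound(Exception):
    """Raised for rows the caller may not see; deliberately identical to 'does not exist'."""


def make_db():
    """Constructed in-memory database: two tenants, one admin, one invoice each (UUID ids)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users      (id TEXT PRIMARY KEY, email TEXT NOT NULL);
        -- Roles live in their own table, never as a column on the user row
        CREATE TABLE user_roles (user_id TEXT NOT NULL, role TEXT NOT NULL,
                                 PRIMARY KEY (user_id, role));
        CREATE TABLE invoices   (id TEXT PRIMARY KEY, owner_id TEXT NOT NULL,
                                 total_cents INTEGER NOT NULL);
        """
    )
    ids = {name: str(uuid.uuid4()) for name in ("alice", "bob", "root", "inv_alice", "inv_bob")}
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        (ids["alice"], "alice@example.test"),
        (ids["bob"], "bob@example.test"),
        (ids["root"], "admin@example.test"),
    ])
    db.execute("INSERT INTO user_roles VALUES (?, 'admin')", (ids["root"],))
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (ids["inv_alice"], ids["alice"], 1200),
        (ids["inv_bob"], ids["bob"], 999),
    ])
    return db, ids


def _row_to_dict(row):
    return {"id": row[0], "owner_id": row[1], "total_cents": row[2]}


def get_invoice_idor(db, invoice_id, current_user_id, client_says_admin=False):
    """VULNERABLE: the ownership check exists but is skipped on a client-supplied admin flag."""
    if client_says_admin:
        sql, args = ("SELECT id, owner_id, total_cents FROM invoices WHERE id = ?",
                     (invoice_id,))
    else:
        sql, args = ("SELECT id, owner_id, total_cents FROM invoices "
                     "WHERE id = ? AND owner_id = ?", (invoice_id, current_user_id))
    row = db.execute(sql, args).fetchone()
    if row is None:
        raise NotFound(invoice_id)
    return _row_to_dict(row)


def has_role(db, user_id, role):
    """Server-side role lookup against the roles table; the client never supplies a role."""
    return db.execute("SELECT 1 FROM user_roles WHERE user_id = ? AND role = ?",
                      (user_id, role)).fetchone() is not None


def get_invoice(db, invoice_id, current_user_id):
    """Hardened: role from the roles table, and non-admins get an ownership-scoped query."""
    if has_role(db, current_user_id, "admin"):
        row = db.execute("SELECT id, owner_id, total_cents FROM invoices WHERE id = ?",
                         (invoice_id,)).fetchone()
    else:
        row = db.execute("SELECT id, owner_id, total_cents FROM invoices "
                         "WHERE id = ? AND owner_id = ?",
                         (invoice_id, current_user_id)).fetchone()
    if row is None:
        # One answer for "not yours" and "no such row": no existence oracle for guessed ids
        raise NotFound(invoice_id)
    return _row_to_dict(row)


def cross_tenant_read_blocked(db, ids):
    """Isolation test: Bob must not be able to read Alice's invoice through the hardened path."""
    try:
        get_invoice(db, ids["inv_alice"], ids["bob"])
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    db, ids = make_db()
    print("IDOR path, Bob claims admin:", get_invoice_idor(db, ids["inv_alice"], ids["bob"], True))
    print("hardened path blocks Bob:", cross_tenant_read_blocked(db, ids))
```

Note that the hardened path puts the ownership predicate in the SQL itself rather than fetching the row and comparing in application code; a later refactor cannot forget the check without also losing the query.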
Reference videos
IDOR — Insecure Direct Object References
PortSwigger
Broken access control
OWASP
Further reading