Learn how to test for privilege escalation — both horizontal (cross-user) and vertical (role elevation) in web apps, plus OS-level privesc after a foothold — with a clear methodology and checks.
Enumerate roles and what each can do. Create accounts at each privilege level and record the exact requests/UI each role is allowed to perform. This baseline defines what "escalation" means.
Roles: anonymous, user, manager, admin.
For each role, capture allowed endpoints and parameters.
Note admin-only actions you will later try as a low-priv user.
As one user, try to access or modify another same-level user's resources by changing identifiers (this overlaps with IDOR/BOLA). Confirm authorization is bound to the session, not client input.
GET /api/users/{otherId}/settings (as a different user)
POST /api/messages {"as": "{otherUserEmail}"} (send or act on behalf of a peer)
Swap account_id / tenant_id to a peer's value.
As a low-privilege user, attempt admin-only actions directly. Look for missing server-side role checks, client-side-only gating, and mass-assignment of role/permission fields.
POST /api/admin/users (call admin endpoint as a normal user)
PATCH /api/users/me {"role": "admin"} (mass assignment)
Set hidden field isAdmin=true / permissions=["*"].
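The horizontal and vertical checks above, run as one replay harness. This is an added example, not code from the page: the target is a constructed in-memory stand-in (`FakeTarget`) with three planted authorization bugs so the harness has something to find, and the role names, paths, tokens and user ids are assumptions. To use it for real, replace `FakeTarget.request` with an HTTP client call carrying the captured session tokens from the baseline step.

```python
"""Authorization-matrix replay harness for horizontal and vertical privilege
escalation testing (added example). Every check compares what a session could
do against what the role baseline says it may do."""
from dataclasses import dataclass
from typing import Optional

ROLE_RANK = {"anonymous": 0, "user": 1, "manager": 2, "admin": 3}


class FakeTarget:
    """Constructed stand-in for the application under test, with deliberate bugs:
    (1) GET /api/users/{id}/settings never checks that {id} belongs to the caller,
    (2) PATCH /api/users/me copies every JSON field onto the record, role included,
    (3) /admin/dashboard has no role check; /api/admin/users is checked correctly."""

    def __init__(self):
        self.users = {
            "alice": {"id": 1, "role": "user", "settings": {"theme": "dark"}},
            "bob": {"id": 2, "role": "user", "settings": {"theme": "light"}},
            "mia": {"id": 3, "role": "manager", "settings": {}},
            "root": {"id": 4, "role": "admin", "settings": {}},
        }
        self.tokens = {"tok-alice": "alice", "tok-bob": "bob", "tok-mia": "mia", "tok-root": "root"}

    def request(self, method, path, token=None, body=None):
        caller = self.users.get(self.tokens.get(token, ""))
        if caller is None:
            return 401, {"error": "authentication required"}
        parts = path.strip("/").split("/")
        if method == "GET" and len(parts) == 4 and parts[:2] == ["api", "users"] and parts[3] == "settings":
            target = next((u for u in self.users.values() if str(u["id"]) == parts[2]), None)
            return (200, target["settings"]) if target else (404, {})  # bug 1: no ownership check
        if method == "PATCH" and path == "/api/users/me":
            caller.update(body or {})  # bug 2: mass assignment of role
            return 200, {"role": caller["role"]}
        if method == "POST" and path == "/api/admin/users":
            return (201, {"created": True}) if caller["role"] == "admin" else (403, {})
        if method == "GET" and path == "/admin/dashboard":
            return 200, {"stats": "..."}  # bug 3: no role check on the forced-browse route
        return 404, {}


@dataclass
class Session:
    role: str
    token: Optional[str]
    user_id: Optional[int] = None


@dataclass
class Action:
    method: str
    path: str
    min_role: str  # lowest role the baseline says may perform it
    body: Optional[dict] = None


# Baseline from step 1: one session per role (assumed tokens) and the admin-only actions.
SESSIONS = [
    Session("anonymous", None),
    Session("user", "tok-alice", 1),
    Session("user", "tok-bob", 2),
    Session("manager", "tok-mia", 3),
    Session("admin", "tok-root", 4),
]
ADMIN_ACTIONS = [
    Action("POST", "/api/admin/users", "admin", {"email": "new@example.test"}),
    Action("GET", "/admin/dashboard", "manager"),
]


def vertical_findings(target, sessions, actions):
    """Replay each action with every session below its minimum role; a 2xx means a missing server-side check."""
    findings = []
    for act in actions:
        for s in sessions:
            if ROLE_RANK[s.role] >= ROLE_RANK[act.min_role]:
                continue
            status, _ = target.request(act.method, act.path, s.token, act.body)
            if 200 <= status < 300:
                findings.append({"start": s.role, "action": f"{act.method} {act.path}", "reached": act.min_role})
    return findings


def horizontal_findings(target, sessions):
    """Each user reads a same-role peer's settings; a 2xx means authz is bound to the URL id, not the session."""
    findings = []
    users = [s for s in sessions if s.user_id is not None]
    for a in users:
        for b in users:
            if a is b or a.role != b.role:
                continue
            status, _ = target.request("GET", f"/api/users/{b.user_id}/settings", a.token)
            if 200 <= status < 300:
                findings.append({"start": a.role, "action": f"GET /api/users/{b.user_id}/settings",
                                 "reached": f"peer user {b.user_id}"})
    return findings


def mass_assignment_probe(target, session):
    """PATCH role=admin onto the caller's own profile, then retry an admin-only action to prove the elevation."""
    target.request("PATCH", "/api/users/me", session.token, {"role": "admin"})
    status, _ = target.request("POST", "/api/admin/users", session.token, {"email": "x@example.test"})
    if 200 <= status < 300:
        return {"start": session.role, "action": 'PATCH /api/users/me {"role":"admin"}', "reached": "admin"}
    return None


if __name__ == "__main__":
    for f in vertical_findings(FakeTarget(), SESSIONS, ADMIN_ACTIONS) + horizontal_findings(FakeTarget(), SESSIONS):
        print(f)
    print(mass_assignment_probe(FakeTarget(), SESSIONS[1]))
```

Each finding already carries the three fields the report step asks for (starting role, action, privilege reached). Use a fresh target instance per probe: the mass-assignment probe mutates state, and a role change that persists would pollute the vertical matrix run after it.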
Access admin routes by guessing/forcing URLs, replay captured admin requests with your low-priv token, and tamper with role-bearing parameters, cookies, or JWT claims.
Force-browse: /admin, /admin/dashboard, /internal/*
Replay an admin request with your own session token.
Tamper cookie role=admin or JWT claim {"role":"admin"} (a tampered JWT only works if the server skips signature verification or accepts an unsigned token).
If you have command execution or a shell, enumerate the host for escalation paths: SUID binaries, sudo rules, writable cron/services, kernel version, and stored credentials. Stabilize the shell first.
sudo -l ; find / -perm -4000 -type f 2>/dev/null
cat /etc/crontab ; getcap -r / 2>/dev/null
Upgrade the shell to a full TTY before enumerating.
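The host enumeration above as reusable shell functions. This is an added example, not the page's script: each function takes an optional root directory so it can be exercised against a test tree, and on a real host is called with no argument. The `sudo -n` flag is used so the check never hangs on a password prompt in an unstable shell.

```shell
#!/bin/sh
# Post-foothold enumeration helpers (added example). Stabilise the shell before
# running them, e.g.  python3 -c 'import pty; pty.spawn("/bin/bash")'  then
# Ctrl-Z,  stty raw -echo; fg  and  export TERM=xterm.
set -u

# Setuid and setgid files: the page's find -perm -4000 plus -perm -2000, staying
# on one filesystem (-xdev) so /proc and network mounts are skipped.
find_suid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Cron entries and systemd units the current user can write: a writable job
# runs your code as whoever the scheduler runs it as, usually root.
find_writable_cron() {
  root="${1:-}"
  for d in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/systemd/system; do
    [ -e "$root$d" ] && find "$root$d" -writable 2>/dev/null
  done
  return 0
}

# sudo rules that need no password; -n never prompts, so it is safe in a dumb shell.
sudo_nopasswd() {
  sudo -n -l 2>/dev/null | grep -E 'NOPASSWD' || true
}

# File capabilities; getcap is absent on minimal images, so report that instead of failing.
find_caps() {
  command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 0; }
  getcap -r "${1:-/}" 2>/dev/null
}

# Stored credentials: readable shadow file, root's history, and world-readable private keys.
find_cred_files() {
  root="${1:-}"
  for f in /etc/shadow /root/.bash_history /root/.ssh/id_rsa; do
    [ -r "$root$f" ] && echo "readable: $root$f"
  done
  find "${root:-/}" -xdev -maxdepth 4 -type f -name 'id_*' -perm -004 2>/dev/null
  return 0
}

# One-shot summary; kernel version feeds the exploit-suggester step.
enum_all() {
  echo "== kernel =="; uname -r
  echo "== sudo NOPASSWD =="; sudo_nopasswd
  echo "== suid/sgid =="; find_suid "${1:-/}"
  echo "== writable cron/services =="; find_writable_cron "${1:-}"
  echo "== capabilities =="; find_caps "${1:-/}"
  echo "== credential files =="; find_cred_files "${1:-}"
}
```

Treat the output as leads, not findings: a SUID binary is only interesting if it is not part of the distribution baseline or is a known GTFOBins candidate, and a writable unit file only matters if the service is actually started by root.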
Demonstrate access or actions beyond your assigned privilege with a minimal reproduction, then record the path. Recommend server-side authorization on every action and removing client-trusted role data.
Document: starting role, action performed, target privilege reached.
Fix: enforce RBAC server-side per request; never trust client role/permission fields.
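The server-side fix recommended above, as an added example (not the page's or any framework's code). Handlers receive a `session` dict that the server built from its own session store or from a JWT whose signature it has already verified; role and user id never come from the request body, a cookie value, or the URL. The handler names, the `SELF_WRITABLE` allowlist and the sample records are assumptions.

```python
"""Per-request RBAC, ownership binding, and a field allowlist for self-updates
(added example). Every handler is wrapped, not only the ones that look sensitive."""
import functools

ROLE_RANK = {"anonymous": 0, "user": 1, "manager": 2, "admin": 3}
# Profile fields a caller may set on themselves. role, isAdmin and permissions are
# deliberately absent, which closes the mass-assignment path.
SELF_WRITABLE = {"display_name", "theme"}


class Forbidden(Exception):
    """Raised on every denied request; the HTTP layer maps it to 403."""


def require_role(min_role):
    """Per-request RBAC check; the role is read from the server-side session only."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(session, *args, **kwargs):
            if ROLE_RANK.get(session.get("role"), 0) < ROLE_RANK[min_role]:
                raise Forbidden(f"{handler.__name__} requires {min_role}")
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def create_user(session, db, body):
    new_id = max(db) + 1
    db[new_id] = {"role": "user", "settings": {}, "email": body["email"]}
    return new_id


@require_role("manager")
def admin_dashboard(session, db):
    return {"users": len(db)}


@require_role("user")
def get_settings(session, db, user_id):
    """Horizontal check: the id in the URL must match the session unless the caller is admin."""
    if user_id != session["user_id"] and session["role"] != "admin":
        raise Forbidden("not the owner")
    return db[user_id]["settings"]


@require_role("user")
def patch_me(session, db, body):
    """Reject, rather than silently drop, fields outside the allowlist so tampering shows up in logs."""
    unexpected = set(body) - SELF_WRITABLE
    if unexpected:
        raise Forbidden(f"fields not writable by the caller: {sorted(unexpected)}")
    db[session["user_id"]]["settings"].update(body)
    return db[session["user_id"]]


def denied(handler, *args):
    """True if the handler refuses the call; lets negative cases be checked as plain booleans."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True


def sample_db():
    """Constructed records for demonstration."""
    return {
        1: {"role": "user", "settings": {"theme": "dark"}},
        2: {"role": "user", "settings": {"theme": "light"}},
        4: {"role": "admin", "settings": {}},
    }
```

The allowlist is the important choice: a denylist of `role`-like names is exactly what an attacker enumerates around (`isAdmin`, `permissions`, `roles[]`), whereas an allowlist fails closed when a new privileged field is added to the model.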