How to Exploit Horizontal Privilege Escalation: A Step‑by‑Step Guide
This article documents a complete horizontal privilege escalation attack, showing how modifying POST parameters, REST‑style paths, and cookies can lead to unauthorized view, edit, and delete of other users' data, followed by techniques to combine the flaw with XSS and CSRF for greater impact.
0x01 Unauthorized View and Delete
After logging in, the tester discovers that by altering request parameters they can view or modify any user's profile, demonstrated using the education history field.
Steps:
Create a record, then intercept and replay the request, using the infoId to reference another user's object.
Changing the infoId value in the request retrieves other users' information; modifying the POST data similarly enables deletion of arbitrary user records.
Editing one's own self‑evaluation shows that the infoId also appears in the URL, allowing further manipulation.
Successful modification is confirmed by refreshing the target account.
The vulnerability arises because the API identifies records by a client‑supplied REST‑style parameter (infoId) and never checks that the referenced record belongs to the authenticated user, so any value the client chooses is honoured.
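The following is an added example, not code from the original article or the application it describes: a minimal in‑memory model of the education‑history endpoints showing the handler as described (trusting infoId) beside a hardened version that resolves infoId and enforces ownership in one place, plus a small regression check that calls a handler as every user against every record they do not own. Record ids, user ids and school names are constructed for the demonstration.

```python
# Added example (hypothetical handler names; constructed data).
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for records that do not exist or do not belong to the caller."""


@dataclass
class EducationRecord:
    info_id: int    # the infoId the client sends in the POST body or URL
    owner_id: int   # the user who created the record
    school: str


# Constructed sample data: two users, each with one education record.
RECORDS = {
    1001: EducationRecord(1001, owner_id=1, school="Alice University"),
    1002: EducationRecord(1002, owner_id=2, school="Bob College"),
}


def view_education_vulnerable(records, session_user_id, info_id):
    """Before: the handler trusts infoId and ignores who is logged in."""
    rec = records.get(info_id)
    if rec is None:
        raise NotFound(info_id)
    return rec


def _owned_record(records, session_user_id, info_id):
    """Resolve infoId and enforce ownership in one place.

    "Missing" and "not yours" both map to NotFound so the response does
    not reveal whether another user's infoId exists.
    """
    rec = records.get(info_id)
    if rec is None or rec.owner_id != session_user_id:
        raise NotFound(info_id)
    return rec


def view_education(records, session_user_id, info_id):
    """After: every read goes through the ownership check."""
    return _owned_record(records, session_user_id, info_id)


def update_education(records, session_user_id, info_id, school):
    """After: writes use the same check, so the URL's infoId cannot be swapped."""
    rec = _owned_record(records, session_user_id, info_id)
    rec.school = school
    return rec


def delete_education(records, session_user_id, info_id):
    """After: deletion is only possible for records the caller owns."""
    _owned_record(records, session_user_id, info_id)
    del records[info_id]


def cross_user_leaks(records, handler):
    """Regression check: invoke `handler` as each user against every record
    that user does not own; return the (user, infoId) pairs that were served
    instead of denied. An empty list means no horizontal access via handler."""
    leaks = []
    users = sorted({r.owner_id for r in records.values()})
    for uid in users:
        for info_id, rec in list(records.items()):
            if rec.owner_id == uid:
                continue
            try:
                handler(records, uid, info_id)
            except NotFound:
                continue
            leaks.append((uid, info_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", cross_user_leaks(dict(RECORDS), view_education_vulnerable))
    print("hardened:  ", cross_user_leaks(dict(RECORDS), view_education))
```

The design point is that the ownership check lives in one resolver that every verb (view, update, delete) calls, so a new endpoint cannot forget it; `cross_user_leaks` is the kind of two‑account comparison that an authorization test harness automates, and it belongs in the test suite so the fix does not regress.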
0x02 Bypassing Login for Unauthorized Access
The attacker notices that the application relies on a cookie for authentication, with many of its fields base64‑encoded. Deleting the cookie fields one at a time shows that career_id alone is sufficient to stay authenticated.
Decoding career_id reveals the user ID. Using Burp Suite's Intruder, the attacker enumerates other IDs and accesses their resume data.
Replacing the victim's cookie in the browser allows full bypass of login, granting edit and delete capabilities on other users' profiles.
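As an added example (not code from the original article or the application it describes), the block below contrasts a career_id‑style cookie that is only base64 of the user id with an HMAC‑signed session cookie carrying the same user id plus an expiry. The secret key, user ids and field names are constructed; `tampered_copy` reproduces the id swap described above purely to show that verification rejects it.

```python
# Added example (constructed key and ids; hypothetical function names).
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from secret storage.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


# --- Before: career_id is just the user id, base64-encoded ------------------

def career_id_encode(user_id: int) -> str:
    return _b64e(str(user_id).encode())


def career_id_decode(cookie: str) -> int:
    """Base64 is encoding, not authentication: any id decodes as 'valid'."""
    return int(_b64d(cookie))


# --- After: payload + HMAC-SHA256 tag; the server verifies before trusting --

def issue_session(user_id: int, now: Optional[float] = None, ttl: int = 3600) -> str:
    """Build '<b64 payload>.<b64 tag>' for a user id with a server-side expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now + ttl)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_session(cookie: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id only if the tag matches and the session is unexpired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, TypeError):   # malformed split or bad base64 padding
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data.get("uid"), int) or data.get("exp", 0) <= now:
        return None
    return data["uid"]


def tampered_copy(cookie: str, new_uid: int) -> str:
    """Model of the id swap from the article: change uid in the payload but
    keep the original tag. Used only to demonstrate that verification fails."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(_b64d(payload_b64))
    data["uid"] = new_uid
    forged = json.dumps(data, separators=(",", ":")).encode()
    return _b64e(forged) + "." + tag_b64


if __name__ == "__main__":
    cookie = issue_session(7)
    print("valid   ->", verify_session(cookie))
    print("tampered->", verify_session(tampered_copy(cookie, 8)))
```

Signing only stops forgery of the cookie itself; an attacker who obtains a victim's genuine cookie (for example via the XSS described later) can still replay it, so the cookie also needs HttpOnly and Secure attributes, a short lifetime, and server‑side revocation. An opaque random session id looked up server‑side avoids the signing logic entirely and is the simpler choice when session state is available.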
0x03 Leveraging Self‑XSS for Further Privilege Gain
The personal‑center page authenticates on career_id alone, while other pages validate additional cookie fields. The resume edit page contains a stored XSS (self‑XSS) vector.
By injecting malicious payloads into other users' resumes, the attacker can combine horizontal privilege escalation with self‑XSS, and potentially exploit CSRF vulnerabilities for even greater impact.
0x04 Summary
Key steps for testing horizontal privilege escalation:
Use a controlled‑variable approach: remove parameters or cookie fields one at a time to identify which ones the server actually checks.
Obfuscate parameters or cookie values and continue testing.
Modify parameter values or cookie fields to test unauthorized create, read, update, delete operations.
Combine privilege escalation with other vulnerabilities (e.g., XSS, CSRF) to increase impact.
Tools like Burp Suite's Authz extension can aid testing, though most cases focus on read‑only privilege bypass.